Is KeyPairGenerator.generateKeyPair () safe?
The request KeyPairGenerator.initialize()
takes an instance as a method SecureRandom
, which is expensive to initialize. The Java Doc says nothing about being thread safe. All I can find is a comment in the source code . Maybe it depends on the actual instance KeyPairGenerator
? By the way, I'm using a Sun RSA instance.
source to share
It depends on the actual instance created, neuritis you guessed it. It is important to note that the KeyPairGenerator class is abstract, and the subclassing implementation overrides the generateKeyPair method. Thus, the authors of the abstract KeyPairGenerator class cannot claim to be thread safe. All they can do is make sure they haven't done anything to compromise thread safety.
The standard way to get a KeyPairGenerator using the static getInstance method returns an instance of a class that derives from KeyPairGenerator: see the KeyPairGenerator.Delegate class. Its generateKeyPair implementation also does nothing to compromise thread safety, so if you get your KeyPairGenerator that way, you're great † . But you can also get KeyPairGenerator like this:
KeyPairGenerator kpg=new KeyPairGenerator("RSA"){
@Override
public KeyPair generateKeyPair(){
return doSomethingThatIsntThreadSafe();
}
};
Now, of course, you will never do that, but the authors of KeyPairGenerator cannot know this, so they cannot tell you that any instance of KeyPairGenerator is thread safe.
† where subtle means depend on your SPI crypto to do the right thing!
source to share