On Fri, 18 Dec 2020 14:42:38 GMT, PROgrm_JARvis 
<github.com+7693005+jarviscr...@openjdk.org> wrote:

>>> I've looked through [Standard Algorithms section for 
>>> MessageDigest](https://docs.oracle.com/en/java/javase/15/docs/specs/security/standard-names.html#messagedigest-algorithms)
>>> and it says
>>> 
>>> > Algorithm names that _can_ be specified
>>> 
>>> And the javadoc of `MessageDigest` says:
>>> 
>>> > Every implementation of the Java platform is required to support the 
>>> > following standard `MessageDigest` algorithms:
>>> > 
>>> > * `SHA-1`
>>> > * `SHA-256`
>>> 
>>> So I cannot find any requirement for `MD5` to be present. Although I 
>>> believe that every implementation does provide it, it may be essential to 
>>> either specify it or describe the behavior for its absence in case of 
>>> `UUID`'s usage.
>> 
>> MD5 and DES were removed as SE requirements in JDK 14. See 
>> https://bugs.openjdk.java.net/browse/JDK-8214483 for more information. 
>> However, there are no plans to remove the implementations from the JDK at 
>> this time.
> 
> In this case, should a bug report be filed to require specifying behaviour 
> for `UUID#nameUUIDFromBytes(byte[])` in case of MD5 not being present?

A more general issue is that this patch assumes the `MessageDigest` object 
returned is statically shareable, which implies it being stateless and 
thread-safe.

This doesn't seem to be the case. See 
[MD5.java](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/MD5.java)
 and the 
[DigestBase.java](https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/provider/DigestBase.java)
 base class, which both have mutating buffers for doing the digest.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1821
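
The thread-safety concern in the reply above, as an added example (not code from the patch or from the JDK): eight threads hash constructed inputs through one shared `MessageDigest` and then through a fresh instance per call, counting results that differ from a single-threaded reference. `SharedDigestDemo`, `SHARED`, `newMd5` and `mismatches` are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.UnaryOperator;

public class SharedDigestDemo {
    // Hypothetical static cache, standing in for the sharing the reply questions.
    static final MessageDigest SHARED = newMd5();
    static MessageDigest newMd5() {
        try {
            return MessageDigest.getInstance("MD5");
        } catch (NoSuchAlgorithmException e) { // MD5 is not a required algorithm
            throw new IllegalStateException("MD5 not available", e);
        }
    }
    // Runs 8 threads over constructed inputs and counts wrong or failed digests.
    static int mismatches(UnaryOperator<byte[]> hash) throws InterruptedException {
        byte[][] in = new byte[64][];
        byte[][] want = new byte[64][];
        for (int i = 0; i < in.length; i++) {
            in[i] = ("name-" + i).getBytes(StandardCharsets.UTF_8);
            want[i] = newMd5().digest(in[i]); // single-threaded reference value
        }
        AtomicInteger bad = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.execute(() -> {
                for (int i = 0; i < 200_000; i++) {
                    try {
                        if (!Arrays.equals(hash.apply(in[i % 64]), want[i % 64])) bad.incrementAndGet();
                    } catch (RuntimeException e) {
                        bad.incrementAndGet(); // racing buffer offsets can also throw
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return bad.get();
    }
    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared instance: " + mismatches(SHARED::digest));
        System.out.println("fresh per call:  " + mismatches(b -> newMd5().digest(b)));
    }
}
```

The per-call variant always reports 0; the shared variant can report a nonzero count that varies from run to run, because the threads interleave writes to the same internal buffer.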
