Desperately seeking JDK1.1.x Signature help!!!

Mike Burati (burati@pubweb.net)
Wed, 24 Jun 1998 17:51:41 -0400

Message-Id: <3.0.1.32.19980624175141.00ec93c0@mail.pubweb.net>
Date: Wed, 24 Jun 1998 17:51:41 -0400
To: java-security@web4.javasoft.com
From: Mike Burati <burati@pubweb.net>
Subject: Desperately seeking JDK1.1.x Signature help!!!

From: Charlie.Lai@Eng (Charlie Lai)
>
>> If the loop is executed by n threads instead of a single process the block
>> is guaranteed.
>> I've read something somewhere about this in Internet.
>> Is it a bug? Or a "desired" behaviour when the machine in too loaded?
>
>we did fix some of the SecureRandom code to avoid looping forever
>on a system that's heavily loaded. the fixes are in 1.1.6.
>they're also in jdk1.2.

Ok, my brain is fried, otherwise I'd probably be able to figure out
some of this myself, but I need advice...

We have been developing a JAVA based solution that's built around
the Java Web Server and servlets. Since our system will need to
integrate with other web/http based systems out there, http/https
is the obvious choice to base our transport on too. We use the
SSL built into JWS for privacy, and we're trying to use the built
in DSA support in JDK1.1.x to sign/verify our messages from one
service to another.

BEFORE anybody answers, we CANNOT use JDK1.2, since it's not released
yet, and we're piloting this to customers now. We rely on Sun's JWS,
which is not even qualified on JDK1.1.6 yet, nevermind JDK1.2, so
we're stuck with JDK1.1.4/JDK1.1.6 for a while. Also, we are not
using the sun.security internal calls, we are using the public
Keypair generator classes and Signature class/methods only.

This has all been working fine up until this afternoon. I generate
keys in a standalone utility, so the above SecureRandom bug hasn't
been affecting us. Up until this afternoon, signing messages up to
and through 300K was taking a few seconds (5?) at most. I just
configured another piece into my test system (so I have two servlets
signing messages, instead of one signing/one verifying). Even though
Only one is signing/verifying at a time, the signing of 170K bytes is
now taking 604 to 605 seconds *EVERY TIME*. What could cause this?

Is Signature.sign() using the above SecureRandom class in a way that
would cause this looping bug?

I upgraded my Java Web Server1.1 from 1.1.5 to 1.1.6 based on the
above claimed fix, and it's still agonizingly slow!

HELP!. Again, JDK1.2 is not an answer. They'll make us rewrite
everything in C++ before letting us wait for 1.2 to become widely
used and supported by JWS. What are other's experiences with
signing/verifying data in moderately loaded services with JDK1.1.x???

We've had good experiences with JWS and it's SSL support, and
the DSA signature capabilities of JDK1.1.x up until this point...

Thanks in advance,
..Mike