addressed Gemini comments

Author: sagnghos

java-spanner/google-cloud-spanner/pom.xml

@@ -537,16 +537,6 @@
       <version>2.91.0</version><!-- {x-version-update:proto-google-cloud-trace-v1:current} -->
       <scope>test</scope>
     </dependency>
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-jdk18on</artifactId>
-      <version>1.78</version>
-    </dependency>
-    <dependency>
-      <groupId>com.google.crypto.tink</groupId>
-      <artifactId>tink</artifactId>
-      <version>1.13.0</version>
-    </dependency>
   </dependencies>
   <profiles>
     <profile>
@@ -744,16 +734,6 @@
           <groupId>com.google.api.grpc</groupId>
           <artifactId>grpc-google-cloud-spanner-executor-v1</artifactId>
         </dependency>
-    <dependency>
-      <groupId>org.bouncycastle</groupId>
-      <artifactId>bcprov-jdk18on</artifactId>
-      <version>1.78</version>
-    </dependency>
-    <dependency>
-      <groupId>com.google.crypto.tink</groupId>
-      <artifactId>tink</artifactId>
-      <version>1.13.0</version>
-    </dependency>
       </dependencies>
     </profile>
   </profiles>

java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/SpannerOptions.java

@@ -1849,8 +1849,7 @@ public Builder login(String username, String passwordFile, boolean backgroundRef
         while (len > 0 && (rawBytes[len - 1] == '\n' || rawBytes[len - 1] == '\r')) {
           len--;
         }
-        byte[] passwordBytes = new byte[len];
-        System.arraycopy(rawBytes, 0, passwordBytes, 0, len);
+        byte[] passwordBytes = java.util.Arrays.copyOf(rawBytes, len);
         return loginWithPasswordBytes(username, passwordBytes, backgroundRefresh);
       } catch (IOException e) {
         throw SpannerExceptionFactory.newSpannerException(

java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/LoginClient.java

@@ -39,6 +39,8 @@
  * authenticate to Spanner Omni using username/password.
  */
 public class LoginClient {
+  private static final java.security.SecureRandom SECURE_RANDOM = new java.security.SecureRandom();
+
   private final LoginServiceGrpc.LoginServiceStub stub;
 
   public LoginClient(ManagedChannel channel) {
@@ -63,9 +65,8 @@ public AccessToken login(String username, byte[] password) throws SpannerExcepti
       byte[] clientPrivateKeyshare = keyPair[0];
       byte[] clientPublicKeyshare = keyPair[1];
       byte[] clientNonce = OpaqueUtil.nonce();
-      java.security.SecureRandom random = new java.security.SecureRandom();
       byte[] blind = new byte[32];
-      random.nextBytes(blind);
+      SECURE_RANDOM.nextBytes(blind);
 
       byte[] blindedMessage = OpaqueUtil.blind(password, blind);
 
@@ -249,10 +250,7 @@ LoginResponse getResponse() throws InterruptedException {
       if (error != null) {
         throw SpannerExceptionFactory.newSpannerException(error);
       }
-      if (response == LoginResponse.getDefaultInstance() && (completed || error != null)) {
-         if (error != null) {
-            throw SpannerExceptionFactory.newSpannerException(error);
-         }
+      if (response == LoginResponse.getDefaultInstance() && completed) {
          return null;
       }
       return response;

java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/SpannerOmniCredentials.java

@@ -48,6 +48,7 @@ public class SpannerOmniCredentials extends GoogleCredentials {
     private final byte[] password;
     private final String target;
     private final boolean backgroundRefresh;
+    private final ManagedChannel loginChannel;
 
     private ScheduledFuture<?> refreshTask;
 
@@ -60,13 +61,13 @@ public SpannerOmniCredentials(String username, byte[] password, String target, b
         this.password = password;
         this.target = target;
         this.backgroundRefresh = backgroundRefresh;
+        this.loginChannel = ManagedChannelBuilder.forTarget(target).build();
     }
 
     @Override
     public AccessToken refreshAccessToken() throws IOException {
-        ManagedChannel loginChannel = ManagedChannelBuilder.forTarget(target).build();
         try {
-            LoginClient loginClient = new LoginClient(loginChannel);
+            LoginClient loginClient = new LoginClient(this.loginChannel);
             google.spanner.omni.v1.AccessToken protoToken = loginClient.login(username, password);
             String tokenValue = Base64.getEncoder().encodeToString(protoToken.toByteArray());
 
@@ -90,16 +91,6 @@ public AccessToken refreshAccessToken() throws IOException {
         } catch (Exception e) {
             logger.log(Level.SEVERE, "Failed to login to Spanner Omni. Username: " + username + ", Target: " + target, e);
             throw new IOException("Failed to login to Spanner Omni", e);
-        } finally {
-            loginChannel.shutdown();
-            try {
-                if (!loginChannel.awaitTermination(1, TimeUnit.SECONDS)) {
-                    loginChannel.shutdownNow();
-                }
-            } catch (InterruptedException ie) {
-                Thread.currentThread().interrupt();
-                loginChannel.shutdownNow();
-            }
         }
     }
 
@@ -123,21 +114,26 @@ private void scheduleRefresh(long tokenLifetimeMillis) {
 
         java.lang.ref.WeakReference<SpannerOmniCredentials> weakThis = new java.lang.ref.WeakReference<>(this);
 
-        refreshTask = SHARED_EXECUTOR.schedule(() -> {
-            SpannerOmniCredentials creds = weakThis.get();
-            if (creds == null) {
-                // The credentials instance was garbage collected. Stop the background refresh loop.
-                return;
-            }
-            try {
-                creds.refresh();
-            } catch (IOException e) {
-                logger.log(Level.WARNING, "Failed to auto-refresh Spanner Omni credentials", e);
-                // Retry in a short interval on failure
-                long retryDelay = Math.min(TimeUnit.SECONDS.toMillis(5), tokenLifetimeMillis / 4);
-                if (retryDelay <= 0) retryDelay = 1000;
-                creds.scheduleRefresh(retryDelay * 2); // Pass double the retry delay as fake lifetime to get retryDelay scheduling
+        Runnable refreshAction = new Runnable() {
+            @Override
+            public void run() {
+                SpannerOmniCredentials creds = weakThis.get();
+                if (creds == null) {
+                    // The credentials instance was garbage collected. Stop the background refresh loop.
+                    return;
+                }
+                try {
+                    creds.refresh();
+                } catch (IOException e) {
+                    logger.log(Level.WARNING, "Failed to auto-refresh Spanner Omni credentials", e);
+                    // Retry in a short interval on failure
+                    long retryDelay = Math.min(TimeUnit.SECONDS.toMillis(5), tokenLifetimeMillis / 4);
+                    if (retryDelay <= 0) retryDelay = 1000;
+                    creds.refreshTask = SHARED_EXECUTOR.schedule(this, retryDelay, TimeUnit.MILLISECONDS);
+                }
             }
-        }, delayMillis, TimeUnit.MILLISECONDS);
+        };
+        
+        refreshTask = SHARED_EXECUTOR.schedule(refreshAction, delayMillis, TimeUnit.MILLISECONDS);
     }
 }

java-spanner/google-cloud-spanner/src/main/java/com/google/cloud/spanner/omni/opaque/OpaqueUtil.java

@@ -304,8 +304,6 @@ public static byte[] randomOracleSha256(byte[] x, BigInteger max) throws General
         byte[] tmp = new byte[iBytes.length - 1];
         System.arraycopy(iBytes, 1, tmp, 0, tmp.length);
         iBytes = tmp;
-      } else if (iBytes.length == 0) {
-        iBytes = new byte[]{0}; // Shouldn't happen for i >= 1
       }
 
       byte[] bignumBytes;