Revert "SecureRandom API Update"

jeremiahjstacey · jeremiahjstacey · commit b399483ae7e0 · 2022-03-19T16:04:14.000-05:00
This reverts commit eaa8ea8.
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java b/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java
@@ -54,12 +54,13 @@ public static Randomizer getInstance() {
     private final Logger logger = ESAPI.getLogger("Randomizer");
 
     private DefaultRandomizer() {
+        String algorithm = ESAPI.securityConfiguration().getRandomAlgorithm();
         try {
-            secureRandom = SecureRandom.getInstanceStrong();
+            secureRandom = SecureRandom.getInstance(algorithm);
         } catch (NoSuchAlgorithmException e) {
             // Can't throw an exception from the constructor, but this will get
             // it logged and tracked
-            new EncryptionException("Error creating randomizer", "Failed to generate strong SecureRandom reference", e);
+            new EncryptionException("Error creating randomizer", "Can't find random algorithm " + algorithm, e);
         }
     }
 
diff --git a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java
@@ -205,7 +205,14 @@ public static void main( String[] args ) throws Exception {
             System.out.println( "\tuse '-print' to also show available crypto algorithms from all the security providers" );
         }
 
-        SecureRandom random = SecureRandom.getInstanceStrong();
+        // setup algorithms -- Each of these have defaults if not set, although
+        //                     someone could set them to something invalid. If
+        //                     so a suitable exception will be thrown and displayed.
+        encryptAlgorithm = ESAPI.securityConfiguration().getEncryptionAlgorithm();
+        encryptionKeyLength = ESAPI.securityConfiguration().getEncryptionKeyLength();
+        randomAlgorithm = ESAPI.securityConfiguration().getRandomAlgorithm();
+
+        SecureRandom random = SecureRandom.getInstance(randomAlgorithm);
         SecretKey secretKey = CryptoHelper.generateSecretKey(encryptAlgorithm, encryptionKeyLength);
         byte[] raw = secretKey.getEncoded();
         byte[] salt = new byte[20]; // Or 160-bits; big enough for SHA1, but not SHA-256 or SHA-512.
@@ -273,7 +280,7 @@ private JavaEncryptor() throws EncryptionException {
                 // For asymmetric encryption (i.e., public/private key)
                 //
                 try {
-                    SecureRandom prng = SecureRandom.getInstanceStrong();
+                    SecureRandom prng = SecureRandom.getInstance(randomAlgorithm);
 
                     // Because hash() is not static (but it could be were in not
                     // for the interface method specification in Encryptor), we

Original file line number	Diff line number	Diff line change
`@@ -54,12 +54,13 @@ public static Randomizer getInstance() {`
`54`	`54`	`private final Logger logger = ESAPI.getLogger("Randomizer");`
`55`	`55`
`56`	`56`	`private DefaultRandomizer() {`
	`57`	`+ String algorithm = ESAPI.securityConfiguration().getRandomAlgorithm();`
`57`	`58`	`try {`
`58`		`- secureRandom = SecureRandom.getInstanceStrong();`
	`59`	`+ secureRandom = SecureRandom.getInstance(algorithm);`
`59`	`60`	`} catch (NoSuchAlgorithmException e) {`
`60`	`61`	`// Can't throw an exception from the constructor, but this will get`
`61`	`62`	`// it logged and tracked`
`62`		`- new EncryptionException("Error creating randomizer", "Failed to generate strong SecureRandom reference", e);`
	`63`	`+ new EncryptionException("Error creating randomizer", "Can't find random algorithm " + algorithm, e);`
`63`	`64`	`}`
`64`	`65`	`}`
`65`	`66`