SecureRandom API Update

jeremiahjstacey · jeremiahjstacey · commit eaa8ea870824 · 2022-03-18T07:40:17.000-05:00
Replacing calls to SecureRandom.getInstance(algorithm) with
SecureRandom.getInstanceStrong()
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java b/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java
@@ -54,13 +54,12 @@ public static Randomizer getInstance() {
     private final Logger logger = ESAPI.getLogger("Randomizer");
 
     private DefaultRandomizer() {
-        String algorithm = ESAPI.securityConfiguration().getRandomAlgorithm();
         try {
-            secureRandom = SecureRandom.getInstance(algorithm);
+            secureRandom = SecureRandom.getInstanceStrong();
         } catch (NoSuchAlgorithmException e) {
             // Can't throw an exception from the constructor, but this will get
             // it logged and tracked
-            new EncryptionException("Error creating randomizer", "Can't find random algorithm " + algorithm, e);
+            new EncryptionException("Error creating randomizer", "Failed to generate strong SecureRandom reference", e);
         }
     }
 
diff --git a/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java b/src/main/java/org/owasp/esapi/reference/crypto/JavaEncryptor.java
@@ -205,14 +205,7 @@ public static void main( String[] args ) throws Exception {
             System.out.println( "\tuse '-print' to also show available crypto algorithms from all the security providers" );
         }
 
-        // setup algorithms -- Each of these have defaults if not set, although
-        //                     someone could set them to something invalid. If
-        //                     so a suitable exception will be thrown and displayed.
-        encryptAlgorithm = ESAPI.securityConfiguration().getEncryptionAlgorithm();
-        encryptionKeyLength = ESAPI.securityConfiguration().getEncryptionKeyLength();
-        randomAlgorithm = ESAPI.securityConfiguration().getRandomAlgorithm();
-
-        SecureRandom random = SecureRandom.getInstance(randomAlgorithm);
+        SecureRandom random = SecureRandom.getInstanceStrong();
         SecretKey secretKey = CryptoHelper.generateSecretKey(encryptAlgorithm, encryptionKeyLength);
         byte[] raw = secretKey.getEncoded();
         byte[] salt = new byte[20]; // Or 160-bits; big enough for SHA1, but not SHA-256 or SHA-512.
@@ -280,7 +273,7 @@ private JavaEncryptor() throws EncryptionException {
                 // For asymmetric encryption (i.e., public/private key)
                 //
                 try {
-                    SecureRandom prng = SecureRandom.getInstance(randomAlgorithm);
+                    SecureRandom prng = SecureRandom.getInstanceStrong();
 
                     // Because hash() is not static (but it could be were in not
                     // for the interface method specification in Encryptor), we

Original file line number	Diff line number	Diff line change
`@@ -54,13 +54,12 @@ public static Randomizer getInstance() {`
`54`	`54`	`private final Logger logger = ESAPI.getLogger("Randomizer");`
`55`	`55`
`56`	`56`	`private DefaultRandomizer() {`
`57`		`- String algorithm = ESAPI.securityConfiguration().getRandomAlgorithm();`
`58`	`57`	`try {`
`59`		`- secureRandom = SecureRandom.getInstance(algorithm);`
	`58`	`+ secureRandom = SecureRandom.getInstanceStrong();`
`60`	`59`	`} catch (NoSuchAlgorithmException e) {`
`61`	`60`	`// Can't throw an exception from the constructor, but this will get`
`62`	`61`	`// it logged and tracked`
`63`		`- new EncryptionException("Error creating randomizer", "Can't find random algorithm " + algorithm, e);`
	`62`	`+ new EncryptionException("Error creating randomizer", "Failed to generate strong SecureRandom reference", e);`
`64`	`63`	`}`
`65`	`64`	`}`
`66`	`65`