/* * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.security; import java.util.*; import java.util.regex.*; import java.security.Provider.Service; import java.util.function.Function; import dalvik.system.VMRuntime; import sun.security.jca.*; import sun.security.jca.GetInstance.Instance; /** * This class provides a cryptographically strong random number * generator (RNG). * *

A cryptographically strong random number * minimally complies with the statistical random number generator tests * specified in * FIPS 140-2, Security Requirements for Cryptographic Modules, * section 4.9.1. * Additionally, SecureRandom must produce non-deterministic output. * Therefore any seed material passed to a SecureRandom object must be * unpredictable, and all SecureRandom output sequences must be * cryptographically strong, as described in * * RFC 1750: Randomness Recommendations for Security. * *

A caller obtains a SecureRandom instance via the * no-argument constructor or one of the {@code getInstance} methods: * *

 *      SecureRandom random = new SecureRandom();
 * 
* *

Many SecureRandom implementations are in the form of a pseudo-random * number generator (PRNG), which means they use a deterministic algorithm * to produce a pseudo-random sequence from a true random seed. * Other implementations may produce true random numbers, * and yet others may use a combination of both techniques. * *

Typical callers of SecureRandom invoke the following methods * to retrieve random bytes: * *

 *      SecureRandom random = new SecureRandom();
 *      byte bytes[] = new byte[20];
 *      random.nextBytes(bytes);
 * 
* *

Callers may also invoke the {@code generateSeed} method * to generate a given number of seed bytes (to seed other random number * generators, for example): *

 *      byte seed[] = random.generateSeed(20);
 * 
* * Note: Depending on the implementation, the {@code generateSeed} and * {@code nextBytes} methods may block as entropy is being gathered, * for example, if they need to read from /dev/random on various Unix-like * operating systems. * * The SHA1PRNG algorithm from the Crypto provider has been deprecated as it was insecure, and also * incorrectly used by some apps as a key derivation function. See * * Security "Crypto" provider deprecated in Android N for details. * * @see java.security.SecureRandomSpi * @see java.util.Random * * @author Benjamin Renaud * @author Josh Bloch */ public class SecureRandom extends java.util.Random { // Android-removed: this debugging mechanism is not used in Android. /* private static final Debug pdebug = Debug.getInstance("provider", "Provider"); private static final boolean skipDebug = Debug.isOn("engine=") && !Debug.isOn("securerandom"); */ // END Android-removed /** * The provider. * * @serial * @since 1.2 */ private Provider provider = null; /** * The provider implementation. * * @serial * @since 1.2 */ private SecureRandomSpi secureRandomSpi = null; /* * The algorithm name of null if unknown. * * @serial * @since 1.5 */ private String algorithm; // Seed Generator private static volatile SecureRandom seedGenerator = null; /** * Constructs a secure random number generator (RNG) implementing the * default random number algorithm. * *

This constructor traverses the list of registered security Providers, * starting with the most preferred Provider. * A new SecureRandom object encapsulating the * SecureRandomSpi implementation from the first * Provider that supports a SecureRandom (RNG) algorithm is returned. * If none of the Providers support a RNG algorithm, * then an implementation-specific default is returned. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * *

See the SecureRandom section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard RNG algorithm names. * *

The returned SecureRandom object has not been seeded. To seed the * returned object, call the {@code setSeed} method. * If {@code setSeed} is not called, the first call to * {@code nextBytes} will force the SecureRandom object to seed itself. * This self-seeding will not occur if {@code setSeed} was * previously called. */ public SecureRandom() { /* * This call to our superclass constructor will result in a call * to our own {@code setSeed} method, which will return * immediately when it is passed zero. */ super(0); getDefaultPRNG(false, null); } /** * Constructs a secure random number generator (RNG) implementing the * default random number algorithm. * The SecureRandom instance is seeded with the specified seed bytes. * *

This constructor traverses the list of registered security Providers, * starting with the most preferred Provider. * A new SecureRandom object encapsulating the * SecureRandomSpi implementation from the first * Provider that supports a SecureRandom (RNG) algorithm is returned. * If none of the Providers support a RNG algorithm, * then an implementation-specific default is returned. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * *

See the SecureRandom section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard RNG algorithm names. * * @param seed the seed. */ public SecureRandom(byte seed[]) { super(0); getDefaultPRNG(true, seed); } private void getDefaultPRNG(boolean setSeed, byte[] seed) { String prng = getPrngAlgorithm(); if (prng == null) { // Android-changed: This should never happen, we always provide a SecureRandom throw new IllegalStateException("No SecureRandom implementation!"); } else { try { SecureRandom random = SecureRandom.getInstance(prng); this.secureRandomSpi = random.getSecureRandomSpi(); this.provider = random.getProvider(); if (setSeed) { this.secureRandomSpi.engineSetSeed(seed); } } catch (NoSuchAlgorithmException nsae) { // never happens, because we made sure the algorithm exists throw new RuntimeException(nsae); } } // JDK 1.1 based implementations subclass SecureRandom instead of // SecureRandomSpi. They will also go through this code path because // they must call a SecureRandom constructor as it is their superclass. // If we are dealing with such an implementation, do not set the // algorithm value as it would be inaccurate. if (getClass() == SecureRandom.class) { this.algorithm = prng; } } /** * Creates a SecureRandom object. * * @param secureRandomSpi the SecureRandom implementation. * @param provider the provider. */ protected SecureRandom(SecureRandomSpi secureRandomSpi, Provider provider) { this(secureRandomSpi, provider, null); } private SecureRandom(SecureRandomSpi secureRandomSpi, Provider provider, String algorithm) { super(0); this.secureRandomSpi = secureRandomSpi; this.provider = provider; this.algorithm = algorithm; // BEGIN Android-removed: this debugging mechanism is not supported in Android. /* if (!skipDebug && pdebug != null) { pdebug.println("SecureRandom." + algorithm + " algorithm from: " + this.provider.getName()); } */ // END Android-removed } /** * Returns a SecureRandom object that implements the specified * Random Number Generator (RNG) algorithm. * *

This method traverses the list of registered security Providers, * starting with the most preferred Provider. * A new SecureRandom object encapsulating the * SecureRandomSpi implementation from the first * Provider that supports the specified algorithm is returned. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * *

The returned SecureRandom object has not been seeded. To seed the * returned object, call the {@code setSeed} method. * If {@code setSeed} is not called, the first call to * {@code nextBytes} will force the SecureRandom object to seed itself. * This self-seeding will not occur if {@code setSeed} was * previously called. * * @param algorithm the name of the RNG algorithm. * See the SecureRandom section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard RNG algorithm names. * * @return the new SecureRandom object. * * @exception NoSuchAlgorithmException if no Provider supports a * SecureRandomSpi implementation for the * specified algorithm. * * @see Provider * * @since 1.2 */ public static SecureRandom getInstance(String algorithm) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("SecureRandom", SecureRandomSpi.class, algorithm); return new SecureRandom((SecureRandomSpi)instance.impl, instance.provider, algorithm); } // BEGIN Android-added: Support for Crypto provider workaround /** * Maximum SDK version for which the workaround for the Crypto provider is in place. * *

We provide instances from the Crypto provider (although the provider is not installed) to * apps targeting M or earlier versions of the SDK. * *

Default is 23 (M). We have it as a field for testability and it shouldn't be changed. * * @hide */ public static final int DEFAULT_SDK_TARGET_FOR_CRYPTO_PROVIDER_WORKAROUND = 23; private static int sdkTargetForCryptoProviderWorkaround = DEFAULT_SDK_TARGET_FOR_CRYPTO_PROVIDER_WORKAROUND; /** * Only for testing. * * @hide */ public static void setSdkTargetForCryptoProviderWorkaround(int sdkTargetVersion) { sdkTargetForCryptoProviderWorkaround = sdkTargetVersion; } /** * Only for testing. * * @hide */ public static int getSdkTargetForCryptoProviderWorkaround() { return sdkTargetForCryptoProviderWorkaround; } // END Android-added: Support for Crypto provider workaround /** * Returns a SecureRandom object that implements the specified * Random Number Generator (RNG) algorithm. * *

A new SecureRandom object encapsulating the * SecureRandomSpi implementation from the specified provider * is returned. The specified provider must be registered * in the security provider list. * *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * *

The returned SecureRandom object has not been seeded. To seed the * returned object, call the {@code setSeed} method. * If {@code setSeed} is not called, the first call to * {@code nextBytes} will force the SecureRandom object to seed itself. * This self-seeding will not occur if {@code setSeed} was * previously called. * * @param algorithm the name of the RNG algorithm. * See the SecureRandom section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard RNG algorithm names. * * @param provider the name of the provider. * * @return the new SecureRandom object. * * @exception NoSuchAlgorithmException if a SecureRandomSpi * implementation for the specified algorithm is not * available from the specified provider. * * @exception NoSuchProviderException if the specified provider is not * registered in the security provider list. * * @exception IllegalArgumentException if the provider name is null * or empty. * * @see Provider * * @since 1.2 */ public static SecureRandom getInstance(String algorithm, String provider) throws NoSuchAlgorithmException, NoSuchProviderException { try { Instance instance = GetInstance.getInstance("SecureRandom", SecureRandomSpi.class, algorithm, provider); return new SecureRandom((SecureRandomSpi) instance.impl, instance.provider, algorithm); // BEGIN Android-added: Crypto provider deprecation } catch (NoSuchProviderException nspe) { if ("Crypto".equals(provider)) { System.logE(" ********** PLEASE READ ************ "); System.logE(" * "); System.logE(" * New versions of the Android SDK no longer support the Crypto provider."); System.logE(" * If your app was relying on setSeed() to derive keys from strings, you"); System.logE(" * should switch to using SecretKeySpec to load raw key bytes directly OR"); System.logE(" * use a real key derivation function (KDF). See advice here : "); System.logE(" * http://android-developers.blogspot.com/2016/06/security-crypto-provider-deprecated-in.html "); System.logE(" *********************************** "); if (VMRuntime.getRuntime().getTargetSdkVersion() <= sdkTargetForCryptoProviderWorkaround) { System.logE(" Returning an instance of SecureRandom from the Crypto provider"); System.logE(" as a temporary measure so that the apps targeting earlier SDKs"); System.logE(" keep working. Please do not rely on the presence of the Crypto"); System.logE(" provider in the codebase, as our plan is to delete it"); System.logE(" completely in the future."); return getInstanceFromCryptoProvider(algorithm); } } throw nspe; } } private static SecureRandom getInstanceFromCryptoProvider(String algorithm) throws NoSuchAlgorithmException { Provider cryptoProvider; try { cryptoProvider = (Provider) SecureRandom.class.getClassLoader() .loadClass( "org.apache.harmony.security.provider.crypto.CryptoProvider") .newInstance(); } catch (Exception e) { throw new RuntimeException(e); } Service service = cryptoProvider.getService("SecureRandom", algorithm); Instance instance = GetInstance.getInstance(service, SecureRandomSpi.class); return new SecureRandom( (SecureRandomSpi) instance.impl, instance.provider, algorithm); } // END Android-added: Crypto provider deprecation /** * Returns a SecureRandom object that implements the specified * Random Number Generator (RNG) algorithm. * *

A new SecureRandom object encapsulating the * SecureRandomSpi implementation from the specified Provider * object is returned. Note that the specified Provider object * does not have to be registered in the provider list. * *

The returned SecureRandom object has not been seeded. To seed the * returned object, call the {@code setSeed} method. * If {@code setSeed} is not called, the first call to * {@code nextBytes} will force the SecureRandom object to seed itself. * This self-seeding will not occur if {@code setSeed} was * previously called. * * @param algorithm the name of the RNG algorithm. * See the SecureRandom section in the * Java Cryptography Architecture Standard Algorithm Name Documentation * for information about standard RNG algorithm names. * * @param provider the provider. * * @return the new SecureRandom object. * * @exception NoSuchAlgorithmException if a SecureRandomSpi * implementation for the specified algorithm is not available * from the specified Provider object. * * @exception IllegalArgumentException if the specified provider is null. * * @see Provider * * @since 1.4 */ public static SecureRandom getInstance(String algorithm, Provider provider) throws NoSuchAlgorithmException { Instance instance = GetInstance.getInstance("SecureRandom", SecureRandomSpi.class, algorithm, provider); return new SecureRandom((SecureRandomSpi)instance.impl, instance.provider, algorithm); } /** * Returns the SecureRandomSpi of this SecureRandom object. */ SecureRandomSpi getSecureRandomSpi() { return secureRandomSpi; } /** * Returns the provider of this SecureRandom object. * * @return the provider of this SecureRandom object. */ public final Provider getProvider() { return provider; } /** * Returns the name of the algorithm implemented by this SecureRandom * object. * * @return the name of the algorithm or {@code unknown} * if the algorithm name cannot be determined. * @since 1.5 */ public String getAlgorithm() { return (algorithm != null) ? algorithm : "unknown"; } /** * Reseeds this random object. The given seed supplements, rather than * replaces, the existing seed. Thus, repeated calls are guaranteed * never to reduce randomness. * * @param seed the seed. * * @see #getSeed */ synchronized public void setSeed(byte[] seed) { secureRandomSpi.engineSetSeed(seed); } /** * Reseeds this random object, using the eight bytes contained * in the given {@code long seed}. The given seed supplements, * rather than replaces, the existing seed. Thus, repeated calls * are guaranteed never to reduce randomness. * *

This method is defined for compatibility with * {@code java.util.Random}. * * @param seed the seed. * * @see #getSeed */ @Override public void setSeed(long seed) { /* * Ignore call from super constructor (as well as any other calls * unfortunate enough to be passing 0). It's critical that we * ignore call from superclass constructor, as digest has not * yet been initialized at that point. */ if (seed != 0) { secureRandomSpi.engineSetSeed(longToByteArray(seed)); } } /** * Generates a user-specified number of random bytes. * *

If a call to {@code setSeed} had not occurred previously, * the first call to this method forces this SecureRandom object * to seed itself. This self-seeding will not occur if * {@code setSeed} was previously called. * * @param bytes the array to be filled in with random bytes. */ @Override // Android-changed: Added synchronized // This method has been synchronized at least since Cupcake, so it would probably // lead to problems if it was removed. synchronized public void nextBytes(byte[] bytes) { secureRandomSpi.engineNextBytes(bytes); } /** * Generates an integer containing the user-specified number of * pseudo-random bits (right justified, with leading zeros). This * method overrides a {@code java.util.Random} method, and serves * to provide a source of random bits to all of the methods inherited * from that class (for example, {@code nextInt}, * {@code nextLong}, and {@code nextFloat}). * * @param numBits number of pseudo-random bits to be generated, where * {@code 0 <= numBits <= 32}. * * @return an {@code int} containing the user-specified number * of pseudo-random bits (right justified, with leading zeros). */ @Override final protected int next(int numBits) { int numBytes = (numBits+7)/8; byte b[] = new byte[numBytes]; int next = 0; nextBytes(b); for (int i = 0; i < numBytes; i++) { next = (next << 8) + (b[i] & 0xFF); } return next >>> (numBytes*8 - numBits); } /** * Returns the given number of seed bytes, computed using the seed * generation algorithm that this class uses to seed itself. This * call may be used to seed other random number generators. * *

This method is only included for backwards compatibility. * The caller is encouraged to use one of the alternative * {@code getInstance} methods to obtain a SecureRandom object, and * then call the {@code generateSeed} method to obtain seed bytes * from that object. * * @param numBytes the number of seed bytes to generate. * * @return the seed bytes. * * @see #setSeed */ public static byte[] getSeed(int numBytes) { if (seedGenerator == null) { seedGenerator = new SecureRandom(); } return seedGenerator.generateSeed(numBytes); } /** * Returns the given number of seed bytes, computed using the seed * generation algorithm that this class uses to seed itself. This * call may be used to seed other random number generators. * * @param numBytes the number of seed bytes to generate. * * @return the seed bytes. */ public byte[] generateSeed(int numBytes) { return secureRandomSpi.engineGenerateSeed(numBytes); } /** * Helper function to convert a long into a byte array (least significant * byte first). */ private static byte[] longToByteArray(long l) { byte[] retVal = new byte[8]; for (int i = 0; i < 8; i++) { retVal[i] = (byte) l; l >>= 8; } return retVal; } /** * Gets a default PRNG algorithm by looking through all registered * providers. Returns the first PRNG algorithm of the first provider that * has registered a SecureRandom implementation, or null if none of the * registered providers supplies a SecureRandom implementation. */ private static String getPrngAlgorithm() { for (Provider p : Providers.getProviderList().providers()) { for (Service s : p.getServices()) { if (s.getType().equals("SecureRandom")) { return s.getAlgorithm(); } } } return null; } /* * Lazily initialize since Pattern.compile() is heavy. * Effective Java (2nd Edition), Item 71. */ private static final class StrongPatternHolder { /* * Entries are alg:prov separated by , * Allow for prepended/appended whitespace between entries. * * Capture groups: * 1 - alg * 2 - :prov (optional) * 3 - prov (optional) * 4 - ,nextEntry (optional) * 5 - nextEntry (optional) */ private static Pattern pattern = Pattern.compile( "\\s*([\\S&&[^:,]]*)(\\:([\\S&&[^,]]*))?\\s*(\\,(.*))?"); } /** * Returns a {@code SecureRandom} object. * * In Android this is equivalent to get a SHA1PRNG from OpenSSLProvider. * * Some situations require strong random values, such as when * creating high-value/long-lived secrets like RSA public/private * keys. To help guide applications in selecting a suitable strong * {@code SecureRandom} implementation, Java distributions * include a list of known strong {@code SecureRandom} * implementations in the {@code securerandom.strongAlgorithms} * Security property. *

* Every implementation of the Java platform is required to * support at least one strong {@code SecureRandom} implementation. * * @return a strong {@code SecureRandom} implementation * * @throws NoSuchAlgorithmException if no algorithm is available * * @see Security#getProperty(String) * * @since 1.8 */ public static SecureRandom getInstanceStrong() throws NoSuchAlgorithmException { String property = AccessController.doPrivileged( new PrivilegedAction() { @Override public String run() { return Security.getProperty( "securerandom.strongAlgorithms"); } }); if ((property == null) || (property.length() == 0)) { throw new NoSuchAlgorithmException( "Null/empty securerandom.strongAlgorithms Security Property"); } String remainder = property; while (remainder != null) { Matcher m; if ((m = StrongPatternHolder.pattern.matcher( remainder)).matches()) { String alg = m.group(1); String prov = m.group(3); try { if (prov == null) { return SecureRandom.getInstance(alg); } else { return SecureRandom.getInstance(alg, prov); } } catch (NoSuchAlgorithmException | NoSuchProviderException e) { } remainder = m.group(5); } else { remainder = null; } } throw new NoSuchAlgorithmException( "No strong SecureRandom impls available: " + property); } // Declare serialVersionUID to be compatible with JDK1.1 static final long serialVersionUID = 4940670005562187L; // Retain unused values serialized from JDK1.1 /** * @serial */ private byte[] state; /** * @serial */ private MessageDigest digest = null; /** * @serial * * We know that the MessageDigest class does not implement * java.io.Serializable. However, since this field is no longer * used, it will always be NULL and won't affect the serialization * of the SecureRandom class itself. */ private byte[] randomBytes; /** * @serial */ private int randomBytesUsed; /** * @serial */ private long counter; }