diff --git a/smack-core/src/main/java/org/jivesoftware/smack/util/RandomUtil.java b/smack-core/src/main/java/org/jivesoftware/smack/util/RandomUtil.java
new file mode 100644
index 000000000..6a0c617ba
--- /dev/null
+++ b/smack-core/src/main/java/org/jivesoftware/smack/util/RandomUtil.java
@@ -0,0 +1,46 @@
+/**
+ *
+ * Copyright 2003-2007 Jive Software, 2016-2019 Florian Schmaus.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jivesoftware.smack.util;
+
+import java.security.SecureRandom;
+import java.util.Random;
+
+public class RandomUtil {
+
+ static final ThreadLocal SECURE_RANDOM = new ThreadLocal() {
+ @Override
+ protected SecureRandom initialValue() {
+ return new SecureRandom();
+ }
+ };
+
+ /**
+ * Pseudo-random number generator object for use with randomString().
+ * The Random class is not considered to be cryptographically secure, so
+ * only use these random Strings for low to medium security applications.
+ */
+ static final ThreadLocal RANDOM = new ThreadLocal() {
+ @Override
+ protected Random initialValue() {
+ return new Random();
+ }
+ };
+
+ public static int nextSecureRandomInt(int bound) {
+ return SECURE_RANDOM.get().nextInt(bound);
+ }
+}
diff --git a/smack-core/src/main/java/org/jivesoftware/smack/util/StringUtils.java b/smack-core/src/main/java/org/jivesoftware/smack/util/StringUtils.java
index affe6a047..82e75f8b7 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/util/StringUtils.java
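Review bot: The Javadoc carried over onto `RANDOM` in RandomUtil.java is now stale and understates the risk: it points at `randomString()`, which after this commit draws from `SECURE_RANDOM`, and it describes `java.util.Random` as fit for "low to medium security applications". `java.util.Random` output is predictable, so the comment should restrict the field to non-security uses and name its actual consumer, e.g. `Not cryptographically secure; used by StringUtils.insecureRandomString() only. Never use for tokens, keys, padding or other values that must be unpredictable.` Because the two fields sit side by side with package visibility, renaming this one to `INSECURE_RANDOM` would make a mix-up harder. `nextSecureRandomInt(int bound)` has no Javadoc either; it should state that the result lies in `[0, bound)` and that a non-positive bound throws `IllegalArgumentException`.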
+++ b/smack-core/src/main/java/org/jivesoftware/smack/util/StringUtils.java @@ -1,6 +1,6 @@ /** * - * Copyright 2003-2007 Jive Software, 2016-2018 Florian Schmaus. + * Copyright 2003-2007 Jive Software, 2016-2019 Florian Schmaus. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,7 +18,6 @@ package org.jivesoftware.smack.util; import java.io.UnsupportedEncodingException; -import java.security.SecureRandom; import java.util.Collection; import java.util.Iterator; import java.util.Random; @@ -253,18 +252,6 @@ public class StringUtils { } } - /** - * Pseudo-random number generator object for use with randomString(). - * The Random class is not considered to be cryptographically secure, so - * only use these random Strings for low to medium security applications. - */ - private static final ThreadLocal randGen = new ThreadLocal() { - @Override - protected Random initialValue() { - return new Random(); - } - }; - /** * Array of numbers and letters of mixed case. Numbers appear in the list * twice so that there is a more equal chance that a number will be picked. @@ -288,18 +275,11 @@ public class StringUtils { * @return a random String of numbers and letters of the specified length. */ public static String insecureRandomString(int length) { - return randomString(length, randGen.get()); + return randomString(length, RandomUtil.RANDOM.get()); } - private static final ThreadLocal SECURE_RANDOM = new ThreadLocal() { - @Override - protected SecureRandom initialValue() { - return new SecureRandom(); - } - }; - public static String randomString(final int length) { - return randomString(length, SECURE_RANDOM.get()); + return randomString(length, RandomUtil.SECURE_RANDOM.get()); } public static String randomString(final int length, Random random) { 
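Review bot: `randomString(final int length)` in the last hunk still has no Javadoc, so the only thing that separates it from `insecureRandomString(int)` for a caller is the method name. Now that both generators live in `RandomUtil`, a short comment on the secure variant would make the contract explicit, for example `/** Returns a random String of the given length, drawn from a thread-local SecureRandom. */`. The public overload `randomString(final int length, Random random)` that begins on the hunk's final line accepts any `Random`; its body is outside the hunk, but its documentation should tell callers to pass a `SecureRandom` whenever the result must be unpredictable.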
diff --git a/smack-openpgp/src/main/java/org/jivesoftware/smackx/ox/element/EncryptedOpenPgpContentElement.java b/smack-openpgp/src/main/java/org/jivesoftware/smackx/ox/element/EncryptedOpenPgpContentElement.java index 951dc90f8..0494e80d0 100644 --- a/smack-openpgp/src/main/java/org/jivesoftware/smackx/ox/element/EncryptedOpenPgpContentElement.java +++ b/smack-openpgp/src/main/java/org/jivesoftware/smackx/ox/element/EncryptedOpenPgpContentElement.java @@ -1,6 +1,6 @@ /** * - * Copyright 2017 Florian Schmaus, 2018 Paul Schaub. + * Copyright 2017-2019 Florian Schmaus, 2018 Paul Schaub. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,13 +16,13 @@ */ package org.jivesoftware.smackx.ox.element; -import java.security.SecureRandom; import java.util.Date; import java.util.List; import java.util.Set; import org.jivesoftware.smack.packet.ExtensionElement; import org.jivesoftware.smack.util.Objects; +import org.jivesoftware.smack.util.RandomUtil; import org.jivesoftware.smack.util.StringUtils; import org.jivesoftware.smack.util.XmlStringBuilder; @@ -53,8 +53,7 @@ public abstract class EncryptedOpenPgpContentElement extends OpenPgpContentEleme } private static String createRandomPadding() { - SecureRandom secRan = new SecureRandom(); - int len = secRan.nextInt(256); + int len = RandomUtil.nextSecureRandomInt(256); return StringUtils.randomString(len); }
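Review bot: In `createRandomPadding()`, `RandomUtil.nextSecureRandomInt(256)` yields values from 0 to 255, so `len` can be 0 and the padding is then whatever `StringUtils.randomString(0)` returns. That method's body is not visible here, so confirm it returns an empty string rather than `null` before the value is written into the element. The bound is also a bare literal; a named constant such as `private static final int MAX_PADDING_LENGTH = 256;`, with a comment that the bound is exclusive, would document the intended padding range. Both points were already present before this commit, which only changes where the generator comes from.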