From 17e325565ed1251c7b1616f8761a5d8f320086e9 Mon Sep 17 00:00:00 2001 From: jmestwa-coder Date: Thu, 30 Apr 2026 15:19:33 +0530 Subject: [PATCH] Use SecureRandom for cryptographic operations and remove SHA1PRNG dependency --- .../random/DefaultSecureRandomSupplier.java | 20 ++++--------------- .../apache/wicket/util/crypt/SunJceCrypt.java | 5 +++-- 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java index 42e12ea6ddd..b471519cd44 100644 --- a/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java +++ b/wicket-core/src/main/java/org/apache/wicket/core/random/DefaultSecureRandomSupplier.java @@ -16,14 +16,11 @@ */ package org.apache.wicket.core.random; -import java.security.NoSuchAlgorithmException; import java.security.SecureRandom; -import org.apache.wicket.WicketRuntimeException; - /** - * A very simple {@link ISecureRandomSupplier} that holds a {@code SecureRandom} using - * {@code SHA1PRNG}. This {@code SecureRandom} is strong enough for generation of nonces with a + * A very simple {@link ISecureRandomSupplier} that holds a {@code SecureRandom}. + * This {@code SecureRandom} is strong enough for generation of nonces with a * short lifespan, but might not be strong enough for generating long-lived keys. When your * application has stronger requirements on the random implementation, you should replace this class * by your own implementation. @@ -34,19 +31,10 @@ public class DefaultSecureRandomSupplier implements ISecureRandomSupplier { private static final class Holder { - private static final SecureRandom INSTANCE; - - static - { - try - { - INSTANCE = SecureRandom.getInstance("SHA1PRNG"); - } catch (NoSuchAlgorithmException e) { - throw new WicketRuntimeException(e); - } - } + private static final SecureRandom INSTANCE = new SecureRandom(); } + @Override public SecureRandom getRandom() { diff --git a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java index f4cf621a146..52be4175610 100644 --- a/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java +++ b/wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java @@ -18,10 +18,10 @@ import java.security.GeneralSecurityException; import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.InvalidKeySpecException; import java.security.spec.KeySpec; -import java.util.Random; import javax.crypto.Cipher; import javax.crypto.SecretKey; @@ -42,6 +42,7 @@ */ public class SunJceCrypt extends AbstractCrypt { + private static final SecureRandom SECURE_RANDOM = new SecureRandom(); /** Name of the default encryption method */ public static final String DEFAULT_CRYPT_METHOD = "PBEWithMD5AndDES"; @@ -169,7 +170,7 @@ public static byte[] randomSalt() // must be 8 bytes - for anything else PBES1Core throws // InvalidAlgorithmParameterException: Salt must be 8 bytes long byte[] salt = new byte[8]; - new Random().nextBytes(salt); + SECURE_RANDOM.nextBytes(salt); return salt; } }