/*

 * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package java.security;

import java.util.*;

import java.util.regex.*;

import java.security.Provider.Service;

import sun.security.jca.*;

import sun.security.jca.GetInstance.Instance;

import sun.security.util.Debug;

/**

 * This class provides a cryptographically strong random number

 * generator (RNG).

 *

 * <p>A cryptographically strong random number

 * minimally complies with the statistical random number generator tests

 * specified in

 * <a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf">

 * <i>FIPS 140-2, Security Requirements for Cryptographic Modules</i></a>,

 * section 4.9.1.

 * Additionally, SecureRandom must produce non-deterministic output.

 * Therefore any seed material passed to a SecureRandom object must be

 * unpredictable, and all SecureRandom output sequences must be

 * cryptographically strong, as described in

 * <a href="http://tools.ietf.org/html/rfc4086">

 * <i>RFC 4086: Randomness Requirements for Security</i></a>.

 *

 * <p>A caller obtains a SecureRandom instance via the

 * no-argument constructor or one of the {@code getInstance} methods:

 *

 * <pre>

 *      SecureRandom random = new SecureRandom();

 * </pre>

 *

 * <p> Many SecureRandom implementations are in the form of a pseudo-random

 * number generator (PRNG), which means they use a deterministic algorithm

 * to produce a pseudo-random sequence from a true random seed.

 * Other implementations may produce true random numbers,

 * and yet others may use a combination of both techniques.

 *

 * <p> Typical callers of SecureRandom invoke the following methods

 * to retrieve random bytes:

 *

 * <pre>

 *      SecureRandom random = new SecureRandom();

 *      random.nextBytes(bytes);

 * </pre>

 *

 * <p> Callers may also invoke the {@code generateSeed} method

 * to generate a given number of seed bytes (to seed other random number

 * generators, for example):

 * <pre>

 * </pre>

 *

 * Note: Depending on the implementation, the {@code generateSeed} and

 * {@code nextBytes} methods may block as entropy is being gathered,

 * for example, if they need to read from /dev/random on various Unix-like

 * operating systems.

 *

 * @see java.security.SecureRandomSpi

 * @see java.util.Random

 *

 * @author Benjamin Renaud

 * @author Josh Bloch

 */

public class SecureRandom extends java.util.Random {

    private static final Debug pdebug =

                        Debug.getInstance("provider", "Provider");

    private static final boolean skipDebug =

        Debug.isOn("engine=") && !Debug.isOn("securerandom");

    /**

     * The provider.

     *

     * @serial

     * @since 1.2

     */

    private Provider provider = null;

    /**

     * The provider implementation.

     *

     * @serial

     * @since 1.2

     */

    private SecureRandomSpi secureRandomSpi = null;

    /*

     * The algorithm name of null if unknown.

     *

     * @serial

     * @since 1.5

     */

    private String algorithm;

    // Seed Generator

    private static volatile SecureRandom seedGenerator = null;

    /**

     * Constructs a secure random number generator (RNG) implementing the

     * default random number algorithm.

     *

     * <p> This constructor traverses the list of registered security Providers,

     * starting with the most preferred Provider.

     * A new SecureRandom object encapsulating the

     * SecureRandomSpi implementation from the first

     * Provider that supports a SecureRandom (RNG) algorithm is returned.

     * If none of the Providers support a RNG algorithm,

     * then an implementation-specific default is returned.

     *

     * <p> Note that the list of registered providers may be retrieved via

     * the {@link Security#getProviders() Security.getProviders()} method.

     *

     * <p> See the SecureRandom section in the <a href=

     * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">

     * Java Cryptography Architecture Standard Algorithm Name Documentation</a>

     * for information about standard RNG algorithm names.

     *

     * <p> The returned SecureRandom object has not been seeded.  To seed the

     * returned object, call the {@code setSeed} method.

     * If {@code setSeed} is not called, the first call to

     * {@code nextBytes} will force the SecureRandom object to seed itself.

     * This self-seeding will not occur if {@code setSeed} was

     * previously called.

     */

    public SecureRandom() {

        /*

         * This call to our superclass constructor will result in a call

         * to our own {@code setSeed} method, which will return

         * immediately when it is passed zero.

         */

        super(0);

        getDefaultPRNG(false, null);

    }

    /**

     * Constructs a secure random number generator (RNG) implementing the

     * default random number algorithm.

     * The SecureRandom instance is seeded with the specified seed bytes.

     *

     * <p> This constructor traverses the list of registered security Providers,

     * starting with the most preferred Provider.

     * A new SecureRandom object encapsulating the

     * SecureRandomSpi implementation from the first

     * Provider that supports a SecureRandom (RNG) algorithm is returned.

     * If none of the Providers support a RNG algorithm,

     * then an implementation-specific default is returned.

     *

     * <p> Note that the list of registered providers may be retrieved via

     * the {@link Security#getProviders() Security.getProviders()} method.

     *

     * <p> See the SecureRandom section in the <a href=

     * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">

     * Java Cryptography Architecture Standard Algorithm Name Documentation</a>

     * for information about standard RNG algorithm names.

     *

     * @param seed the seed.

     */

        super(0);

        getDefaultPRNG(true, seed);

    }

    private void getDefaultPRNG(boolean setSeed, byte[] seed) {

        String prng = getPrngAlgorithm();

        if (prng == null) {

            // bummer, get the SUN implementation

            prng = "SHA1PRNG";

            this.secureRandomSpi = new sun.security.provider.SecureRandom();

            this.provider = Providers.getSunProvider();

            if (setSeed) {

                this.secureRandomSpi.engineSetSeed(seed);

            }

        } else {

            try {

                SecureRandom random = SecureRandom.getInstance(prng);

                this.secureRandomSpi = random.getSecureRandomSpi();

                this.provider = random.getProvider();

                if (setSeed) {

                    this.secureRandomSpi.engineSetSeed(seed);

                }

            } catch (NoSuchAlgorithmException nsae) {

                // never happens, because we made sure the algorithm exists

                throw new RuntimeException(nsae);

            }

        }

        // JDK 1.1 based implementations subclass SecureRandom instead of

        // SecureRandomSpi. They will also go through this code path because

        // they must call a SecureRandom constructor as it is their superclass.

        // If we are dealing with such an implementation, do not set the

        // algorithm value as it would be inaccurate.

        if (getClass() == SecureRandom.class) {

            this.algorithm = prng;

        }

    }

    /**

     * Creates a SecureRandom object.

     *

     * @param secureRandomSpi the SecureRandom implementation.

     * @param provider the provider.

     */

    protected SecureRandom(SecureRandomSpi secureRandomSpi,

                           Provider provider) {

        this(secureRandomSpi, provider, null);

    }

    private SecureRandom(SecureRandomSpi secureRandomSpi, Provider provider,

            String algorithm) {

        super(0);

        this.secureRandomSpi = secureRandomSpi;

        this.provider = provider;

        this.algorithm = algorithm;

        if (!skipDebug && pdebug != null) {

            pdebug.println("SecureRandom." + algorithm +

                " algorithm from: " + this.provider.getName());

        }

    }

    /**

     * Returns a SecureRandom object that implements the specified

     * Random Number Generator (RNG) algorithm.

     *

     * <p> This method traverses the list of registered security Providers,

     * starting with the most preferred Provider.

     * A new SecureRandom object encapsulating the

     * SecureRandomSpi implementation from the first

     * Provider that supports the specified algorithm is returned.

     *

     * <p> Note that the list of registered providers may be retrieved via

     * the {@link Security#getProviders() Security.getProviders()} method.

     *

     * <p> The returned SecureRandom object has not been seeded.  To seed the

     * returned object, call the {@code setSeed} method.

     * If {@code setSeed} is not called, the first call to

     * {@code nextBytes} will force the SecureRandom object to seed itself.

     * This self-seeding will not occur if {@code setSeed} was

     * previously called.

     *

     * @param algorithm the name of the RNG algorithm.

     * See the SecureRandom section in the <a href=

     * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">

     * Java Cryptography Architecture Standard Algorithm Name Documentation</a>

     * for information about standard RNG algorithm names.

     *

     * @return the new SecureRandom object.

     *

     * @exception NoSuchAlgorithmException if no Provider supports a

     *          SecureRandomSpi implementation for the

     *          specified algorithm.

     *

     * @see Provider

     *

     * @since 1.2

     */

    public static SecureRandom getInstance(String algorithm)

            throws NoSuchAlgorithmException {

        Instance instance = GetInstance.getInstance("SecureRandom",

            SecureRandomSpi.class, algorithm);

        return new SecureRandom((SecureRandomSpi)instance.impl,

            instance.provider, algorithm);

    }

    /**

     * Returns a SecureRandom object that implements the specified

     * Random Number Generator (RNG) algorithm.

     *

     * <p> A new SecureRandom object encapsulating the

     * SecureRandomSpi implementation from the specified provider

     * is returned.  The specified provider must be registered

     * in the security provider list.

     *

     * <p> Note that the list of registered providers may be retrieved via

     * the {@link Security#getProviders() Security.getProviders()} method.

     *

     * <p> The returned SecureRandom object has not been seeded.  To seed the

     * returned object, call the {@code setSeed} method.

     * If {@code setSeed} is not called, the first call to

     * {@code nextBytes} will force the SecureRandom object to seed itself.

     * This self-seeding will not occur if {@code setSeed} was

     * previously called.

     *

     * @param algorithm the name of the RNG algorithm.

     * See the SecureRandom section in the <a href=

     * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">

     * Java Cryptography Architecture Standard Algorithm Name Documentation</a>

     * for information about standard RNG algorithm names.

     *

     * @param provider the name of the provider.

     *

     * @return the new SecureRandom object.

     *

     * @exception NoSuchAlgorithmException if a SecureRandomSpi

     *          implementation for the specified algorithm is not

     *          available from the specified provider.

     *

     * @exception NoSuchProviderException if the specified provider is not

     *          registered in the security provider list.

     *

     * @exception IllegalArgumentException if the provider name is null

     *          or empty.

     *

     * @see Provider

     *

     * @since 1.2

     */

    public static SecureRandom getInstance(String algorithm, String provider)

            throws NoSuchAlgorithmException, NoSuchProviderException {

        Instance instance = GetInstance.getInstance("SecureRandom",

            SecureRandomSpi.class, algorithm, provider);

        return new SecureRandom((SecureRandomSpi)instance.impl,

            instance.provider, algorithm);

    }

    /**

     * Returns a SecureRandom object that implements the specified

     * Random Number Generator (RNG) algorithm.

     *

     * <p> A new SecureRandom object encapsulating the

     * SecureRandomSpi implementation from the specified Provider

     * object is returned.  Note that the specified Provider object

     * does not have to be registered in the provider list.

     *

     * <p> The returned SecureRandom object has not been seeded.  To seed the

     * returned object, call the {@code setSeed} method.

     * If {@code setSeed} is not called, the first call to

     * {@code nextBytes} will force the SecureRandom object to seed itself.

     * This self-seeding will not occur if {@code setSeed} was

     * previously called.

     *

     * @param algorithm the name of the RNG algorithm.

     * See the SecureRandom section in the <a href=

     * "{@docRoot}/../technotes/guides/security/StandardNames.html#SecureRandom">

     * Java Cryptography Architecture Standard Algorithm Name Documentation</a>

     * for information about standard RNG algorithm names.

     *

     * @param provider the provider.

     *

     * @return the new SecureRandom object.

     *

     * @exception NoSuchAlgorithmException if a SecureRandomSpi

     *          implementation for the specified algorithm is not available

     *          from the specified Provider object.

     *

     * @exception IllegalArgumentException if the specified provider is null.

     *

     * @see Provider

     *

     * @since 1.4

     */

    public static SecureRandom getInstance(String algorithm,

            Provider provider) throws NoSuchAlgorithmException {

        Instance instance = GetInstance.getInstance("SecureRandom",

            SecureRandomSpi.class, algorithm, provider);

        return new SecureRandom((SecureRandomSpi)instance.impl,

            instance.provider, algorithm);

    }

    /**

     * Returns the SecureRandomSpi of this SecureRandom object.

     */

    SecureRandomSpi getSecureRandomSpi() {

        return secureRandomSpi;

    }

    /**

     * Returns the provider of this SecureRandom object.

     *

     * @return the provider of this SecureRandom object.

     */

    public final Provider getProvider() {

        return provider;

    }

    /**

     * Returns the name of the algorithm implemented by this SecureRandom

     * object.

     *

     * @return the name of the algorithm or {@code unknown}

     *          if the algorithm name cannot be determined.

     * @since 1.5

     */

    public String getAlgorithm() {

        return (algorithm != null) ? algorithm : "unknown";

    }

    /**

     * Reseeds this random object. The given seed supplements, rather than

     * replaces, the existing seed. Thus, repeated calls are guaranteed

     * never to reduce randomness.

     *

     * @param seed the seed.

     *

     * @see #getSeed

     */

    synchronized public void setSeed(byte[] seed) {

        secureRandomSpi.engineSetSeed(seed);

    }

    /**

     * Reseeds this random object, using the eight bytes contained

     * in the given {@code long seed}. The given seed supplements,

     * rather than replaces, the existing seed. Thus, repeated calls

     * are guaranteed never to reduce randomness.

     *

     * <p>This method is defined for compatibility with

     * {@code java.util.Random}.

     *

     * @param seed the seed.

     *

     * @see #getSeed

     */

    @Override

    public void setSeed(long seed) {

        /*

         * Ignore call from super constructor (as well as any other calls

         * unfortunate enough to be passing 0).  It's critical that we

         * ignore call from superclass constructor, as digest has not

         * yet been initialized at that point.

         */

        if (seed != 0) {

            secureRandomSpi.engineSetSeed(longToByteArray(seed));

        }

    }

    /**

     * Generates a user-specified number of random bytes.

     *

     * <p> If a call to {@code setSeed} had not occurred previously,

     * the first call to this method forces this SecureRandom object

     * to seed itself.  This self-seeding will not occur if

     * {@code setSeed} was previously called.

     *

     * @param bytes the array to be filled in with random bytes.

     */

    @Override

    synchronized public void nextBytes(byte[] bytes) {

        secureRandomSpi.engineNextBytes(bytes);

    }

    /**

     * Generates an integer containing the user-specified number of

     * pseudo-random bits (right justified, with leading zeros).  This

     * method overrides a {@code java.util.Random} method, and serves

     * to provide a source of random bits to all of the methods inherited

     * from that class (for example, {@code nextInt},

     * {@code nextLong}, and {@code nextFloat}).

     *

     * @param numBits number of pseudo-random bits to be generated, where

     * {@code 0 <= numBits <= 32}.

     *

     * @return an {@code int} containing the user-specified number

     * of pseudo-random bits (right justified, with leading zeros).

     */

    @Override

    final protected int next(int numBits) {

        int numBytes = (numBits+7)/8;

        int next = 0;

        nextBytes(b);

        for (int i = 0; i < numBytes; i++) {

            next = (next << 8) + (b[i] & 0xFF);

        }

        return next >>> (numBytes*8 - numBits);

    }

    /**

     * Returns the given number of seed bytes, computed using the seed

     * generation algorithm that this class uses to seed itself.  This

     * call may be used to seed other random number generators.

     *

     * <p>This method is only included for backwards compatibility.

     * The caller is encouraged to use one of the alternative

     * {@code getInstance} methods to obtain a SecureRandom object, and

     * then call the {@code generateSeed} method to obtain seed bytes

     * from that object.

     *

     * @param numBytes the number of seed bytes to generate.

     *

     * @return the seed bytes.

     *

     * @see #setSeed

     */

    public static byte[] getSeed(int numBytes) {