Hi,
I found that the spec says, for the no-argument constructor of
SecureRandom, SecureRandom():
"Note that this instance of SecureRandom has not been seeded. A call to
the setSeed method will seed the SecureRandom object. If a call is not made
to setSeed, the first call to the nextBytes method will force the
SecureRandom object to seed itself."

But it seems that SecureRandom does not call setSeed before the first call
to nextBytes when it is not seeded.
Here is a testcase:
    import java.security.SecureRandom;

    public class TestSecureRandom {
        public static void main(String[] args) {
            SecureRandom secureRandom = new MockSecureRandom();
            // First use of an instance that was never explicitly seeded.
            secureRandom.nextBytes(new byte[32]);
            System.out.println("Succeed!");
        }
    }

    // Subclass that reports any call to the public setSeed(byte[]) method.
    class MockSecureRandom extends SecureRandom {
        @Override
        public synchronized void setSeed(byte[] seed) {
            System.out.println("setSeed called!");
            super.setSeed(seed);
        }
    }
This shows that although the secureRandom is not seeded, when we call
nextBytes, it is not seeded by setSeed.
So my questions are:
1. Has the SecureRandom really been seeded?
2. How is it seeded, as the spec says?
3. Is it the implementation of SecureRandomSpi that seeds itself?
Thanks.
Good luck!
--
Leo Li
China Software Development Lab, IBM
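
An added example, not part of the original message and not code from any JDK: it traces where seeding can happen when SecureRandom.nextBytes delegates to SecureRandomSpi.engineNextBytes, which is the design the third question asks about and is assumed here for the runtime in use. TracingSpi, TracingRandom and their counters are hypothetical names; the SPI only wraps a platform SecureRandom to make the call path visible and is not a generator to deploy.

```java
import java.security.SecureRandom;
import java.security.SecureRandomSpi;

public class SpiSeedingDemo {
    // Hypothetical tracing SPI (illustration only, not a secure generator).
    static class TracingSpi extends SecureRandomSpi {
        private final SecureRandom delegate = new SecureRandom();
        private boolean seeded = false;
        int selfSeeds = 0; // lazy seeding performed inside the SPI

        @Override
        protected void engineSetSeed(byte[] seed) {
            seeded = true;
            delegate.setSeed(seed);
        }
        @Override
        protected void engineNextBytes(byte[] bytes) {
            if (!seeded) {
                // A real provider would gather entropy at this point;
                // here the delegate does it and we only record the event.
                selfSeeds++;
                seeded = true;
            }
            delegate.nextBytes(bytes);
        }
        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            return delegate.generateSeed(numBytes);
        }
    }

    // Counts calls to the public setSeed(byte[]), like MockSecureRandom.
    static class TracingRandom extends SecureRandom {
        int publicSetSeedCalls = 0;
        TracingRandom(SecureRandomSpi spi) { super(spi, null); }
        @Override
        public synchronized void setSeed(byte[] seed) {
            publicSetSeedCalls++;
            super.setSeed(seed);
        }
    }

    public static void main(String[] args) {
        TracingSpi spi = new TracingSpi();
        TracingRandom random = new TracingRandom(spi);
        random.nextBytes(new byte[32]); // first use, never explicitly seeded
        System.out.println("public setSeed calls: " + random.publicSetSeedCalls);
        System.out.println("SPI self-seed events: " + spi.selfSeeds);
    }
}
```

Comparing the two counters after the first nextBytes call shows whether seeding passed through the overridable public method or stayed inside the SPI.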