Use SecureRandom.getInstanceStrong() instead of SecureRandom()

data/src/main/java/org/cryptomator/data/cloud/crypto/CryptoCloudFactory.java

@@ -9,13 +9,15 @@
 import org.cryptomator.domain.UnverifiedVaultConfig;
 import org.cryptomator.domain.Vault;
 import org.cryptomator.domain.exception.BackendException;
+import org.cryptomator.domain.exception.FatalBackendException;
 import org.cryptomator.domain.repository.CloudContentRepository;
 import org.cryptomator.domain.usecases.ProgressAware;
 import org.cryptomator.domain.usecases.cloud.Flag;
 import org.cryptomator.domain.usecases.vault.UnlockToken;
 
 import java.io.ByteArrayOutputStream;
 import java.nio.charset.StandardCharsets;
+import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 
 import javax.inject.Inject;
@@ -29,13 +31,18 @@ public class CryptoCloudFactory {
 
 	private final CloudContentRepository<Cloud, CloudNode, CloudFolder, CloudFile> cloudContentRepository;
 	private final CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory;
-	private final SecureRandom secureRandom = new SecureRandom();
+	private final SecureRandom secureRandom;
 
 	@Inject
 	public CryptoCloudFactory(CloudContentRepository/*<Cloud, CloudNode, CloudFolder, CloudFile>*/ cloudContentRepository, //
 			CryptoCloudContentRepositoryFactory cryptoCloudContentRepositoryFactory) {
 		this.cloudContentRepository = cloudContentRepository;
 		this.cryptoCloudContentRepositoryFactory = cryptoCloudContentRepositoryFactory;
+		try {
+			secureRandom = SecureRandom.getInstanceStrong();
+		} catch (NoSuchAlgorithmException e) {
+			throw new FatalBackendException("A strong algorithm must exist in every Java platform.", e);
+		}
 	}
 
 	public void create(CloudFolder location, CharSequence password) throws BackendException {

data/src/main/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProvider.kt

@@ -157,7 +157,7 @@ class MasterkeyCryptoCloudProvider(
 	@Throws(BackendException::class)
 	private fun createUnlockToken(vault: Vault, location: CloudFile): UnlockTokenImpl {
 		val keyFileData = readKeyFileData(location)
-		return UnlockTokenImpl(vault, keyFileData)
+		return UnlockTokenImpl(vault, secureRandom, keyFileData)
 	}
 
 	@Throws(BackendException::class)
@@ -290,15 +290,15 @@ class MasterkeyCryptoCloudProvider(
 		}
 	}
 
-	class UnlockTokenImpl(private val vault: Vault, val keyFileData: ByteArray) : UnlockToken {
+	class UnlockTokenImpl(private val vault: Vault, private val secureRandom: SecureRandom, val keyFileData: ByteArray) : UnlockToken {
 
 		override fun getVault(): Vault {
 			return vault
 		}
 
 		@Throws(IOException::class)
 		fun getKeyFile(password: CharSequence?): Masterkey {
-			return MasterkeyFileAccess(CryptoConstants.PEPPER, SecureRandom()).load(ByteArrayInputStream(keyFileData), password)
+			return MasterkeyFileAccess(CryptoConstants.PEPPER, secureRandom).load(ByteArrayInputStream(keyFileData), password)
 		}
 	}
 }

data/src/test/java/org/cryptomator/data/cloud/crypto/MasterkeyCryptoCloudProviderTest.kt

@@ -165,7 +165,7 @@ internal class MasterkeyCryptoCloudProviderTest {
 		whenever(vault.path).thenReturn("/foo")
 		whenever(vault.isUnlocked).thenReturn(true)
 
-		val unlockToken = UnlockTokenImpl(vault, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
+		val unlockToken = UnlockTokenImpl(vault, secureRandom, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
 		val unverifiedVaultConfig = UnverifiedVaultConfig(vaultConfig, URI.create(String.format("%s:%s", CryptoConstants.MASTERKEY_SCHEME, CryptoConstants.MASTERKEY_FILE_NAME)), CryptoConstants.MAX_VAULT_VERSION)
 		val result: Vault = inTest.unlock(unlockToken, Optional.of(unverifiedVaultConfig), "foo") { false }
 
@@ -192,7 +192,7 @@ internal class MasterkeyCryptoCloudProviderTest {
 		whenever(vault.path).thenReturn("/foo")
 		whenever(vault.isUnlocked).thenReturn(true)
 
-		val unlockToken = UnlockTokenImpl(vault, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
+		val unlockToken = UnlockTokenImpl(vault, secureRandom, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
 		val result = inTest.unlock(unlockToken, Optional.absent(), "foo", { false })
 
 		MatcherAssert.assertThat(result.isUnlocked, CoreMatchers.`is`(true))
@@ -206,7 +206,7 @@ internal class MasterkeyCryptoCloudProviderTest {
 	@Test
 	@DisplayName("unlockLegacyUsingNewVault(\"foo\")")
 	fun testUnlockLegacyVaultUsingVaultFormat8() {
-		val unlockToken: UnlockToken = UnlockTokenImpl(vault, masterkeyV8.toByteArray(StandardCharsets.UTF_8))
+		val unlockToken: UnlockToken = UnlockTokenImpl(vault, secureRandom, masterkeyV8.toByteArray(StandardCharsets.UTF_8))
 		Assertions.assertThrows(MissingVaultConfigFileException::class.java) { inTest.unlock(unlockToken, Optional.absent(), "foo", { false }) }
 	}
 
@@ -302,15 +302,15 @@ internal class MasterkeyCryptoCloudProviderTest {
 		if (legacy) {
 			MatcherAssert.assertThat(testVaultPasswordVault(masterkeyV7, Optional.absent(), password), CoreMatchers.`is`(true))
 
-			val unlockToken = UnlockTokenImpl(vault, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
+			val unlockToken = UnlockTokenImpl(vault, secureRandom, masterkeyV7.toByteArray(StandardCharsets.UTF_8))
 
 			Mockito.verify(inTest).cryptorFor(unlockToken.getKeyFile(password), CryptorProvider.Scheme.SIV_CTRMAC)
 		} else {
 			val unverifiedVaultConfig = UnverifiedVaultConfig(vaultConfig, URI.create(String.format("%s:%s", CryptoConstants.MASTERKEY_SCHEME, CryptoConstants.MASTERKEY_FILE_NAME)), CryptoConstants.MAX_VAULT_VERSION)
 
 			MatcherAssert.assertThat(testVaultPasswordVault(masterkeyV8, Optional.of(unverifiedVaultConfig), password), CoreMatchers.`is`(true))
 
-			val unlockToken = UnlockTokenImpl(vault, masterkeyV8.toByteArray(StandardCharsets.UTF_8))
+			val unlockToken = UnlockTokenImpl(vault, secureRandom, masterkeyV8.toByteArray(StandardCharsets.UTF_8))
 
 			Mockito.verify(inTest).cryptorFor(unlockToken.getKeyFile(password), CryptorProvider.Scheme.SIV_GCM)
 		}