Info Call to Random API

Description

List of all calls to methods that return pseudo-random values.

Recommendation

Do not seed java.util.Random with the current time: a timestamp is easier for an attacker to guess than the default seed.

The java.util.Random class must not be used in security-critical code or to protect sensitive data: its output is fully determined by a 48-bit seed, so it is predictable to anyone who learns or guesses that seed. Use a cryptographically strong generator such as java.security.SecureRandom instead.

Technical details

Method c.e.a.a.h.Ac.w() calling method java.util.Random.<init>()


    /**
     * Returns a long id. When the counter {@code this.e} is non-zero the id is the counter's
     * current value (the counter is then incremented); otherwise the id is built from a freshly
     * seeded {@code java.util.Random} plus the instance counter {@code this.f}.
     *
     * Security note: the fallback branch seeds java.util.Random with System.nanoTime() XORed
     * with a value read through {@code this.a.n}. A time-derived seed is what the report's
     * recommendation warns about, so ids from that branch should be treated as guessable.
     * The q() listing for this class stores a SecureRandom long into {@code this.e}, so the
     * fallback runs only while {@code this.e} holds 0.
     * NOTE(review): how callers use the returned id is not visible here; confirm it is never
     * used as a secret or token.
     *
     * This is decompiler output: declared local types are unreliable.
     *
     * @return the generated id
     */
    public final long w()
    {
        // e exposes get/compareAndSet/getAndIncrement (presumably an AtomicLong; confirm).
        if (this.e.get() != 0) {
            try {
                // Swap -1 for 1 first: otherwise getAndIncrement() would move the counter from
                // -1 to 0, and 0 selects the java.util.Random fallback on the next call.
                this.e.compareAndSet(-1, 1);
                return this.e.getAndIncrement();
            } catch (Throwable v1_2) {
                // Rethrows unchanged; no effect on behaviour (likely a decompiler artifact).
                throw v1_2;
            }
        } else {
            try {
                // Empty try body as emitted by the decompiler.
            } catch (Throwable v1_7) {
                throw v1_7;
            }
            // Weak path: java.util.Random with a nanoTime-based seed. The declared type
            // "Throwable" is a decompiler artifact; the value is the long from nextLong().
            Throwable v1_5 = new java.util.Random((System.nanoTime() ^ ((c.e.a.a.c.d.b) this.a.n).a())).nextLong();
            // Per-instance counter added to the random value; no synchronization is visible here.
            long v3_1 = (this.f + 1);
            this.f = v3_1;
            return (v1_5 + ((long) v3_1));
        }
    }

Method c.f.a.a.t.<init>() calling method java.util.Random.<init>()


    /**
     * Initialises the instance: allocates a list and a byte buffer, generates a 30-character
     * random string into {@code this.d}, and precomputes two byte sequences built from it:
     * {@code "--" + d + "\r\n"} in {@code this.e} and {@code "--" + d + "--" + "\r\n"} in
     * {@code this.f}.
     *
     * Security note: the random string comes from {@code java.util.Random} with its default
     * seed. The "--" prefix and "--" suffix with CRLF look like multipart boundary delimiters
     * (presumably; confirm). A boundary is a delimiter rather than a secret, so this use is
     * normally low risk.
     * NOTE(review): confirm {@code this.d} is not reused as a token or identifier that must be
     * unpredictable.
     *
     * This is decompiler output: declared local types are unreliable.
     *
     * @param p6 stored unchanged in {@code this.i}
     */
    public t(c.f.a.a.r p6)
    {
        this.g = new java.util.ArrayList();
        this.h = new java.io.ByteArrayOutputStream();
        // v0_9 is really the StringBuilder and v1_0 the Random; the declared types are artifacts.
        byte[] v0_9 = new StringBuilder();
        // Non-cryptographic generator, default seed.
        StringBuilder v1_0 = new java.util.Random();
        String v2_0 = 0;
        // Pick 30 characters uniformly from the static array c.f.a.a.t.c.
        while (v2_0 < 30) {
            String v3_2 = c.f.a.a.t.c;
            v0_9.append(v3_2[v1_0.nextInt(v3_2.length)]);
            v2_0++;
        }
        this.d = v0_9.toString();
        // c.a.a.a.a.a("--") presumably returns a StringBuilder primed with "--" (confirm).
        StringBuilder v1_1 = c.a.a.a.a.a("--");
        v1_1.append(this.d);
        v1_1.append("\r\n");
        // getBytes() without a charset argument uses the platform default encoding.
        this.e = v1_1.toString().getBytes();
        StringBuilder v1_4 = c.a.a.a.a.a("--");
        v1_4.append(this.d);
        v1_4.append("--");
        v1_4.append("\r\n");
        this.f = v1_4.toString().getBytes();
        this.i = p6;
        return;
    }

Method d.a.a.a.i.a.d.a() calling method java.security.SecureRandom.<init>()


    /**
     * Begins building a response to an HTTP Digest authentication challenge: validates the
     * challenge parameters, selects a qop mode and a digest algorithm, and reads the user name
     * and password from the credentials.
     *
     * The listing stops after the password is read. No return statement and no
     * {@code java.security.SecureRandom} call are visible, so the call this report entry flags
     * lies in the part of the method that is not shown.
     * NOTE(review): presumably that call generates the client nonce; confirm against the full
     * decompiled method.
     *
     * Security notes grounded in the visible code:
     * - The digest algorithm name is taken from the challenge and defaults to "MD5".
     * - Any other name from the challenge is passed to MessageDigest.getInstance() as is.
     * - The password is read into a local variable in clear form.
     * MD5-based Digest authentication should not be relied on without TLS.
     *
     * This is decompiler output: declared local types are unreliable.
     *
     * @param p28 credentials; must be non-null per the check below
     * @param p29 the HTTP request being authenticated
     * @param p30 not referenced in the visible part of the listing
     * @throws d.a.a.a.a.j if the challenge has no realm or nonce, or offers no supported qop
     */
    public d.a.a.a.e a(d.a.a.a.a.n p28, d.a.a.a.p p29, d.a.a.a.m.e p30)
    {
        // Argument checks; the string is presumably the name used in the failure message.
        a.b.f.a.H.b(p28, "Credentials");
        a.b.f.a.H.b(p29, "HTTP request");
        if (this.a("realm") == null) {
            throw new d.a.a.a.a.j("missing realm in challenge");
        } else {
            if (this.a("nonce") == null) {
                throw new d.a.a.a.a.j("missing nonce in challenge");
            } else {
                // Record the request method and URI alongside the challenge parameters.
                this.b.put("methodname", ((d.a.a.a.k.m) p29.getRequestLine()).b);
                this.b.put("uri", ((d.a.a.a.k.m) p29.getRequestLine()).c);
                if (this.a("charset") == null) {
                    this.b.put("charset", this.a(p29));
                }
                d.a.a.a.k.l v6_27 = this.a("uri");
                String v9_1 = this.a("realm");
                java.security.MessageDigest v10_6 = this.a("nonce");
                String v12_1 = this.a("opaque");
                int v7_16 = this.a("methodname");
                String v14 = this.a("algorithm");
                // No algorithm in the challenge: fall back to MD5.
                if (v14 == null) {
                    v14 = "MD5";
                }
                d.a.a.a.k.e v8_15;
                String v20;
                int v15_0;
                java.util.StringTokenizer v19;
                String v3_10 = new java.util.HashSet(8);
                d.a.a.a.i.a.g v11_9 = this.a("qop");
                String v17 = v12_1;
                String v13_0 = "auth";
                // v15_0 encodes the chosen qop: 0 = challenge had no qop, 1 = auth-int,
                // 2 = auth, -1 = nothing supported. v8_15 is always the -1 sentinel.
                if (v11_9 == null) {
                    v20 = "uri";
                    v19 = "qop";
                    v8_15 = -1;
                    v15_0 = 0;
                } else {
                    v19 = "qop";
                    v20 = "uri";
                    // Split the comma-separated qop list into a lower-cased, trimmed set.
                    int v15_2 = new java.util.StringTokenizer(v11_9, ",");
                    while (v15_2.hasMoreTokens()) {
                        String v21_2 = v15_2;
                        v3_10.add(v15_2.nextToken().trim().toLowerCase(java.util.Locale.ENGLISH));
                        v15_2 = v21_2;
                    }
                    // auth-int is chosen only when the request is a d.a.a.a.k and the server
                    // offered it; otherwise plain auth is used if offered.
                    if ((!(p29 instanceof d.a.a.a.k)) || (!v3_10.contains("auth-int"))) {
                        if (!v3_10.contains("auth")) {
                            v8_15 = -1;
                            v15_0 = -1;
                        } else {
                            v8_15 = -1;
                            v15_0 = 2;
                        }
                    } else {
                        v8_15 = -1;
                        v15_0 = 1;
                    }
                }
                if (v15_0 == v8_15) {
                    throw new d.a.a.a.a.j(c.a.a.a.a.a("None of the qop methods is supported: ", v11_9));
                } else {
                    java.util.StringTokenizer v5_0 = this.a("charset");
                    if (v5_0 == null) {
                        v5_0 = "ISO-8859-1";
                    }
                    d.a.a.a.i.a.g v11_1;
                    // "MD5-sess" uses the MD5 digest; any other name is used verbatim.
                    if (!v14.equalsIgnoreCase("MD5-sess")) {
                        v11_1 = v14;
                    } else {
                        v11_1 = "MD5";
                    }
                    String v23;
                    // The algorithm name originates from the challenge, i.e. from the server.
                    d.a.a.a.i.a.g v11_2 = java.security.MessageDigest.getInstance(v11_1);
                    String v12_0 = p28.getUserPrincipal().getName();
                    // Clear-text password held in a local; the listing ends here.
                    java.util.ArrayList v4_0 = p28.getPassword();
                }
            }
        }
    }

Method d.a.a.a.i.a.d.a() calling method java.security.SecureRandom.<init>()


    /**
     * Two-argument variant of the HTTP Digest response builder: validates the challenge
     * parameters, selects a qop mode and a digest algorithm, and reads the user name and
     * password from the credentials.
     *
     * The listing stops after the password is read. No return statement and no
     * {@code java.security.SecureRandom} call are visible, so the call this report entry flags
     * lies in the part of the method that is not shown.
     * NOTE(review): presumably that call generates the client nonce; confirm against the full
     * decompiled method.
     *
     * Security notes grounded in the visible code:
     * - The digest algorithm name is taken from the challenge and defaults to "MD5".
     * - Any other name from the challenge is passed to MessageDigest.getInstance() as is.
     * - The password is read into a local variable in clear form.
     * MD5-based Digest authentication should not be relied on without TLS.
     *
     * This is decompiler output: declared local types are unreliable.
     *
     * @param p29 credentials; must be non-null per the check below
     * @param p30 the HTTP request being authenticated
     * @throws d.a.a.a.a.j if the challenge has no realm or nonce, or offers no supported qop
     */
    public d.a.a.a.e a(d.a.a.a.a.n p29, d.a.a.a.p p30)
    {
        // The map is created and discarded in this listing (likely a decompiler artifact).
        new java.util.concurrent.ConcurrentHashMap();
        // Argument checks; the string is presumably the name used in the failure message.
        a.b.f.a.H.b(p29, "Credentials");
        a.b.f.a.H.b(p30, "HTTP request");
        if (this.a("realm") == null) {
            throw new d.a.a.a.a.j("missing realm in challenge");
        } else {
            if (this.a("nonce") == null) {
                throw new d.a.a.a.a.j("missing nonce in challenge");
            } else {
                // Record the request method and URI alongside the challenge parameters.
                this.b.put("methodname", ((d.a.a.a.k.m) p30.getRequestLine()).b);
                this.b.put("uri", ((d.a.a.a.k.m) p30.getRequestLine()).c);
                if (this.a("charset") == null) {
                    this.b.put("charset", this.a(p30));
                }
                java.util.StringTokenizer v6_23 = this.a("uri");
                d.a.a.a.k.e v9_4 = this.a("realm");
                java.security.MessageDigest v10_6 = this.a("nonce");
                String v12_1 = this.a("opaque");
                d.a.a.a.k.l v7_14 = this.a("methodname");
                String v14 = this.a("algorithm");
                // No algorithm in the challenge: fall back to MD5.
                if (v14 == null) {
                    v14 = "MD5";
                }
                int v15_0;
                int v8_0;
                String v21;
                java.util.StringTokenizer v20;
                int v3_15 = new java.util.HashSet(8);
                String v11_13 = this.a("qop");
                String v18 = v12_1;
                String v13_0 = "auth";
                // v15_0 encodes the chosen qop: 0 = challenge had no qop, 1 = auth-int,
                // 2 = auth, -1 = nothing supported. v8_0 is always the -1 sentinel.
                if (v11_13 == null) {
                    v21 = "uri";
                    v20 = "qop";
                    v8_0 = -1;
                    v15_0 = 0;
                } else {
                    v20 = "qop";
                    v21 = "uri";
                    // Split the comma-separated qop list into a lower-cased, trimmed set.
                    int v15_2 = new java.util.StringTokenizer(v11_13, ",");
                    while (v15_2.hasMoreTokens()) {
                        String v22_1 = v15_2;
                        v3_15.add(v15_2.nextToken().trim().toLowerCase(java.util.Locale.ENGLISH));
                        v15_2 = v22_1;
                    }
                    // auth-int is chosen only when the request is a d.a.a.a.k and the server
                    // offered it; otherwise plain auth is used if offered.
                    if ((!(p30 instanceof d.a.a.a.k)) || (!v3_15.contains("auth-int"))) {
                        if (!v3_15.contains("auth")) {
                            v8_0 = -1;
                            v15_0 = -1;
                        } else {
                            v8_0 = -1;
                            v15_0 = 2;
                        }
                    } else {
                        v8_0 = -1;
                        v15_0 = 1;
                    }
                }
                if (v15_0 == v8_0) {
                    throw new d.a.a.a.a.j(c.a.a.a.a.a("None of the qop methods is supported: ", v11_13));
                } else {
                    String v5_0 = this.a("charset");
                    if (v5_0 == null) {
                        v5_0 = "ISO-8859-1";
                    }
                    String v11_1;
                    // "MD5-sess" uses the MD5 digest; any other name is used verbatim.
                    if (!v14.equalsIgnoreCase("MD5-sess")) {
                        v11_1 = v14;
                    } else {
                        v11_1 = "MD5";
                    }
                    String v24;
                    // The algorithm name originates from the challenge, i.e. from the server.
                    String v11_2 = java.security.MessageDigest.getInstance(v11_1);
                    String v12_0 = p29.getUserPrincipal().getName();
                    // Clear-text password held in a local; the listing ends here.
                    java.util.ArrayList v4_1 = p29.getPassword();
                }
            }
        }
    }

Method c.e.a.a.h.Ac.x() calling method java.security.SecureRandom.<init>()


    /**
     * Returns the instance's {@code java.security.SecureRandom}, creating it on first use and
     * caching it in {@code this.d}.
     *
     * The generator is created with the no-argument constructor, so it is seeded by the
     * platform. No synchronization is visible in this method.
     * NOTE(review): concurrent first calls could each create an instance; that wastes work but
     * does not weaken the generator.
     *
     * @return the cached SecureRandom instance
     */
    public final java.security.SecureRandom x()
    {
        // Call into the obfuscated helper b(); its purpose is not visible in this listing.
        this.b();
        if (this.d == null) {
            this.d = new java.security.SecureRandom();
        }
        return this.d;
    }

Method c.e.a.a.h.Ac.q() calling method java.security.SecureRandom.<init>()


    /**
     * Stores a random long from {@code java.security.SecureRandom} into {@code this.e}.
     *
     * A value of 0 is retried once. If the second draw is also 0, a message is logged and 0 is
     * stored anyway. The w() listing for this class switches to a time-seeded
     * {@code java.util.Random} whenever {@code this.e} holds 0, which is the fallback the log
     * message refers to. Two consecutive zero draws from SecureRandom are vanishingly unlikely,
     * so the weak path matters mainly when w() can run before this method has stored a value.
     * NOTE(review): confirm the call order of q() and w().
     *
     * This is decompiler output: the declared type of {@code v0_5} is an artifact; the object
     * is the SecureRandom created on that line.
     */
    public final void q()
    {
        // Call into the obfuscated helper b(); its purpose is not visible in this listing.
        this.b();
        c.e.a.a.h.Aa v0_5 = new java.security.SecureRandom();
        long v1 = v0_5.nextLong();
        // 0 is the value w() treats as "use the java.util.Random branch", so avoid storing it.
        if (v1 == 0) {
            v1 = v0_5.nextLong();
            if (v1 == 0) {
                this.o().h.a("Utils falling back to Random for random id");
            }
        }
        this.e.set(v1);
        return;
    }

Method com.razorpay.BaseUtils.getRandomString() calling method java.security.SecureRandom.<init>()


    /**
     * Returns a random string: 130 bits drawn from a new {@code java.security.SecureRandom},
     * rendered in base 32.
     *
     * The result has at most 26 characters and can be shorter, because BigInteger.toString()
     * omits leading zero digits. SecureRandom is the appropriate generator if the string is
     * used as an unpredictable identifier.
     * NOTE(review): a generator is constructed on every call; a shared instance would avoid
     * the repeated setup cost.
     *
     * @return the base-32 rendering of a 130-bit random non-negative integer
     */
    public static String getRandomString()
    {
        String v0_3 = new java.math.BigInteger(130, new java.security.SecureRandom()).toString(32);
        // Static field update that does not affect the return value; looks like
        // obfuscator-inserted state (confirm).
        com.razorpay.BaseUtils.d__1_ = ((com.razorpay.BaseUtils.a_$P$ + 89) % 128);
        return v0_3;
    }