[feat] remove SHA1PRNG fallback: use default SecureRandom

kares · kares · commit e00321016c80 · 2026-04-05T14:35:36.000+02:00
ehen the preferred PRNG (NativePRNGNonBlocking) is unavailable, fall
through directly to new SecureRandom() which lets the JDK pick the best
available provider
diff --git a/src/main/java/org/jruby/ext/openssl/Random.java b/src/main/java/org/jruby/ext/openssl/Random.java
@@ -160,7 +160,7 @@ private static void setSecureRandom(ThreadContext context, java.security.SecureR
             }
             // setting it to "" (empty) or "default" should just use new SecureRandom() :
             if (prng.isEmpty() || prng.equalsIgnoreCase("default")) {
-                prng = null; tryPreferredPRNG = false; trySHA1PRNG = false;
+                prng = null; tryPreferredPRNG = false;
             }
 
             PREFERRED_PRNG = prng;
@@ -177,7 +177,6 @@ private static void setSecureRandom(ThreadContext context, java.security.SecureR
         }
 
         private static boolean tryPreferredPRNG = true;
-        private static boolean trySHA1PRNG = true;
         private static boolean tryStrongPRNG = false; // NOT-YET-IMPLEMENTED
 
         // copied from JRuby (not available in all 1.7.x) :
@@ -194,17 +193,6 @@ public java.security.SecureRandom getSecureRandomImpl() {
                 }
             }
 
-            // Try SHA1PRNG
-            if (secureRandom == null && trySHA1PRNG) {
-                try {
-                    secureRandom = java.security.SecureRandom.getInstance("SHA1PRNG");
-                }
-                catch (Exception e) {
-                    trySHA1PRNG = false;
-                    OpenSSL.debug("SecureRandom SHA1PRNG failed:", e);
-                }
-            }
-
             // Just let JDK do whatever it does
             if (secureRandom == null) {
                 secureRandom = new java.security.SecureRandom();
diff --git a/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java b/src/main/java/org/jruby/ext/openssl/x509store/PEMInputOutput.java
@@ -1213,12 +1213,7 @@ private static void writePemEncrypted(final BufferedWriter out,
 
     private static SecureRandom secureRandom() {
         if ( random == null ) {
-            try {
-                random = SecureRandom.getInstance("SHA1PRNG");
-            }
-            catch (NoSuchAlgorithmException e) {
-                random = new SecureRandom();
-            }
+            random = new SecureRandom();
         }
         return random;
     }

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ private static void setSecureRandom(ThreadContext context, java.security.SecureR`
`160`	`160`	`}`
`161`	`161`	`// setting it to "" (empty) or "default" should just use new SecureRandom() :`
`162`	`162`	`if (prng.isEmpty() \|\| prng.equalsIgnoreCase("default")) {`
`163`		`- prng = null; tryPreferredPRNG = false; trySHA1PRNG = false;`
	`163`	`+ prng = null; tryPreferredPRNG = false;`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`PREFERRED_PRNG = prng;`
`@@ -177,7 +177,6 @@ private static void setSecureRandom(ThreadContext context, java.security.SecureR`
`177`	`177`	`}`
`178`	`178`
`179`	`179`	`private static boolean tryPreferredPRNG = true;`
`180`		`- private static boolean trySHA1PRNG = true;`
`181`	`180`	`private static boolean tryStrongPRNG = false; // NOT-YET-IMPLEMENTED`
`182`	`181`
`183`	`182`	`// copied from JRuby (not available in all 1.7.x) :`
`@@ -194,17 +193,6 @@ public java.security.SecureRandom getSecureRandomImpl() {`
`194`	`193`	`}`
`195`	`194`	`}`
`196`	`195`
`197`		`- // Try SHA1PRNG`
`198`		`- if (secureRandom == null && trySHA1PRNG) {`
`199`		`- try {`
`200`		`- secureRandom = java.security.SecureRandom.getInstance("SHA1PRNG");`
`201`		`- }`
`202`		`- catch (Exception e) {`
`203`		`- trySHA1PRNG = false;`
`204`		`- OpenSSL.debug("SecureRandom SHA1PRNG failed:", e);`
`205`		`- }`
`206`		`- }`
`207`		`-`
`208`	`196`	`// Just let JDK do whatever it does`
`209`	`197`	`if (secureRandom == null) {`
`210`	`198`	`secureRandom = new java.security.SecureRandom();`
Original file line number	Diff line number	Diff line change
`@@ -1213,12 +1213,7 @@ private static void writePemEncrypted(final BufferedWriter out,`
`1213`	`1213`
`1214`	`1214`	`private static SecureRandom secureRandom() {`
`1215`	`1215`	`if ( random == null ) {`
`1216`		`- try {`
`1217`		`- random = SecureRandom.getInstance("SHA1PRNG");`
`1218`		`- }`
`1219`		`- catch (NoSuchAlgorithmException e) {`
`1220`		`- random = new SecureRandom();`
`1221`		`- }`
	`1216`	`+ random = new SecureRandom();`
`1222`	`1217`	`}`
`1223`	`1218`	`return random;`
`1224`	`1219`	`}`