pseudo_bytes should use SecureRandom to match CRuby behavior

kares · claude · kares · commit e49a4d9160f5 · 2026-04-05T14:33:38.000+02:00
CRuby's OpenSSL::Random.pseudo_bytes is an alias for random_bytes (both
call RAND_bytes). JRuby was using java.util.Random which is not
cryptographically secure, silently weakening randomness for applications
porting from CRuby.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/org/jruby/ext/openssl/Random.java b/src/main/java/org/jruby/ext/openssl/Random.java
@@ -289,7 +289,8 @@ private static RubyString random_bytes(final ThreadContext context,
     @JRubyMethod(meta = true)
     public static RubyString pseudo_bytes(final ThreadContext context,
         final IRubyObject self, final IRubyObject len) {
-        return generate(context, self, toInt(context.runtime, len), false); // plain-random
+        // NOTE: CRuby's pseudo_bytes is an alias for random_bytes (both use RAND_bytes)
+        return generate(context, self, toInt(context.runtime, len), true); // secure-random
     }
 
     private static int toInt(final Ruby runtime, final IRubyObject arg) {

Original file line number	Diff line number	Diff line change
`@@ -289,7 +289,8 @@ private static RubyString random_bytes(final ThreadContext context,`
`289`	`289`	`@JRubyMethod(meta = true)`
`290`	`290`	`public static RubyString pseudo_bytes(final ThreadContext context,`
`291`	`291`	`final IRubyObject self, final IRubyObject len) {`
`292`		`- return generate(context, self, toInt(context.runtime, len), false); // plain-random`
	`292`	`+ // NOTE: CRuby's pseudo_bytes is an alias for random_bytes (both use RAND_bytes)`
	`293`	`+ return generate(context, self, toInt(context.runtime, len), true); // secure-random`
`293`	`294`	`}`
`294`	`295`
`295`	`296`	`private static int toInt(final Ruby runtime, final IRubyObject arg) {`