Android Chromoting: Initialize SecureRandom generator.

remoting/android/java/src/org/chromium/chromoting/ThirdPartyTokenFetcher.java

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.chromoting;
 
+import android.annotation.SuppressLint;
 import android.app.Activity;
 import android.content.ActivityNotFoundException;
 import android.content.ComponentName;
 import android.content.Intent;
 import android.content.pm.PackageManager;
 import android.net.Uri;
 import android.text.TextUtils;
 import android.util.Base64;
 import android.util.Log;
 
+import java.io.IOException;
 import java.security.SecureRandom;
 import java.util.ArrayList;
 
 /**
  * This class is responsible for fetching a third party token from the user using the OAuth2
  * implicit flow.  It directs the user to a third party login page located at |tokenUrl|.  It relies
  * on the |ThirdPartyTokenFetcher$OAuthRedirectActivity| to intercept the access token from the
  * redirect at intent://|REDIRECT_URI_PATH|#Intent;...end; upon successful login.
  */
 public class ThirdPartyTokenFetcher {
     /** Callback for receiving the token. */
     public interface Callback {
         void onTokenFetched(String code, String accessToken);
     }
 
     /** The path of the Redirect URI. */
     private static final String REDIRECT_URI_PATH = "/oauthredirect/";
 
     /**
      * Request both the authorization code and access token from the server.  See
      * http://tools.ietf.org/html/rfc6749#section-3.1.1.
      */
     private static final String RESPONSE_TYPE = "code token";
 
     /** This is used to securely generate an opaque 128 bit for the |mState| variable. */
-    private static SecureRandom sSecureRandom = new SecureRandom();
+    @SuppressLint("TrulyRandom")
+    private static SecureRandom sSecureRandom;
+
+    // TODO(lambroslambrou): Refactor this class to only initialize a PRNG when ThirdPartyAuth is
+    // actually used.
+    static {
+        sSecureRandom = new SecureRandom();
+        try {
+            SecureRandomInitializer.initialize(sSecureRandom);

[palmer, 2014/08/18 17:47:52]

I almost wonder if the interface should instead be:

    sSecureRandom = SecureRandomInitializer.getInstance();

[Lambros, 2014/08/18 20:31:31]

I thought about that, but there are a lot of SecureRandom ctors and factory
methods to override. I'm open to persuasion though - maybe there should be One
True Way for all of Chromium code to get a SecureRandom object?

+        } catch (IOException e) {
+            throw new RuntimeException("Failed to initialize PRNG: " + e);
+        }
+    }
 
     /** This is used to launch the third party login page in the browser. */
     private Activity mContext;
 
     /**
      * An opaque value used by the client to maintain state between the request and callback.  The
      * authorization server includes this value when redirecting the user-agent back to the client.
      * The parameter is used for preventing cross-site request forgery. See
      * http://tools.ietf.org/html/rfc6749#section-10.12.
      */
@@ skipping 165 matching lines @@
             ComponentName component = new ComponentName(
                     context.getApplicationContext(),
                     ThirdPartyTokenFetcher.OAuthRedirectActivity.class);
             context.getPackageManager().setComponentEnabledSetting(
                     component,
                     enabledState,
                     PackageManager.DONT_KILL_APP);
         }
     }
 }