Migrate Java Random to SecureRandom #1


Open: wants to merge 8 commits into base: master

Conversation

gitar-bot-staging[bot]

Migrate OkHttp from Random to SecureRandom for Enhanced Cryptographic Security

Description

This PR comprehensively migrates OkHttp from standard Random implementations to cryptographically secure SecureRandom implementations across all security-sensitive operations. The migration includes extensive performance monitoring tools and documentation to ensure security improvements don't compromise performance.

Motivation

  • Security Enhancement: Standard Random implementations are not cryptographically secure and can be predictable, creating vulnerabilities in security-sensitive operations like WebSocket frame masking, OAuth token generation, and SSL/TLS certificate handling
  • Compliance: Using SecureRandom aligns with security best practices for cryptographic operations and helps meet security compliance requirements

Key Changes

  • Core Migration: Converted all Random usage to SecureRandom across OkHttp components including WebSocket handling, connection pooling, and OAuth session management
  • Performance Monitoring: Added comprehensive performance monitoring utilities (RandomBenchmark, RandomMigrationMonitor, RandomMigrationUtility) to measure and optimize the security vs performance trade-offs
  • Testing Enhancement: Introduced property-based testing with jqwik to ensure robust validation of the migration
  • Documentation: Created detailed migration guide with performance optimization strategies

Impact

Files Changed (23 files, +2,101/-23 lines)

Core Changes

  • okhttp3/OkHttpClient.kt - Updated client-level random generation
  • okhttp3/internal/connection/RealConnectionPool.kt - Secured connection pool randomization
  • okhttp3/internal/ws/RealWebSocket.kt & WebSocketWriter.kt - Secured WebSocket frame masking
  • okhttp3/slack/OAuthSessionFactory.java - Secured OAuth session generation
  • okhttp3/sample/SampleServer.java - Updated sample implementations

New Performance & Testing Infrastructure

  • docs/random_migration_guide.md - Comprehensive migration documentation
  • internal/performance/RandomBenchmark.kt - Performance comparison tools
  • internal/performance/RandomMigrationMonitor.kt - Real-time monitoring
  • internal/performance/RandomMigrationUtility.kt - Migration utilities
  • Multiple property-based tests for validation

Test Plan

  • ✅ All existing tests pass with SecureRandom implementations
  • ✅ Added property-based tests using jqwik for comprehensive validation
  • ✅ Performance benchmarks confirm acceptable performance characteristics
  • ✅ Security contexts properly use cryptographically secure random generation

The migration maintains full backward compatibility while significantly improving the security posture of random number generation throughout OkHttp.

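The WebSocket frame-masking case from the PR description, as an added example that is not OkHttp's code and not part of this pull request. It shows the pattern the migration replaces (a masking key drawn from `java.util.Random`) beside the hardened form (`java.security.SecureRandom`), and applies the key with the XOR masking rule from RFC 6455. The class name, the `weakMaskKey`/`secureMaskKey`/`applyMask` helpers, the seed and the payload are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

/**
 * Added example (hypothetical, not OkHttp code): a client-to-server
 * WebSocket masking key generated with java.util.Random versus
 * java.security.SecureRandom, plus RFC 6455 masking to show the key in use.
 */
public final class MaskKeyExample {

    // RFC 6455: client-to-server frames carry a 4-byte masking key.
    private static final int MASK_KEY_LEN = 4;

    // One SecureRandom for the process. SecureRandom is safe for use by
    // multiple threads, and sharing an instance avoids re-seeding per frame,
    // which is the usual source of the "SecureRandom is slow" complaint.
    private static final SecureRandom SECURE = new SecureRandom();

    /** Before the migration: every key is a deterministic function of the 48-bit seed. */
    static byte[] weakMaskKey(Random random) {
        byte[] key = new byte[MASK_KEY_LEN];
        random.nextBytes(key);
        return key;
    }

    /** After the migration: key bytes come from the platform CSPRNG. */
    static byte[] secureMaskKey() {
        byte[] key = new byte[MASK_KEY_LEN];
        SECURE.nextBytes(key);
        return key;
    }

    /** RFC 6455 section 5.3: out[i] = payload[i] XOR key[i mod 4]; masking and unmasking are the same operation. */
    static byte[] applyMask(byte[] payload, byte[] key) {
        if (key.length != MASK_KEY_LEN) {
            throw new IllegalArgumentException("masking key must be " + MASK_KEY_LEN + " bytes");
        }
        byte[] out = new byte[payload.length];
        for (int i = 0; i < payload.length; i++) {
            out[i] = (byte) (payload[i] ^ key[i % MASK_KEY_LEN]);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample payload.
        byte[] payload = "hello".getBytes(StandardCharsets.US_ASCII);

        // Two java.util.Random instances with the same seed yield the same key:
        // whoever knows the seed knows every key, which is why it is unfit here.
        byte[] k1 = weakMaskKey(new Random(42L));
        byte[] k2 = weakMaskKey(new Random(42L));
        System.out.println("java.util.Random, same seed, same key: " + Arrays.equals(k1, k2));

        // SecureRandom keys are independent draws from the CSPRNG.
        byte[] s1 = secureMaskKey();
        byte[] s2 = secureMaskKey();
        System.out.println("SecureRandom, two keys equal: " + Arrays.equals(s1, s2));

        // The key masks and unmasks symmetrically.
        byte[] masked = applyMask(payload, s1);
        byte[] unmasked = applyMask(masked, s1);
        System.out.println("mask round trip restores payload: " + Arrays.equals(payload, unmasked));
    }
}
```

The design point worth carrying into a migration like this one: keep a single long-lived `SecureRandom` per component rather than constructing one per frame or per call, so the security gain does not turn into the per-call seeding cost that the PR's benchmark utilities are meant to measure.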

1 participant