Proper way to reimplement openssl_random_pseudo_bytes function in Java

Question

I need re-implement behaviour of PHP function openssl_random_pseudo_bytes, which is according to its description:

openssl_random_pseudo_bytes — Generate a pseudo-random string of bytes

As it is just pseudo-random string of bytes, and as I need hex representation of it, I could use just this function. But there is also additional parameter:

crypto_strong

If passed into the function, this will hold a boolean value that determines if the algorithm used was "cryptographically strong", e.g., safe for usage with GPG, passwords, etc. TRUE if it did, otherwise FALSE

So core of my question is: what exactly does this crypto_strong parameter? How I should correctly re-implement this behaviour?

NB! Can I just use java.security.SecureRandom() class for this purposes?

Answer 1

The function openssl_random_pseudo_bytes($length, &$crypto_strong) indicates in the second parameter receives an indication if the generated bytes are cryptographically strong.

This code seems to be used as:

openssl_random_pseudo_bytes(XX, true)

which doesn't make sense, as it is seemingly treated as an input parameter rather than the output parameter that it is.

On (embedded) devices without good entropy source to seed the RNG, it may be that the crypto_strong parameter is set to false by the function. Obviously it is impossible to set true to false so this will fail; i.e. it's a bug in the PHP code (apparently not caught by the rather permissive type system of PHP itself).

---

The programmer of PHP probably tried to indicate that cryptographically strong PRNG is required. So new SecureRandom() seems indeed the best way to go.