== How to fix it in Java Cryptographic Extension

=== Code examples

==== Noncompliant code example

[source,kotlin,diff-id=1,diff-type=noncompliant]
----
import java.nio.charset.StandardCharsets
import java.security.InvalidAlgorithmParameterException
import java.security.InvalidKeyException
import java.security.NoSuchAlgorithmException
import javax.crypto.Cipher
import javax.crypto.NoSuchPaddingException
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

fun encrypt(key: String, plainText: String) {

    val randomBytes = "7cVgr5cbdCZVw5WY".toByteArray(StandardCharsets.UTF_8)

    val iv      = GCMParameterSpec(128, randomBytes)
    val keySpec = SecretKeySpec(key.toByteArray(StandardCharsets.UTF_8), "AES")

    try {
        val cipher = Cipher.getInstance("AES/CBC/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, iv) // Noncompliant

    } catch (e: NoSuchAlgorithmException) {
        // ...
    } catch (e: InvalidKeyException) {
        // ...
    } catch (e: NoSuchPaddingException) {
        // ...
    } catch (e: InvalidAlgorithmParameterException) {
        // ...
    }
}
----

==== Compliant solution

:explicit_strong: java.security.SecureRandom

include::../../common/fix/explicit-fix.adoc[]

[source,kotlin,diff-id=1,diff-type=compliant]
----
import java.nio.charset.StandardCharsets
import java.security.SecureRandom
import java.security.InvalidAlgorithmParameterException
import java.security.InvalidKeyException
import java.security.NoSuchAlgorithmException
import javax.crypto.Cipher
import javax.crypto.NoSuchPaddingException
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

fun encrypt(key: String, plainText: String) {

    val random      = SecureRandom();
    val randomBytes = ByteArray(16);
    random.nextBytes(randomBytes);

    val iv      = GCMParameterSpec(128, randomBytes)
    val keySpec = SecretKeySpec(key.toByteArray(StandardCharsets.UTF_8), "AES")

    try {
        val cipher = Cipher.getInstance("AES/CBC/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, iv)

    } catch (e: NoSuchAlgorithmException) {
        // ...
    } catch (e: InvalidKeyException) {
        // ...
    } catch (e: NoSuchPaddingException) {
        // ...
    } catch (e: InvalidAlgorithmParameterException) {
        // ...
    }
}
----

=== How does this work?

include::../../common/fix/fix.adoc[]