Adrian Anderson created CRYPTO-160:
--------------------------------------

Summary: CryptoRandom implementation classes unnecessarily extend Random
Key: CRYPTO-160
URL: https://issues.apache.org/jira/browse/CRYPTO-160
Project: Commons Crypto
Issue Type: Bug
Reporter: Adrian Anderson

The CryptoRandom implementation class JavaCryptoRandom extends java.util.Random when they don't need to and without re-implementing the "protected int next(int bits)" method.

The issue is that if a developer were to use the CryptoRandomFactory to create a JavaCryptoRandom instance and to Random wanting to use as a replacement for code using an instance of Random in existing code the implementation would fall back to the java.util.Random (inherited) implementation rather than the CryptoRandom (encapsulated) implementation.

For example

{{CryptoRandom cryptoRandom = CryptoRandomFactory.getCryptoRandom(); //instance of JavaCryptoRandom}}
{{Random rand = (Random)cryptoRandom;}}
{{long randomLong = rand.nextLong(); //returns java.util.Random.nextLong(), circumventing SecureRandom}}

A simple solution would be to override the "protected int next(int bits)" method within JavaCryptoRandom to invoke the SecureRandom "next(int bits)" implementation.

--
This message was sent by Atlassian Jira (v8.20.7#820007)
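
The behaviour described in this report, as an added example that is not part of the original message or of Commons Crypto: `WrappedRandom` and `FixedWrappedRandom` are hypothetical stand-ins for a class that extends `java.util.Random` around a `SecureRandom`, and `CountingSecureRandom` exists only to show whether the delegate was consulted. Because `SecureRandom.next(int)` is protected, the override here assembles its bits from `nextBytes`, which is an assumption about how such a fix could be written.

```java
import java.security.SecureRandom;
import java.util.Random;

public class Crypto160Demo {
    /** SecureRandom that counts requests for bytes (demo instrumentation only). */
    static class CountingSecureRandom extends SecureRandom {
        int calls;
        @Override public void nextBytes(byte[] bytes) {
            calls++;
            super.nextBytes(bytes);
        }
    }

    /** Hypothetical stand-in for the reported pattern: extends Random, wraps SecureRandom. */
    static class WrappedRandom extends Random {
        protected final SecureRandom delegate;
        WrappedRandom(SecureRandom delegate) { this.delegate = delegate; }
        @Override public void nextBytes(byte[] bytes) { delegate.nextBytes(bytes); }
        // next(int) is not overridden, so nextInt/nextLong/nextDouble use Random's own generator.
    }

    /** The same class with next(int) routed to the encapsulated SecureRandom. */
    static class FixedWrappedRandom extends WrappedRandom {
        FixedWrappedRandom(SecureRandom delegate) { super(delegate); }
        @Override protected int next(int bits) {
            byte[] b = new byte[4];
            delegate.nextBytes(b);
            int v = ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16)
                  | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
            return v >>> (32 - bits); // keep the top `bits` bits, as Random.next requires
        }
    }

    /** Uses the object through a plain Random reference and reports delegate usage. */
    static int delegateCallsFor(Random rand, CountingSecureRandom source) {
        source.calls = 0;
        rand.nextLong();
        rand.nextInt();
        rand.nextDouble();
        return source.calls;
    }

    public static void main(String[] args) {
        CountingSecureRandom a = new CountingSecureRandom();
        CountingSecureRandom b = new CountingSecureRandom();
        System.out.println("unpatched delegate calls: " + delegateCallsFor(new WrappedRandom(a), a));
        System.out.println("patched delegate calls:   " + delegateCallsFor(new FixedWrappedRandom(b), b));
    }
}
```

A delegate call count of zero for the unpatched class means every value handed to the caller came from the inherited `java.util.Random` generator; the same counting wrapper can serve as a regression check for any `Random` subclass that is meant to be backed by `SecureRandom`.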