Adrian Anderson created CRYPTO-160:
--------------------------------------

             Summary: CryptoRandom implementation classes unnecessarily extend Random
                 Key: CRYPTO-160
                 URL: https://issues.apache.org/jira/browse/CRYPTO-160
             Project: Commons Crypto
          Issue Type: Bug
            Reporter: Adrian Anderson


The CryptoRandom implementation class JavaCryptoRandom extends java.util.Random 
when it doesn't need to, and without re-implementing the "protected int next(int 
bits)" method. 
The issue is that if a developer were to use the CryptoRandomFactory to create 
a JavaCryptoRandom instance and cast it to Random, wanting to use it as a 
replacement in existing code that uses an instance of Random, the implementation 
would fall back to the java.util.Random (inherited) implementation rather than 
the CryptoRandom (encapsulated) implementation. For example:

{{CryptoRandom cryptoRandom = CryptoRandomFactory.getCryptoRandom(); //instance of JavaCryptoRandom}}

{{Random rand = (Random)cryptoRandom;}}

{{long randomLong = rand.nextLong(); //returns java.util.Random.nextLong(), circumventing SecureRandom}}

A simple solution would be to override the "protected int next(int bits)" 
method within JavaCryptoRandom to invoke the SecureRandom "next(int bits)" 
implementation. 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
