[ https://issues.apache.org/jira/browse/CRYPTO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary D. Gregory updated CRYPTO-160:
-----------------------------------

    Summary: Package-private class JavaCryptoRandom extends Random but should not  (was: Package-private class JavaCryptoRandom extends Random)

> Package-private class JavaCryptoRandom extends Random but should not
> --------------------------------------------------------------------
>
>                 Key: CRYPTO-160
>                 URL: https://issues.apache.org/jira/browse/CRYPTO-160
>             Project: Commons Crypto
>          Issue Type: Bug
>            Reporter: Adrian Anderson
>            Priority: Major
>             Fix For: 1.1.1
>
>
> The CryptoRandom implementation class JavaCryptoRandom extends java.util.Random when it does not need to, and without re-implementing the "protected int next(int bits)" method.
>
> The issue is that if a developer were to use the CryptoRandomFactory to create a JavaCryptoRandom instance and cast it to Random, wanting to use it as a replacement for an instance of Random in existing code, the implementation would fall back to the java.util.Random (inherited) implementation rather than the CryptoRandom (encapsulated) implementation.
>
> For example:
>
> {{CryptoRandom cryptoRandom = CryptoRandomFactory.getCryptoRandom(); //instance of JavaCryptoRandom}}
> {{Random rand = (Random)cryptoRandom;}}
> {{long randomLong = rand.nextLong(); //returns java.util.Random.nextLong(), circumventing SecureRandom}}
>
> A simple solution would be to override the "protected int next(int bits)" method within JavaCryptoRandom to invoke the SecureRandom "next(int bits)" implementation.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
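The mechanism behind the report, as an added illustration that is not Commons Crypto code: every convenience method of java.util.Random (nextInt, nextLong, nextDouble, nextBoolean, nextGaussian) bottoms out in the protected next(int bits), so a subclass that wraps a SecureRandom but leaves next(int) inherited serves its callers from the seeded linear congruential generator. The classes LeakyRandom, FixedRandom and RandomInheritanceCheck below are hypothetical stand-ins for the pattern; the seed 42 is a constructed value used only to make the fallback visible, since two instances seeded identically will then emit identical nextLong() streams. The overridesNext helper is a reflection check a reviewer can run against any Random subclass to see whether next(int) was actually overridden.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Hypothetical wrapper with the defect: nextBytes is delegated, next(int) is not. */
class LeakyRandom extends Random {
    private final SecureRandom secure = new SecureRandom();

    LeakyRandom(long seed) { super(seed); }

    @Override
    public void nextBytes(byte[] bytes) { secure.nextBytes(bytes); }
    // nextLong(), nextInt(), nextDouble() ... still use java.util.Random.next(int).
}

/** Hypothetical corrected wrapper: next(int) routes every derived method to SecureRandom. */
class FixedRandom extends Random {
    private final SecureRandom secure = new SecureRandom();

    FixedRandom(long seed) { super(seed); }

    @Override
    public void nextBytes(byte[] bytes) { secure.nextBytes(bytes); }

    @Override
    protected int next(int bits) {
        // Contract of Random.next: return an int holding 'bits' random bits (1..32).
        // SecureRandom.next is protected, so take 32 secure bits and keep the top 'bits'.
        return secure.nextInt() >>> (32 - bits);
    }
}

public class RandomInheritanceCheck {

    /** True when some class between c and java.util.Random declares next(int). */
    static boolean overridesNext(Class<?> c) {
        for (Class<?> k = c; k != null && k != Random.class; k = k.getSuperclass()) {
            try {
                k.getDeclaredMethod("next", int.class);
                return true;
            } catch (NoSuchMethodException ignored) {
                // keep walking up the hierarchy
            }
        }
        return false;
    }

    /** True when two generators produce the same first n nextLong() values. */
    static boolean sameStream(Random a, Random b, int n) {
        for (int i = 0; i < n; i++) {
            if (a.nextLong() != b.nextLong()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        final long seed = 42L; // constructed seed, only to expose the deterministic fallback

        System.out.println("LeakyRandom overrides next(int): " + overridesNext(LeakyRandom.class));
        System.out.println("FixedRandom overrides next(int): " + overridesNext(FixedRandom.class));
        System.out.println("SecureRandom overrides next(int): " + overridesNext(SecureRandom.class));

        // Two identically seeded LeakyRandom instances agree: nextLong() came from the LCG.
        System.out.println("LeakyRandom streams identical: "
                + sameStream(new LeakyRandom(seed), new LeakyRandom(seed), 8));

        // Two identically seeded FixedRandom instances disagree: the seed is ignored.
        System.out.println("FixedRandom streams identical: "
                + sameStream(new FixedRandom(seed), new FixedRandom(seed), 8));
    }
}
```

When run, the leaky pair reports identical streams and the fixed pair does not, which is exactly the distinction a reviewer wants before accepting a Random subclass as a drop-in for SecureRandom. The reflection check is cheap enough to keep in a unit test for any class that claims to wrap a CSPRNG while extending java.util.Random.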