Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
The CryptoRandom implementation class JavaCryptoRandom extends java.util.Random when they don't need to and without re-implementing the "protected int next(int bits)" method.
The issue is that if a developer were to use the CryptoRandomFactory to create a JavaCryptoRandom instance and to Random wanting to use as a replacement for code using an instance of Random in existing code the implementation would fall back to the java.util.Random (inherited) implementation rather than the CryptoRandom (encapsulated) implementation. For example
CryptoRandom cryptoRandom = CryptoRandomFactory.getCryptoRandom(); //instance of JavaCryptoRandom
Random rand = (Random)cryptoRandom;
long randomLong = rand.nextLong(); //returns java.util.Random.nextLong(), circumventing SecureRandom
A simple solution would be to override the "protected int next(int bits)" method within JavaCryptoRandom to invoke the SecureRandom "next(int bits)" implementation.