You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Gary D. Gregory (Jira)" <ji...@apache.org> on 2022/12/12 22:22:00 UTC

[jira] [Commented] (CRYPTO-160) Package-private class JavaCryptoRandom extends Random but should not

    [ https://issues.apache.org/jira/browse/CRYPTO-160?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17646350#comment-17646350 ] 

Gary D. Gregory commented on CRYPTO-160:
----------------------------------------

Note that while it is true that {{JavaCryptoRandom}} extends {{Random}} and does not need to; an app casting a {{CryptoRandom}} to a {{Random}} is IMO out of bounds and unsupported since it is not documented and the app has to force the cast. This was not the intended use case anyway. The next release will not extend {{Random}} and still maintain binary compatibility since the class is package-private.

> Package-private class JavaCryptoRandom extends Random but should not
> --------------------------------------------------------------------
>
>                 Key: CRYPTO-160
>                 URL: https://issues.apache.org/jira/browse/CRYPTO-160
>             Project: Commons Crypto
>          Issue Type: Bug
>            Reporter: Adrian Anderson
>            Priority: Major
>             Fix For: 1.2.0
>
>
> The CryptoRandom implementation class JavaCryptoRandom extends java.util.Random when they don't need to and without re-implementing the "protected int next(int bits)" method. 
> The issue is that if a developer were to use the CryptoRandomFactory to create a JavaCryptoRandom instance and  to Random wanting to use as a replacement for code using an instance of Random in existing code the implementation would fall back to the java.util.Random (inherited) implementation rather than the CryptoRandom (encapsulated) implementation. For example
> {{CryptoRandom cryptoRandom = CryptoRandomFactory.getCryptoRandom(); //instance of JavaCryptoRandom}}
> {{Random rand = (Random)cryptoRandom;}}
> {{long randomLong = rand.nextLong(); //returns java.util.Random.nextLong(), circumventing SecureRandom}}
> A simple solution would be to override the "protected int next(int bits)" method within JavaCryptoRandom to invoke the SecureRandom "next(int bits)" implementation. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)