From f5e17350d12f7abb149910d56e25a32f4487618e Mon Sep 17 00:00:00 2001
From: Jochen Wiedmann <jochen.wiedmann@gmail.com>
Date: Fri, 10 Jun 2022 10:25:46 +0200
Subject: [PATCH] CRYPTO-160: Improve quality for methods, that
 JavaCryptoRandom inherits from Random.

---
 pom.xml                                       |  2 +-
 src/changes/changes.xml                       | 22 ++++++++----------
 .../crypto/random/JavaCryptoRandom.java       | 20 ++++++++++++++++
 .../crypto/random/JavaCryptoRandomTest.java   | 23 ++++++++++++++++++-
 4 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/pom.xml b/pom.xml
index 29bf1dff3..53a2d1627 100644
--- a/pom.xml
+++ b/pom.xml
@@ -585,7 +585,7 @@ The following provides more details on the included cryptographic software:
               <goal>run</goal>
             </goals>
             <configuration>
-              <target name="make">
+              <target name="make" unless="maven.make.skip">
                 <taskdef resource="net/sf/antcontrib/antcontrib.properties" classpathref="maven.plugin.classpath" />
                 <exec executable="make" failonerror="true" dir="${project.basedir}">
                   <env key="VERSION" value="${project.version}" />
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index e99c571d4..9643f8568 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -62,6 +62,7 @@
 
   <body>
     <release version="1.1.1" date="20YY-MM-DD" description="TBD">
+      <action issue="CRYPTO-160" type="fix" dev="jochen">Enhance the quality of JavaCryptoRandom as a subclass of Random by overwriting Random.next(inz).</action>
       <!-- FIX -->
       <action issue="CRYPTO-154" type="fix">License header should be plain a comment #113.</action>
       <action                    type="fix" dev="ggregory" due-to="Arturo Bernal">Fix PMD warning and don't init to defaults #128.</action>
@@ -69,28 +70,25 @@
       <action                    type="fix" dev="ggregory" due-to="Gary Gregory">Port from pre-Java 8 javah tool to Java 8 and up javac with the -h option.</action>
       <action                    type="fix" dev="ggregory" due-to="Gary Gregory">Fix build on Java 11.</action>
       <action                    type="fix" dev="ggregory" due-to="Gary Gregory">Fix build on Java 17.</action>
-      <!-- ADD -->
-      <action                    type="fix" dev="ggregory" due-to="Gary Gregory, Dependabot">Add github/codeql-action 2 #159.</action>
       <!-- UPDATE -->
-      <action                    type="update" dev="ggregory" due-to="Dependabot, Gary Gregory">Bump actions/cache from 2.1.7 to 3.0.4 #150.</action>
       <action                    type="update" dev="ggregory" due-to="Dependabot">Bump actions/checkout from 2 to 3 #149.</action>
+      <action                    type="update" dev="ggregory" due-to="Dependabot, Gary Gregory">Bump actions/cache from 2.1.7 to 3.0.3 #150.</action>
       <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump actions/setup-java from 2 to 3.</action>
+      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Update commons.jacoco.version 0.8.5 to 0.8.7 (Fixes Java 15 builds).</action>
       <action issue="CRYPTO-155" type="update" due-to="Arturo Bernal">Minor improvement #115, #125.</action>
       <action issue="CRYPTO-151" type="update" due-to="Arturo Bernal">Migrate to Junit 5 #114.</action>
       <action                    type="update" dev="ggregory" due-to="Dependabot">Bump jna from 5.5.0 to 5.11.0 #123, #139, #153.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.japicmp.version from 0.14.3 to 0.15.7.</action>
+      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Update commons.japicmp.version 0.14.3 -> 0.15.7.</action>
       <action                    type="update" dev="ggregory" due-to="Dependabot">Bump maven-checkstyle-plugin from 3.1.1 to 3.1.2 #130.</action>
-      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump jmh.version from 1.12 to 1.35 #119, #157.</action>
+      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump jmh.version from 1.12 to 1.34 #119.</action>
       <action                    type="update" dev="ggregory" due-to="Dependabot">Bump exec-maven-plugin from 1.6.0 to 3.0.0 #121.</action>
-      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump maven-antrun-plugin from 1.8 to 3.1.0 #120, #158.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.japicmp.version from 0.15.2 to 0.15.7 #138.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump jacoco-maven-plugin from 0.6.6 to 0.8.8 #138, #154.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.javadoc.version from 3.2.0 to 3.4.0 #138.</action>
+      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump maven-antrun-plugin from 1.8 to 3.0.0 #120.</action>
+      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.japicmp.version 0.15.2 -> 0.15.7 #138.</action>
+      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump jacoco-maven-plugin 0.6.6 -> 0.8.8 #138, #154.</action>
+      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.javadoc.version 3.2.0 -> 3.3.2 #138.</action>
       <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump maven-pmd-plugin from 3.14.0 to 3.16.0 #140.</action>
       <action                    type="update" dev="ggregory" due-to="Dependabot">Bump taglist-maven-plugin from 2.4 to 3.0.0 #147.</action>
-      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump spotbugs-maven-plugin from 4.5.3.0 to 4.7.0.0 #152, #160.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-parent from 52 to 53.</action>
-      <action                    type="update" dev="ggregory" due-to="Gary Gregory">Bump commons.surefire.version from 3.0.0-M5 to 3.0.0-M7.</action>
+      <action                    type="update" dev="ggregory" due-to="Dependabot">Bump spotbugs-maven-plugin from 4.5.3.0 to 4.6.0.0 #152.</action>
     </release>
     <release version="1.1.0" date="2020-08-28" description="Minor release (Java 8 and OpenSSL 1.1.1)">
       <action issue="CRYPTO-59" type="add">Support Galois/Counter Mode (GCM).</action>
diff --git a/src/main/java/org/apache/commons/crypto/random/JavaCryptoRandom.java b/src/main/java/org/apache/commons/crypto/random/JavaCryptoRandom.java
index 519eb65d5..5e65cea63 100644
--- a/src/main/java/org/apache/commons/crypto/random/JavaCryptoRandom.java
+++ b/src/main/java/org/apache/commons/crypto/random/JavaCryptoRandom.java
@@ -22,6 +22,8 @@
 import java.util.Properties;
 import java.util.Random;
 
+import org.apache.commons.crypto.utils.Utils;
+
 /**
  * A CryptoRandom of Java implementation.
  */
@@ -76,4 +78,22 @@ public void close() {
     public void nextBytes(final byte[] bytes) {
         instance.nextBytes(bytes);
     }
+
+    /**
+     * Overrides Random#next(). Generates an integer containing the
+     * user-specified number of random bits(right justified, with leading
+     * zeros).
+     *
+     * @param numBits number of random bits to be generated, where 0
+     *        {@literal <=} {@code numBits} {@literal <=} 32.
+     * @return int an {@code int} containing the user-specified number of
+     *         random bits (right justified, with leading zeros).
+     */
+    @Override
+    protected int next(final int numBits) {
+        Utils.checkArgument(numBits >= 0 && numBits <= 32);
+		// Can't simply invoke instance.next(bits) here, because that is package protected.
+		// But, this should do.
+		return  instance.nextInt() >>> (Integer.SIZE - numBits);
+    }
 }
diff --git a/src/test/java/org/apache/commons/crypto/random/JavaCryptoRandomTest.java b/src/test/java/org/apache/commons/crypto/random/JavaCryptoRandomTest.java
index 0f942c2e7..12f29ae90 100644
--- a/src/test/java/org/apache/commons/crypto/random/JavaCryptoRandomTest.java
+++ b/src/test/java/org/apache/commons/crypto/random/JavaCryptoRandomTest.java
@@ -17,13 +17,19 @@
  */
 package org.apache.commons.crypto.random;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.security.GeneralSecurityException;
 import java.util.Properties;
+import java.util.Random;
 
-public class JavaCryptoRandomTest extends AbstractRandomTest {
+import org.apache.commons.crypto.utils.Utils;
+import org.junit.jupiter.api.Test;
 
+public class JavaCryptoRandomTest extends AbstractRandomTest {
     @Override
     public CryptoRandom getCryptoRandom() throws GeneralSecurityException {
         final Properties props = new Properties();
@@ -37,4 +43,19 @@ public CryptoRandom getCryptoRandom() throws GeneralSecurityException {
         return random;
     }
 
+    @Test
+    public void testNextIntIsntActuallyRandomNextInt() throws Exception {
+    	final CryptoRandom cr = getCryptoRandom();
+    	final Random r = (Random) cr;
+    	final long seed = 1654421930011l; // System.getCurrentMillis() on 2022-June-05, 11:39
+    	final Random otherRandom = new Random(seed);
+    	final Random otherRandom2 = new Random();
+    	otherRandom2.setSeed(seed);
+    	r.setSeed(seed);
+    	final long l1 = r.nextLong();
+    	final long l2 = otherRandom.nextLong();
+    	final long l3 = otherRandom2.nextLong();
+    	assertEquals(l2, l3);
+    	assertNotEquals(l1, l2);
+    }
 }