Use SecureRandom instead of java.util.Random.

The latter might be initialized in the Zygote and return the same sequence within app restarts. Bug: 273524418 Fix: 273524418 Test: m Change-Id: Id85082edffb7b769bb5f78d66b561e5e097227c5
GrapheneOS-Archive · May 1, 2023 · e541648 · e541648
1 parent c3ba98d
commit e541648
Showing 1 changed file with 1 addition and 3 deletions.
diff --git a/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java b/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java
@@ -40,7 +40,6 @@
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
 
 /**
  * Assorted utility methods for implementing crypto operations on top of KeyStore.
@@ -50,7 +49,6 @@
 abstract class KeyStoreCryptoOperationUtils {
 
     private static volatile SecureRandom sRng;
-    private static final Random sRandom = new Random();
 
     private KeyStoreCryptoOperationUtils() {}
 
@@ -213,7 +211,7 @@ static long getOrMakeOperationChallenge(KeyStoreOperation operation, AndroidKeyS
         } else {
             // Keystore won't give us an operation challenge if the operation doesn't
             // need user authorization. So we make our own.
-            return sRandom.nextLong();
+            return getRng().nextLong();
         }
     }
 }