From e541648a97ae0953c84c5438cdcde561f87c73fd Mon Sep 17 00:00:00 2001
From: Almaz Mingaleev <mingaleev@google.com>
Date: Tue, 14 Mar 2023 14:07:50 +0000
Subject: [PATCH] Use SecureRandom instead of java.util.Random.

The latter might be initialized in the Zygote and return the same
sequence within app restarts.

Bug: 273524418
Fix: 273524418
Test: m
Change-Id: Id85082edffb7b769bb5f78d66b561e5e097227c5
---
 .../security/keystore2/KeyStoreCryptoOperationUtils.java      | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java b/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java
index 6fa1a694eb67..372e4cb3d72e 100644
--- a/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java
+++ b/keystore/java/android/security/keystore2/KeyStoreCryptoOperationUtils.java
@@ -40,7 +40,6 @@
 import java.security.SecureRandom;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
 
 /**
  * Assorted utility methods for implementing crypto operations on top of KeyStore.
@@ -50,7 +49,6 @@
 abstract class KeyStoreCryptoOperationUtils {
 
     private static volatile SecureRandom sRng;
-    private static final Random sRandom = new Random();
 
     private KeyStoreCryptoOperationUtils() {}
 
@@ -213,7 +211,7 @@ static long getOrMakeOperationChallenge(KeyStoreOperation operation, AndroidKeyS
         } else {
             // Keystore won't give us an operation challenge if the operation doesn't
             // need user authorization. So we make our own.
-            return sRandom.nextLong();
+            return getRng().nextLong();
         }
     }
 }