Dynamic (#77)

tests/dynamic_fixtures/crypto/java/vuln.java

@@ -0,0 +1,26 @@
+// Phase 11 (Track J.9) — Java CRYPTO vuln fixture.
+//
+// Models a config-driven crypto endpoint that picks the RNG based on
+// the request payload — `*_WEAK` routes through `java.util.Random`
+// (a non-CSPRNG, seeded from the payload hash, returning a 16-bit
+// key) and `*_STRONG` routes through `java.security.SecureRandom`
+// (a CSPRNG, returning 32 bytes).  This shape is needed by the
+// differential runner: the vuln-payload attempt and the benign-
+// control attempt both load the same fixture, and only the payload-
+// routed weak branch trips the `WeakKeyEntropy` predicate.
+import java.util.Random;
+import java.security.SecureRandom;
+
+public class Vuln {
+    public static byte[] run(String value) {
+        if (value != null && value.contains("STRONG")) {
+            byte[] key = new byte[32];
+            new SecureRandom().nextBytes(key);
+            return key;
+        }
+        Random r = new Random(value == null ? 0L : (long) value.hashCode());
+        byte[] key = new byte[2];
+        r.nextBytes(key);
+        return key;
+    }
+}