Use RandomNumberGenerator.Fill()

src/Antiforgery/src/Internal/BinaryBlob.cs

@@ -15,7 +15,6 @@ namespace Microsoft.AspNetCore.Antiforgery
     [DebuggerDisplay("{DebuggerString}")]
     internal sealed class BinaryBlob : IEquatable<BinaryBlob>
     {
-        private static readonly RandomNumberGenerator _randomNumberGenerator = RandomNumberGenerator.Create();
         private readonly byte[] _data;
 
         // Generates a new token using a specified bit length.
@@ -92,7 +91,7 @@ public override int GetHashCode()
         private static byte[] GenerateNewToken(int bitLength)
         {
             var data = new byte[bitLength / 8];
-            _randomNumberGenerator.GetBytes(data);
+            RandomNumberGenerator.Fill(data);
             return data;
         }
 

src/Antiforgery/test/DefaultAntiforgeryTokenGeneratorTest.cs

@@ -149,10 +149,7 @@ public void GenerateRequestToken_ClaimsBasedIdentity()
             httpContext.User = new ClaimsPrincipal(identity);
 
             byte[] data = new byte[256 / 8];
-            using (var rng = RandomNumberGenerator.Create())
-            {
-                rng.GetBytes(data);
-            }
+            RandomNumberGenerator.Fill(data);
             var base64ClaimUId = Convert.ToBase64String(data);
             var expectedClaimUid = new BinaryBlob(256, data);
 

src/Components/Server/src/Circuits/CircuitIdFactory.cs

@@ -20,7 +20,6 @@ internal class CircuitIdFactory
         private const int SecretLength = 64;
         private const int IdLength = 32;
 
-        private readonly RandomNumberGenerator _generator = RandomNumberGenerator.Create();
         private readonly IDataProtector _protector;
 
         public CircuitIdFactory(IDataProtectionProvider provider)
@@ -35,7 +34,7 @@ public CircuitIdFactory(IDataProtectionProvider provider)
         public CircuitId CreateCircuitId()
         {
             var buffer = new byte[SecretLength];
-            _generator.GetBytes(buffer);
+            RandomNumberGenerator.Fill(buffer);
 
             var id = new byte[IdLength];
             Array.Copy(

src/Hosting/TestHost/src/WebSocketClient.cs

@@ -109,8 +109,7 @@ public async Task<WebSocket> ConnectAsync(Uri uri, CancellationToken cancellatio
         private string CreateRequestKey()
         {
             byte[] data = new byte[16];
-            var rng = RandomNumberGenerator.Create();
-            rng.GetBytes(data);
+            RandomNumberGenerator.Fill(data);
             return Convert.ToBase64String(data);
         }
 

src/Middleware/Session/src/DistributedSession.cs

@@ -16,7 +16,6 @@ namespace Microsoft.AspNetCore.Session
 {
     public class DistributedSession : ISession
     {
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
         private const int IdByteCount = 16;
 
         private const byte SerializationRevision = 2;
@@ -104,7 +103,7 @@ private byte[] IdBytes
                 if (IsAvailable && _sessionIdBytes == null)
                 {
                     _sessionIdBytes = new byte[IdByteCount];
-                    CryptoRandom.GetBytes(_sessionIdBytes);
+                    RandomNumberGenerator.Fill(_sessionIdBytes);
                 }
                 return _sessionIdBytes;
             }

src/Middleware/Session/src/SessionMiddleware.cs

@@ -20,7 +20,6 @@ namespace Microsoft.AspNetCore.Session
     /// </summary>
     public class SessionMiddleware
     {
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
         private const int SessionKeyLength = 36; // "382c74c3-721d-4f34-80e5-57657b6cbc27"
         private static readonly Func<bool> ReturnTrue = () => true;
         private readonly RequestDelegate _next;
@@ -91,7 +90,7 @@ public async Task Invoke(HttpContext context)
             {
                 // No valid cookie, new session.
                 var guidBytes = new byte[16];
-                CryptoRandom.GetBytes(guidBytes);
+                RandomNumberGenerator.Fill(guidBytes);
                 sessionKey = new Guid(guidBytes).ToString();
                 cookieValue = CookieProtection.Protect(_dataProtector, sessionKey);
                 var establisher = new SessionEstablisher(context, cookieValue, _options);

src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs

@@ -18,8 +18,6 @@ public abstract class RemoteAuthenticationHandler<TOptions> : AuthenticationHand
         private const string CorrelationMarker = "N";
         private const string AuthSchemeKey = ".AuthScheme";
 
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
-
         protected string SignInScheme => Options.SignInScheme;
 
         /// <summary>
@@ -194,7 +192,7 @@ protected virtual void GenerateCorrelationId(AuthenticationProperties properties
             }
 
             var bytes = new byte[32];
-            CryptoRandom.GetBytes(bytes);
+            RandomNumberGenerator.Fill(bytes);
             var correlationId = Base64UrlTextEncoder.Encode(bytes);
 
             var cookieOptions = Options.CorrelationCookie.Build(Context, Clock.UtcNow);

src/Security/Authentication/MicrosoftAccount/src/MicrosoftAccountHandler.cs

@@ -20,8 +20,6 @@ namespace Microsoft.AspNetCore.Authentication.MicrosoftAccount
 {
     public class MicrosoftAccountHandler : OAuthHandler<MicrosoftAccountOptions>
     {
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
-
         public MicrosoftAccountHandler(IOptionsMonitor<MicrosoftAccountOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
             : base(options, logger, encoder, clock)
         { }
@@ -64,7 +62,7 @@ protected override string BuildChallengeUrl(AuthenticationProperties properties,
             if (Options.UsePkce)
             {
                 var bytes = new byte[32];
-                CryptoRandom.GetBytes(bytes);
+                RandomNumberGenerator.Fill(bytes);
                 var codeVerifier = Base64UrlTextEncoder.Encode(bytes);
 
                 // Store this for use during the code redemption.

src/Security/Authentication/OAuth/src/OAuthHandler.cs

@@ -22,7 +22,6 @@ namespace Microsoft.AspNetCore.Authentication.OAuth
 {
     public class OAuthHandler<TOptions> : RemoteAuthenticationHandler<TOptions> where TOptions : OAuthOptions, new()
     {
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
         protected HttpClient Backchannel => Options.Backchannel;
 
         /// <summary>
@@ -274,7 +273,7 @@ protected virtual string BuildChallengeUrl(AuthenticationProperties properties,
             if (Options.UsePkce)
             {
                 var bytes = new byte[32];
-                CryptoRandom.GetBytes(bytes);
+                RandomNumberGenerator.Fill(bytes);
                 var codeVerifier = Base64UrlTextEncoder.Encode(bytes);
 
                 // Store this for use during the code redemption.

src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs

@@ -34,8 +34,6 @@ public class OpenIdConnectHandler : RemoteAuthenticationHandler<OpenIdConnectOpt
         private const string NonceProperty = "N";
         private const string HeaderValueEpocDate = "Thu, 01 Jan 1970 00:00:00 GMT";
 
-        private static readonly RandomNumberGenerator CryptoRandom = RandomNumberGenerator.Create();
-
         private OpenIdConnectConfiguration _configuration;
 
         protected HttpClient Backchannel => Options.Backchannel;
@@ -371,7 +369,7 @@ private async Task HandleChallengeAsyncInternal(AuthenticationProperties propert
             if (Options.UsePkce && Options.ResponseType == OpenIdConnectResponseType.Code)
             {
                 var bytes = new byte[32];
-                CryptoRandom.GetBytes(bytes);
+                RandomNumberGenerator.Fill(bytes);
                 var codeVerifier = Base64UrlTextEncoder.Encode(bytes);
 
                 // Store this for use during the code redemption. See RunAuthorizationCodeReceivedEventAsync.