Generate more obfuscated noise files during installation

[pki-bot]

This issue was migrated from Pagure Issue #2559. Originally filed by stlaz (@stlaz) on 2016-12-08 15:27:58:

• Assigned to nobody

---

I noticed that during pkispawn a lot of noise files generated to work with certutil contain just the string "not_so_random_data". I do not think that "It's not used anyway" comment from the code justifies this behavior. It may not be used now but if there's a use to it in the future, it'd be hard to notice and would instantly cause a CVE to pop out.

I think that reading bytes from /dev/random should be cheap enough operation and should be used instead.

[pki-bot]

Comment from mharmsen (@mharmsen) at 2016-12-13 02:01:11

Per CS/DS Meeting of 12/12/2016: 10.4 - minor

REASON PROVIDED BY RRELYEA: A modern nss running on a modern box. NSS's own entropy, which uses dev urandom, is very good and using a bad noise file will be of little consequence at this point.

PROPOSED SOLUTION: Either remove noise file, or populate it with random data (use NSS method).

[pki-bot]

Comment from stlaz (@stlaz) at 2017-02-27 14:05:43

Metadata Update from @stlaz:

• Issue set to the milestone: 10.4

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-08-09 16:52:37

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-08-09 16:52:37

Metadata Update from @mharmsen:

• Custom field feature adjusted to None
• Custom field proposedmilestone adjusted to None
• Custom field proposedpriority adjusted to None
• Custom field reviewer adjusted to None
• Custom field version adjusted to None
• Issue close_status updated to: None
• Issue set to the milestone: FUTURE (was: 10.4)