Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replacing Random with SecureRandom. #2815

Closed
pki-bot opened this issue Oct 3, 2020 · 15 comments
Closed

Replacing Random with SecureRandom. #2815

pki-bot opened this issue Oct 3, 2020 · 15 comments
Labels
Closed: Fixed
Milestone
10.5.0

Comments

@pki-bot
Copy link

pki-bot commented Oct 3, 2020

This issue was migrated from Pagure Issue #2695. Originally filed by edewata (@edewata) on 2017-05-17 15:32:32:

Some parts of the current code are using Java's Random class to generate random numbers for various purposes. It should be changed into SecureRandom using CSPRNG.

The main priority should be the random serial number (see https://github.com/dogtagpki/pki/blob/master/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java).

Note that other parts of the code are already using SecureRandom but not very consistently. Some do not specify the algorithm, some are using SHA1PRNG, and some others are using PK11SecureRandom.

The current web application session ID is already generated using pkcs11prng (see https://github.com/dogtagpki/pki/blob/master/base/ca/tomcat8/conf/Catalina/localhost/ca.xml).

<Manager secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>

See also ticket 2023 about Randomizing IVParameterSpec.

This will be documented in http://pki.fedoraproject.org/wiki/Random_Number_Generator.
@pki-bot pki-bot added this to the 10.5.0 milestone Oct 3, 2020
@pki-bot pki-bot closed this as completed Oct 3, 2020
@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2017-05-17 15:33:14

Metadata Update from @edewata:

  • Custom field component adjusted to General
  • Custom field feature adjusted to ''
  • Custom field origin adjusted to Community
  • Custom field proposedmilestone adjusted to ''
  • Custom field proposedpriority adjusted to ''
  • Custom field reviewer adjusted to ''
  • Custom field type adjusted to defect
  • Custom field version adjusted to ''
  • Issue priority set to: critical
  • Issue set to the milestone: 10.4

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-05-18 13:57:35

Metadata Update from @mharmsen:

  • Issue assigned to edewata

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-05-18 14:15:38

Metadata Update from @mharmsen:

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2017-05-19 18:40:32

Patch for review:

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-08-03 19:34:53

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.5 (was: 10.4)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-09-25 17:02:18

Metadata Update from @mharmsen:

  • Issue priority set to: major (was: critical)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-09-25 18:01:39

Per CS/DS Meeting 09/25/2017: 10.5 blocker

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-09-25 18:01:44

Metadata Update from @mharmsen:

  • Issue priority set to: blocker (was: major)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2017-09-26 10:44:35

Metadata Update from @edewata:

  • Assignee reset

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2017-09-28 16:53:51

Metadata Update from @jmagne:

  • Issue assigned to jmagne

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2017-09-28 16:54:57

Since this has already a patch not sure how much is left to do, but was suggested I take this one. Whatever is left to do.

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from edewata (@edewata) at 2017-09-28 17:05:34

The above patch fixed the random serial number generator to use SecureRandom. There might be other places that still use Random. They need to be changed to use SecureRandom as well.

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from jmagne (@jmagne) at 2017-10-23 14:23:27

Metadata Update from @jmagne:

  • Issue close_status updated to: fixed
  • Issue status updated to: Closed (was: Open)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-10-23 14:24:01

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.5.0 (was: 10.5)

@pki-bot
Copy link
Author

pki-bot commented Oct 3, 2020

Comment from mharmsen (@mharmsen) at 2017-10-23 14:28:36

Jack Magne 2017-10-23 14:27:21 EDT

Checkin:

commit b42b580
Author: Jack Magne jmagne@redhat.com
Date: Thu Oct 5 11:55:12 2017 -0700

Fix: 2695 Replacing Random with SecureRandom.

This is addressed by creating one centralized method to get
the SecureRandom number generator in JssSubsytem, which alread exists.

Another fix by edewata allowed us to be able to access the
JssSubsystem from most other server code. Thus only one method
required.

In a future ticket we can centralize the method calls TO the secure
random object to allows us to easily log when they are called.

Added a centralized method to CryptoUtil, which can be used by java clients.

Change-Id: I092a6c16b43ddc6bb33ff0b6084ece1f34285844

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Closed: Fixed
Projects
None yet
Milestone
10.5.0
Development

No branches or pull requests
1 participant
@pki-bot