-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replacing Random with SecureRandom. #2815
Comments
Comment from edewata (@edewata) at 2017-05-17 15:33:14 Metadata Update from @edewata:
|
Comment from mharmsen (@mharmsen) at 2017-05-18 13:57:35 Metadata Update from @mharmsen:
|
Comment from mharmsen (@mharmsen) at 2017-05-18 14:15:38 Metadata Update from @mharmsen:
|
Comment from edewata (@edewata) at 2017-05-19 18:40:32 Patch for review: |
Comment from mharmsen (@mharmsen) at 2017-08-03 19:34:53 Metadata Update from @mharmsen:
|
Comment from mharmsen (@mharmsen) at 2017-09-25 17:02:18 Metadata Update from @mharmsen:
|
Comment from mharmsen (@mharmsen) at 2017-09-25 18:01:39 Per CS/DS Meeting 09/25/2017: 10.5 blocker |
Comment from mharmsen (@mharmsen) at 2017-09-25 18:01:44 Metadata Update from @mharmsen:
|
Comment from edewata (@edewata) at 2017-09-26 10:44:35 Metadata Update from @edewata:
|
Comment from jmagne (@jmagne) at 2017-09-28 16:53:51 Metadata Update from @jmagne:
|
Comment from jmagne (@jmagne) at 2017-09-28 16:54:57 Since this has already a patch not sure how much is left to do, but was suggested I take this one. Whatever is left to do. |
Comment from edewata (@edewata) at 2017-09-28 17:05:34 The above patch fixed the random serial number generator to use SecureRandom. There might be other places that still use Random. They need to be changed to use SecureRandom as well. |
Comment from jmagne (@jmagne) at 2017-10-23 14:23:27 Metadata Update from @jmagne:
|
Comment from mharmsen (@mharmsen) at 2017-10-23 14:24:01 Metadata Update from @mharmsen:
|
Comment from mharmsen (@mharmsen) at 2017-10-23 14:28:36 Jack Magne 2017-10-23 14:27:21 EDT Checkin: commit b42b580
|
This issue was migrated from Pagure Issue #2695. Originally filed by edewata (@edewata) on 2017-05-17 15:32:32:
Some parts of the current code are using Java's Random class to generate random numbers for various purposes. It should be changed into SecureRandom using CSPRNG.
The main priority should be the random serial number (see https://github.com/dogtagpki/pki/blob/master/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java).
Note that other parts of the code are already using SecureRandom but not very consistently. Some do not specify the algorithm, some are using SHA1PRNG, and some others are using PK11SecureRandom.
The current web application session ID is already generated using pkcs11prng (see https://github.com/dogtagpki/pki/blob/master/base/ca/tomcat8/conf/Catalina/localhost/ca.xml).
See also ticket 2023 about Randomizing IVParameterSpec.
This will be documented in http://pki.fedoraproject.org/wiki/Random_Number_Generator.
The text was updated successfully, but these errors were encountered: