I noticed that during pkispawn a lot of noise files generated to work with certutil contain just the string "not_so_random_data". I do not think that "It's not used anyway" comment from the code justifies this behavior. It may not be used now but if there's a use to it in the future, it'd be hard to notice and would instantly cause a CVE to pop out.
I think that reading bytes from /dev/random should be cheap enough operation and should be used instead.
Per CS/DS Meeting of 12/12/2016: 10.4 - minor
REASON PROVIDED BY RRELYEA: A modern nss running on a modern box. NSS's own entropy, which uses dev urandom, is very good and using a bad noise file will be of little consequence at this point.
PROPOSED SOLUTION: Either remove noise file, or populate it with random data (use NSS method).
Metadata Update from @stlaz: - Issue set to the milestone: 10.4
Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.
Metadata Update from @mharmsen: - Custom field feature adjusted to None - Custom field proposedmilestone adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field version adjusted to None - Issue close_status updated to: None - Issue set to the milestone: FUTURE (was: 10.4)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2679
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.