Some parts of the current code are using Java's Random class to generate random numbers for various purposes. It should be changed into SecureRandom using CSPRNG.
The main priority should be the random serial number (see https://github.com/dogtagpki/pki/blob/master/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java).
Note that other parts of the code are already using SecureRandom but not very consistently. Some do not specify the algorithm, some are using SHA1PRNG, and some others are using PK11SecureRandom.
The current web application session ID is already generated using pkcs11prng (see https://github.com/dogtagpki/pki/blob/master/base/ca/tomcat8/conf/Catalina/localhost/ca.xml).
<Manager secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
See also ticket #2023 about Randomizing IVParameterSpec.
This will be documented in http://pki.fedoraproject.org/wiki/Random_Number_Generator.
Metadata Update from @edewata: - Custom field component adjusted to General - Custom field feature adjusted to '' - Custom field origin adjusted to Community - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field type adjusted to defect - Custom field version adjusted to '' - Issue priority set to: critical - Issue set to the milestone: 10.4
Metadata Update from @mharmsen: - Issue assigned to edewata
Metadata Update from @mharmsen: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1452347
Patch for review:
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5 (was: 10.4)
Metadata Update from @mharmsen: - Issue priority set to: major (was: critical)
Per CS/DS Meeting 09/25/2017: 10.5 blocker
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: major)
Metadata Update from @edewata: - Assignee reset
Metadata Update from @jmagne: - Issue assigned to jmagne
Since this already has a patch, I'm not sure how much is left to do, but it was suggested that I take this one. Whatever is left to do.
The above patch fixed the random serial number generator to use SecureRandom. There might be other places that still use Random. They need to be changed to use SecureRandom as well.
Metadata Update from @jmagne: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.5.0 (was: 10.5)
Jack Magne 2017-10-23 14:27:21 EDT
Checkin:
commit b42b58024b801e5c9874e11dfb52de2b45c3a285
Author: Jack Magne jmagne@redhat.com
Date: Thu Oct 5 11:55:12 2017 -0700
Fix: #2695 Replacing Random with SecureRandom. This is addressed by creating one centralized method to get the SecureRandom number generator in JssSubsystem, which already exists. Another fix by edewata allowed us to be able to access the JssSubsystem from most other server code. Thus only one method required. In a future ticket we can centralize the method calls TO the secure random object to allow us to easily log when they are called. Added a centralized method to CryptoUtil, which can be used by java clients.
Change-Id: I092a6c16b43ddc6bb33ff0b6084ece1f34285844
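An added illustration of the ticket's two points, a single shared SecureRandom and random serial numbers drawn from it; this is not Dogtag's code and not part of the ticket. The class name, the getRandomNumberGenerator and randomSerial helpers, the fallback to the default SecureRandom, the seed and the 128-bit range are assumptions made for the example; the provider and algorithm names are the ones in the ca.xml line quoted in the ticket description.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Random;

public class SerialRandomDemo {
    // Hypothetical central accessor (not Dogtag's code): every caller shares one
    // CSPRNG, so the algorithm choice lives in a single place.
    private static final SecureRandom SHARED = create();

    private static SecureRandom create() {
        try {
            // Provider and algorithm names as in the ca.xml <Manager> line on this page;
            // this only succeeds when the JSS provider is registered in the JVM.
            return SecureRandom.getInstance("pkcs11prng", "Mozilla-JSS");
        } catch (GeneralSecurityException e) {
            return new SecureRandom(); // assumption: fall back to the platform default
        }
    }

    static SecureRandom getRandomNumberGenerator() { return SHARED; }

    // Uniform serial number in [min, max]; rejection sampling avoids modulo bias.
    static BigInteger randomSerial(Random rng, BigInteger min, BigInteger max) {
        if (min.compareTo(max) > 0) {
            throw new IllegalArgumentException("min must not exceed max");
        }
        BigInteger span = max.subtract(min).add(BigInteger.ONE);
        BigInteger candidate;
        do {
            candidate = new BigInteger(span.bitLength(), rng);
        } while (candidate.compareTo(span) >= 0);
        return min.add(candidate);
    }

    public static void main(String[] args) {
        BigInteger min = BigInteger.ONE;
        BigInteger max = BigInteger.ONE.shiftLeft(128).subtract(BigInteger.ONE); // constructed range
        // java.util.Random: the whole output stream is determined by a 48-bit seed,
        // so two generators with the same seed issue the same serial number.
        long seed = 20171005L; // constructed seed
        BigInteger a = randomSerial(new Random(seed), min, max);
        BigInteger b = randomSerial(new Random(seed), min, max);
        System.out.println("Random, same seed, identical serials: " + a.equals(b));
        // SecureRandom: serials come from the shared CSPRNG instead.
        SecureRandom rng = getRandomNumberGenerator();
        System.out.println("algorithm in use: " + rng.getAlgorithm());
        System.out.println("serial: " + randomSerial(rng, min, max).toString(16));
    }
}
```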
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2815
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.