Added configurable random number generator in JssSubsystem.

The JssSubsystem has been modified to provide a configurable random number generator which uses PK11SecureRandom from JSS by default. The CertificateRepository has been modified to use the new random number generator to generate random serial number. https://pagure.io/dogtagpki/issue/2695 Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
dogtagpki · May 22, 2017 · b66409b · b66409b
1 parent 8aafe1d
commit b66409b
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 16 deletions.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -19,27 +19,18 @@
 
 import java.io.Serializable;
 import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
-import java.util.Random;
 import java.util.Vector;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
 
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPSearchResults;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -62,6 +53,16 @@
 import com.netscape.certsrv.dbs.repository.IRepository;
 import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmscore.security.JssSubsystem;
+
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchResults;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
 
 /**
  * A class represents a certificate repository. It
@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository
     private int mTransitMaxRecords = 1000000;
     private int mTransitRecordPageSize = 200;
 
-    private Random mRandom = null;
     private int mBitLength = 0;
     private BigInteger mRangeSize = null;
     private int mMinRandomBitLength = 4;
@@ -169,11 +169,7 @@ public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boo
     }
 
     private BigInteger getRandomNumber() throws EBaseException {
-        BigInteger randomNumber = null;
 
-        if (mRandom == null) {
-            mRandom = new Random();
-        }
         super.initCacheIfNeeded();
 
         if (mRangeSize == null) {
@@ -189,7 +185,11 @@ private BigInteger getRandomNumber() throws EBaseException {
             CMS.debug("CertificateRepository: getRandomNumber:  Range size is too small to support random certificate serial numbers.");
             throw new EBaseException ("Range size is too small to support random certificate serial numbers.");
         }
-        randomNumber = new BigInteger((mBitLength), mRandom);
+
+        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
+        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+
+        BigInteger randomNumber = new BigInteger(mBitLength, random);
         randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength);
         CMS.debug("CertificateRepository: getRandomNumber  randomNumber="+randomNumber);
 

diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
@@ -32,6 +32,7 @@
 import java.security.NoSuchProviderException;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
     private boolean mInited = false;
     private ILogger mLogger = null;
     private CryptoManager mCryptoManager = null;
+    private SecureRandom random;
 
     protected PasswordCallback mPWCB = null;
 
@@ -334,11 +336,36 @@ public void init(ISubsystem owner, IConfigStore config)
             throw ex;
         }
 
+        // read jss.random.* properties
+        // by default use PK11SecureRandom from JSS
+        // see http://pki.fedoraproject.org/wiki/Random_Number_Generator
+
+        IConfigStore randomConfig = config.getSubStore("random");
+        CMS.debug("JssSubsystem: random:");
+
+        String algorithm = randomConfig.getString("algorithm", "pkcs11prng");
+        CMS.debug("JssSubsystem: - algorithm: " + algorithm);
+
+        String provider = randomConfig.getString("provider", "Mozilla-JSS");
+        CMS.debug("JssSubsystem: - provider: " + provider);
+
+        try {
+            random = SecureRandom.getInstance(algorithm, provider);
+
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            CMS.debug(e);
+            throw new EBaseException(e);
+        }
+
         mInited = true;
 
         CMS.debug("JssSubsystem: initialization complete");
     }
 
+    public SecureRandom getRandomNumberGenerator() {
+        return random;
+    }
+
     public String getCipherVersion() throws EBaseException {
         return "cipherdomestic";
     }