From b66409ba4a9ffa8cb58f643e891a4a50a67fb29a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Sat, 20 May 2017 00:06:41 +0200
Subject: [PATCH] Added configurable random number generator in JssSubsystem.
The JssSubsystem has been modified to provide a configurable random number generator which uses PK11SecureRandom from JSS by default. The CertificateRepository has been modified to use the new random number generator to generate random serial number.
https://pagure.io/dogtagpki/issue/2695
Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
---
 .../cmscore/dbs/CertificateRepository.java | 32 +++++++++---------
 .../cmscore/security/JssSubsystem.java | 27 ++++++++++++++++
 2 files changed, 43 insertions(+), 16 deletions(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
index 8406f367b3f..9a333fe1944 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -19,27 +19,18 @@
 import java.io.Serializable;
 import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
-import java.util.Random;
 import java.util.Vector;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPSearchResults;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -62,6 +53,16 @@
 import com.netscape.certsrv.dbs.repository.IRepository;
 import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmscore.security.JssSubsystem;
+
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchResults;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
 /**
 * A class represents a certificate repository. It
@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository
 private int mTransitMaxRecords = 1000000;
 private int mTransitRecordPageSize = 200;
- private Random mRandom = null;
 private int mBitLength = 0;
 private BigInteger mRangeSize = null;
 private int mMinRandomBitLength = 4;
@@ -169,11 +169,7 @@ public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boo
 }
 private BigInteger getRandomNumber() throws EBaseException {
- BigInteger randomNumber = null;
- if (mRandom == null) {
- mRandom = new Random();
- }
 super.initCacheIfNeeded();
 if (mRangeSize == null) {
@@ -189,7 +185,11 @@ private BigInteger getRandomNumber() throws EBaseException {
 CMS.debug("CertificateRepository: getRandomNumber: Range size is too small to support random certificate serial numbers.");
 throw new EBaseException ("Range size is too small to support random certificate serial numbers.");
 }
- randomNumber = new BigInteger((mBitLength), mRandom);
+
+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
+ SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+
+ BigInteger randomNumber = new BigInteger(mBitLength, random);
 randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength);
 CMS.debug("CertificateRepository: getRandomNumber randomNumber="+randomNumber);
diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
index 9031a92615c..d346a128e58 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
@@ -32,6 +32,7 @@
 import java.security.NoSuchProviderException;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
 private boolean mInited = false;
 private ILogger mLogger = null;
 private CryptoManager mCryptoManager = null;
+ private SecureRandom random;
 protected PasswordCallback mPWCB = null;
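Review bot: In the `@@ -189,7 +185,11 @@` hunk of CertificateRepository.getRandomNumber(), neither the result of `CMS.getSubsystem(JssSubsystem.ID)` nor the `SecureRandom` returned by `getRandomNumberGenerator()` is checked before use. If the generator has not been set up, the failure surfaces as a NullPointerException from `new BigInteger(mBitLength, random)` rather than as the `EBaseException` the method declares. A guard before the BigInteger call, `if (random == null) throw new EBaseException("Random number generator is not initialized");`, would keep the failure explicit and ensure serial numbers are never drawn without the configured generator. Whether `CMS.getSubsystem` can itself return null is not visible here and should be confirmed. The method body starts and ends outside this hunk.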
@@ -334,11 +336,36 @@ public void init(ISubsystem owner, IConfigStore config)
 throw ex;
 }
+ // read jss.random.* properties
+ // by default use PK11SecureRandom from JSS
+ // see http://pki.fedoraproject.org/wiki/Random_Number_Generator
+
+ IConfigStore randomConfig = config.getSubStore("random");
+ CMS.debug("JssSubsystem: random:");
+
+ String algorithm = randomConfig.getString("algorithm", "pkcs11prng");
+ CMS.debug("JssSubsystem: - algorithm: " + algorithm);
+
+ String provider = randomConfig.getString("provider", "Mozilla-JSS");
+ CMS.debug("JssSubsystem: - provider: " + provider);
+
+ try {
+ random = SecureRandom.getInstance(algorithm, provider);
+
+ } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+ CMS.debug(e);
+ throw new EBaseException(e);
+ }
+
 mInited = true;
 CMS.debug("JssSubsystem: initialization complete");
 }
+ public SecureRandom getRandomNumberGenerator() {
+ return random;
+ }
+
 public String getCipherVersion() throws EBaseException {
 return "cipherdomestic";
 }
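Review bot: The new public `getRandomNumberGenerator()` at the end of this hunk returns the `random` field with no documentation. That field is still null if a caller reaches it before init() has run the new `SecureRandom.getInstance(algorithm, provider)` block, or after init() threw earlier. I would add a Javadoc such as `/** Returns the SecureRandom configured through jss.random.algorithm and jss.random.provider; null until init() has completed. */` so callers know to handle that case. The catch block also deserves a one-line comment, `// fail startup rather than fall back to a weaker default generator`, because that fail-closed behaviour is what certificate serial number generation relies on. init() begins outside the hunk.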