Added configurable random number generator in JssSubsystem.

The JssSubsystem has been modified to provide a configurable random number generator which uses PK11SecureRandom from JSS by default. The CertificateRepository has been modified to use the new random number generator to generate random serial number. https://pagure.io/dogtagpki/issue/2695 Change-Id: I3289adbd0543000e64404fe23d00c44f32795f75
author: Endi S. Dewata <edewata@redhat.com> 2017-05-20 00:06:41 +0200
committer: Endi S. Dewata <edewata@redhat.com> 2017-05-23 00:21:49 +0200
commit: b66409ba4a9ffa8cb58f643e891a4a50a67fb29a (patch)
tree: fddb47c51b3ee03c8c05916b201c595fa883adcc /base/server
parent: 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb (diff)
download: pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.tar.gz
pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.tar.xz
pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.zip
2 files changed, 43 insertions, 16 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
index 8406f367b..9a333fe19 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CertificateRepository.java
@@ -19,27 +19,18 @@ package com.netscape.cmscore.dbs;
 
 import java.io.Serializable;
 import java.math.BigInteger;
+import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
-import java.util.Random;
 import java.util.Vector;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ThreadFactory;
 import java.util.concurrent.TimeUnit;
 
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPSearchResults;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
@@ -62,6 +53,16 @@ import com.netscape.certsrv.dbs.certdb.RenewableCertificateCollection;
 import com.netscape.certsrv.dbs.repository.IRepository;
 import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.cmscore.security.JssSubsystem;
+
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPSearchResults;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
 
 /**
  * A class represents a certificate repository. It
@@ -99,7 +100,6 @@ public class CertificateRepository extends Repository
     private int mTransitMaxRecords = 1000000;
     private int mTransitRecordPageSize = 200;
 
-    private Random mRandom = null;
     private int mBitLength = 0;
     private BigInteger mRangeSize = null;
     private int mMinRandomBitLength = 4;
@@ -169,11 +169,7 @@ public class CertificateRepository extends Repository
     }
 
     private BigInteger getRandomNumber() throws EBaseException {
-        BigInteger randomNumber = null;
 
-        if (mRandom == null) {
-            mRandom = new Random();
-        }
         super.initCacheIfNeeded();
 
         if (mRangeSize == null) {
@@ -189,7 +185,11 @@ public class CertificateRepository extends Repository
             CMS.debug("CertificateRepository: getRandomNumber:  Range size is too small to support random certificate serial numbers.");
             throw new EBaseException ("Range size is too small to support random certificate serial numbers.");
         }
-        randomNumber = new BigInteger((mBitLength), mRandom);
+
+        JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
+        SecureRandom random = jssSubsystem.getRandomNumberGenerator();
+
+        BigInteger randomNumber = new BigInteger(mBitLength, random);
         randomNumber = (randomNumber.multiply(mRangeSize)).shiftRight(mBitLength);
         CMS.debug("CertificateRepository: getRandomNumber  randomNumber="+randomNumber);
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
index 9031a9261..d346a128e 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java
@@ -32,6 +32,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Principal;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -116,6 +117,7 @@ public final class JssSubsystem implements ICryptoSubsystem {
     private boolean mInited = false;
     private ILogger mLogger = null;
     private CryptoManager mCryptoManager = null;
+    private SecureRandom random;
 
     protected PasswordCallback mPWCB = null;
 
@@ -334,11 +336,36 @@ public final class JssSubsystem implements ICryptoSubsystem {
             throw ex;
         }
 
+        // read jss.random.* properties
+        // by default use PK11SecureRandom from JSS
+        // see http://pki.fedoraproject.org/wiki/Random_Number_Generator
+
+        IConfigStore randomConfig = config.getSubStore("random");
+        CMS.debug("JssSubsystem: random:");
+
+        String algorithm = randomConfig.getString("algorithm", "pkcs11prng");
+        CMS.debug("JssSubsystem: - algorithm: " + algorithm);
+
+        String provider = randomConfig.getString("provider", "Mozilla-JSS");
+        CMS.debug("JssSubsystem: - provider: " + provider);
+
+        try {
+            random = SecureRandom.getInstance(algorithm, provider);
+
+        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            CMS.debug(e);
+            throw new EBaseException(e);
+        }
+
         mInited = true;
 
         CMS.debug("JssSubsystem: initialization complete");
     }
 
+    public SecureRandom getRandomNumberGenerator() {
+        return random;
+    }
+
     public String getCipherVersion() throws EBaseException {
         return "cipherdomestic";
     }
author	Endi S. Dewata <edewata@redhat.com>	2017-05-20 00:06:41 +0200
committer	Endi S. Dewata <edewata@redhat.com>	2017-05-23 00:21:49 +0200
commit	b66409ba4a9ffa8cb58f643e891a4a50a67fb29a (patch)
tree	fddb47c51b3ee03c8c05916b201c595fa883adcc /base/server
parent	8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb (diff)
download	pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.tar.gz pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.tar.xz pki-b66409ba4a9ffa8cb58f643e891a4a50a67fb29a.zip