Skip to content

Commit

Permalink
Use a global SecureRandom instance
Browse files Browse the repository at this point in the history 
In some places the code needs a SecureRandom, but cannot use the Random
set on the Session. Instead of using "new SecureRandom()" everywhere
introduce a single global instance and re-use that.
  • Loading branch information
@tomaswolf
tomaswolf committed Sep 12, 2024
1 parent 2fff9b4 commit 90872df
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 8 deletions.
4 changes: 2 additions & 2 deletions ...src/main/java/org/apache/sshd/common/config/keys/loader/AbstractPrivateKeyObfuscator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,6 @@
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Objects;
Expand All @@ -34,6 +33,7 @@
import javax.crypto.spec.SecretKeySpec;

import org.apache.sshd.common.digest.BuiltinDigests;
import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.BufferUtils;
Expand All @@ -59,7 +59,7 @@ public byte[] generateInitializationVector(PrivateKeyEncryptionContext encContex
throws GeneralSecurityException {
int ivSize = resolveInitializationVectorLength(encContext);
byte[] initVector = new byte[ivSize];
Random randomizer = new SecureRandom(); // TODO consider using some pre-created singleton instance
Random randomizer = JceRandom.getGlobalInstance();
randomizer.nextBytes(initVector);
return initVector;
}
Expand Down
4 changes: 2 additions & 2 deletions .../java/org/apache/sshd/common/config/keys/writer/openssh/OpenSSHKeyPairResourceWriter.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Objects;
Expand All @@ -51,6 +50,7 @@
import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCrypt;
import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
import org.apache.sshd.common.config.keys.writer.KeyPairResourceWriter;
import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.random.JceRandomFactory;
import org.apache.sshd.common.random.Random;
import org.apache.sshd.common.util.GenericUtils;
Expand Down Expand Up @@ -148,7 +148,7 @@ public static OpenSSHKeyEncryptionContext determineEncryption(OpenSSHKeyEncrypti
public static byte[] encodePrivateKey(KeyPair key, String keyType, int blockSize, String comment)
throws IOException, GeneralSecurityException {
try (SecureByteArrayOutputStream out = new SecureByteArrayOutputStream()) {
int check = new SecureRandom().nextInt();
int check = JceRandom.getGlobalInstance().nextInt();
KeyEntryResolver.encodeInt(out, check);
KeyEntryResolver.encodeInt(out, check);
KeyEntryResolver.encodeString(out, keyType);
Expand Down
14 changes: 14 additions & 0 deletions sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,20 @@ private static SecureRandom getRandom() {
}
}

private static final class Cache {

static final SecureRandom INSTANCE = getRandom();

private Cache() {
// No instantiation
super();
}
}

public static SecureRandom getGlobalInstance() {
return Cache.INSTANCE;
}

@Override
public String getName() {
return NAME;
Expand Down
3 changes: 2 additions & 1 deletion sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
import org.apache.sshd.common.config.keys.OpenSshCertificate.Type;
import org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.signature.SignatureFactory;
Expand Down Expand Up @@ -241,7 +242,7 @@ public OpenSshCertificate sign(KeyPair caKeypair, String signatureAlgorithm) thr
if (nonce != null) {
cert.setNonce(nonce);
} else {
SecureRandom rand = new SecureRandom();
SecureRandom rand = JceRandom.getGlobalInstance();
byte[] tempNonce = new byte[32];
rand.nextBytes(tempNonce);
cert.setNonce(tempNonce);
Expand Down
6 changes: 3 additions & 3 deletions sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@
*/
package org.apache.sshd.common.kex;

import java.security.SecureRandom;
import java.util.Arrays;

import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.SecretWithEncapsulation;
Expand Down Expand Up @@ -64,7 +64,7 @@ static class Client implements KeyEncapsulationMethod.Client {
@Override
public void init() {
SNTRUPrimeKeyPairGenerator gen = new SNTRUPrimeKeyPairGenerator();
gen.init(new SNTRUPrimeKeyGenerationParameters(new SecureRandom(), SNTRUPrimeParameters.sntrup761));
gen.init(new SNTRUPrimeKeyGenerationParameters(JceRandom.getGlobalInstance(), SNTRUPrimeParameters.sntrup761));
AsymmetricCipherKeyPair pair = gen.generateKeyPair();
extractor = new SNTRUPrimeKEMExtractor((SNTRUPrimePrivateKeyParameters) pair.getPrivate());
publicKey = (SNTRUPrimePublicKeyParameters) pair.getPublic();
Expand Down Expand Up @@ -104,7 +104,7 @@ public byte[] init(byte[] publicKey) {
throw new IllegalArgumentException("KEM public key too short: " + publicKey.length);
}
byte[] pk = Arrays.copyOf(publicKey, pkBytes);
SNTRUPrimeKEMGenerator kemGenerator = new SNTRUPrimeKEMGenerator(new SecureRandom());
SNTRUPrimeKEMGenerator kemGenerator = new SNTRUPrimeKEMGenerator(JceRandom.getGlobalInstance());
SNTRUPrimePublicKeyParameters params = new SNTRUPrimePublicKeyParameters(SNTRUPrimeParameters.sntrup761, pk);
value = kemGenerator.generateEncapsulated(params);
return Arrays.copyOfRange(publicKey, pkBytes, publicKey.length);
Expand Down

0 comments on commit 90872df

Please sign in to comment.