This is an automated email from the ASF dual-hosted git repository.
twolf pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git
The following commit(s) were added to refs/heads/master by this push:
new 90872df67 Use a global SecureRandom instance
90872df67 is described below
commit 90872df67562818d0a23be61b3ec82f67cbc62b6
Author: Thomas Wolf <[email protected]>
AuthorDate: Thu Sep 12 23:40:30 2024 +0200
Use a global SecureRandom instance
In some places the code needs a SecureRandom, but cannot use the Random
set on the Session. Instead of using "new SecureRandom()" everywhere
introduce a single global instance and re-use that.
---
.../config/keys/loader/AbstractPrivateKeyObfuscator.java | 4 ++--
.../keys/writer/openssh/OpenSSHKeyPairResourceWriter.java | 4 ++--
.../main/java/org/apache/sshd/common/random/JceRandom.java | 14 ++++++++++++++
.../apache/sshd/certificate/OpenSshCertificateBuilder.java | 3 ++-
.../main/java/org/apache/sshd/common/kex/SNTRUP761.java | 6 +++---
5 files changed, 23 insertions(+), 8 deletions(-)
diff --git
a/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/AbstractPrivateKeyObfuscator.java
b/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/AbstractPrivateKeyObfuscator.java
index 45f694272..5f3ac93e1 100644
---
a/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/AbstractPrivateKeyObfuscator.java
+++
b/sshd-common/src/main/java/org/apache/sshd/common/config/keys/loader/AbstractPrivateKeyObfuscator.java
@@ -23,7 +23,6 @@ import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
-import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Objects;
@@ -34,6 +33,7 @@ import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.sshd.common.digest.BuiltinDigests;
+import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.common.util.ValidateUtils;
import org.apache.sshd.common.util.buffer.BufferUtils;
@@ -59,7 +59,7 @@ public abstract class AbstractPrivateKeyObfuscator implements
PrivateKeyObfuscat
throws GeneralSecurityException {
int ivSize = resolveInitializationVectorLength(encContext);
byte[] initVector = new byte[ivSize];
- Random randomizer = new SecureRandom(); // TODO consider using some
pre-created singleton instance
+ Random randomizer = JceRandom.getGlobalInstance();
randomizer.nextBytes(initVector);
return initVector;
}
diff --git
a/sshd-common/src/main/java/org/apache/sshd/common/config/keys/writer/openssh/OpenSSHKeyPairResourceWriter.java
b/sshd-common/src/main/java/org/apache/sshd/common/config/keys/writer/openssh/OpenSSHKeyPairResourceWriter.java
index 8a9653add..9df264183 100644
---
a/sshd-common/src/main/java/org/apache/sshd/common/config/keys/writer/openssh/OpenSSHKeyPairResourceWriter.java
+++
b/sshd-common/src/main/java/org/apache/sshd/common/config/keys/writer/openssh/OpenSSHKeyPairResourceWriter.java
@@ -30,7 +30,6 @@ import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
-import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Objects;
@@ -51,6 +50,7 @@ import
org.apache.sshd.common.config.keys.loader.openssh.OpenSSHParserContext;
import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCrypt;
import org.apache.sshd.common.config.keys.loader.openssh.kdf.BCryptKdfOptions;
import org.apache.sshd.common.config.keys.writer.KeyPairResourceWriter;
+import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.random.JceRandomFactory;
import org.apache.sshd.common.random.Random;
import org.apache.sshd.common.util.GenericUtils;
@@ -148,7 +148,7 @@ public class OpenSSHKeyPairResourceWriter implements
KeyPairResourceWriter<OpenS
public static byte[] encodePrivateKey(KeyPair key, String keyType, int
blockSize, String comment)
throws IOException, GeneralSecurityException {
try (SecureByteArrayOutputStream out = new
SecureByteArrayOutputStream()) {
- int check = new SecureRandom().nextInt();
+ int check = JceRandom.getGlobalInstance().nextInt();
KeyEntryResolver.encodeInt(out, check);
KeyEntryResolver.encodeInt(out, check);
KeyEntryResolver.encodeString(out, keyType);
diff --git
a/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
b/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
index 4ef8c1f1f..f360b854e 100644
--- a/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
+++ b/sshd-common/src/main/java/org/apache/sshd/common/random/JceRandom.java
@@ -51,6 +51,20 @@ public class JceRandom extends AbstractRandom {
}
}
+ private static final class Cache {
+
+ static final SecureRandom INSTANCE = getRandom();
+
+ private Cache() {
+ // No instantiation
+ super();
+ }
+ }
+
+ public static SecureRandom getGlobalInstance() {
+ return Cache.INSTANCE;
+ }
+
@Override
public String getName() {
return NAME;
diff --git
a/sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java
b/sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java
index da721c682..e8e6597e3 100644
---
a/sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java
+++
b/sshd-core/src/main/java/org/apache/sshd/certificate/OpenSshCertificateBuilder.java
@@ -40,6 +40,7 @@ import org.apache.sshd.common.config.keys.OpenSshCertificate;
import org.apache.sshd.common.config.keys.OpenSshCertificate.Type;
import org.apache.sshd.common.config.keys.OpenSshCertificateImpl;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
+import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.signature.BuiltinSignatures;
import org.apache.sshd.common.signature.Signature;
import org.apache.sshd.common.signature.SignatureFactory;
@@ -241,7 +242,7 @@ public class OpenSshCertificateBuilder {
if (nonce != null) {
cert.setNonce(nonce);
} else {
- SecureRandom rand = new SecureRandom();
+ SecureRandom rand = JceRandom.getGlobalInstance();
byte[] tempNonce = new byte[32];
rand.nextBytes(tempNonce);
cert.setNonce(tempNonce);
diff --git a/sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java
b/sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java
index d423d882b..66ef88423 100644
--- a/sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java
+++ b/sshd-core/src/main/java/org/apache/sshd/common/kex/SNTRUP761.java
@@ -18,9 +18,9 @@
*/
package org.apache.sshd.common.kex;
-import java.security.SecureRandom;
import java.util.Arrays;
+import org.apache.sshd.common.random.JceRandom;
import org.apache.sshd.common.util.security.SecurityUtils;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.SecretWithEncapsulation;
@@ -64,7 +64,7 @@ final class SNTRUP761 {
@Override
public void init() {
SNTRUPrimeKeyPairGenerator gen = new SNTRUPrimeKeyPairGenerator();
- gen.init(new SNTRUPrimeKeyGenerationParameters(new SecureRandom(),
SNTRUPrimeParameters.sntrup761));
+ gen.init(new
SNTRUPrimeKeyGenerationParameters(JceRandom.getGlobalInstance(),
SNTRUPrimeParameters.sntrup761));
AsymmetricCipherKeyPair pair = gen.generateKeyPair();
extractor = new
SNTRUPrimeKEMExtractor((SNTRUPrimePrivateKeyParameters) pair.getPrivate());
publicKey = (SNTRUPrimePublicKeyParameters) pair.getPublic();
@@ -104,7 +104,7 @@ final class SNTRUP761 {
throw new IllegalArgumentException("KEM public key too short:
" + publicKey.length);
}
byte[] pk = Arrays.copyOf(publicKey, pkBytes);
- SNTRUPrimeKEMGenerator kemGenerator = new
SNTRUPrimeKEMGenerator(new SecureRandom());
+ SNTRUPrimeKEMGenerator kemGenerator = new
SNTRUPrimeKEMGenerator(JceRandom.getGlobalInstance());
SNTRUPrimePublicKeyParameters params = new
SNTRUPrimePublicKeyParameters(SNTRUPrimeParameters.sntrup761, pk);
value = kemGenerator.generateEncapsulated(params);
return Arrays.copyOfRange(publicKey, pkBytes, publicKey.length);
