Commit 3506c5da authored by Tobias Wich's avatar Tobias Wich
Browse files

Replace SecureRandom instances with singletons

TLS connections use a shared SecureRandom which is defined in ReusableSecureRandom.
parent ae8979d9
......@@ -10,6 +10,7 @@ target
.directory
.checkstyle
nb-configuration.xml
nbactions-*.xml
dependency-reduced-pom.xml
/.idea/
*.iml
......
......@@ -55,6 +55,7 @@ import org.openecard.common.util.Pair;
import org.openecard.common.util.TR03112Utils;
import org.openecard.crypto.tls.ClientCertDefaultTlsClient;
import org.openecard.crypto.tls.ClientCertTlsClient;
import org.openecard.crypto.tls.ReusableSecureRandom;
import org.openecard.crypto.tls.auth.DynamicAuthentication;
import org.openecard.transport.httpcore.HttpRequestHelper;
import org.openecard.transport.httpcore.HttpUtils;
......@@ -225,7 +226,8 @@ public class ResourceContext {
// connect tls client
tlsClient.setClientVersion(ProtocolVersion.TLSv12);
Socket socket = ProxySettings.getDefault().getSocket(hostname, port);
h = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
SecureRandom sr = ReusableSecureRandom.getInstance();
h = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), sr);
logger.debug("Performing TLS handshake.");
h.connect(tlsClient);
logger.debug("TLS handshake performed.");
......
......@@ -50,6 +50,7 @@ import org.openecard.crypto.tls.proxy.ProxySettings;
import static org.openecard.binding.tctoken.ex.ErrorTranslations.*;
import org.openecard.common.OpenecardProperties;
import org.openecard.common.util.UrlBuilder;
import org.openecard.crypto.tls.ReusableSecureRandom;
/**
......@@ -231,7 +232,8 @@ public class TlsConnectionHandler {
// TLS
InputStream sockIn = socket.getInputStream();
OutputStream sockOut = socket.getOutputStream();
TlsClientProtocol handler = new TlsClientProtocol(sockIn, sockOut, new SecureRandom());
SecureRandom sr = ReusableSecureRandom.getInstance();
TlsClientProtocol handler = new TlsClientProtocol(sockIn, sockOut, sr);
handler.connect(tlsClient);
return handler;
......
/****************************************************************************
* Copyright (C) 2012-2014 ecsec GmbH.
* Copyright (C) 2012-2015 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
......@@ -47,11 +47,27 @@ import org.slf4j.LoggerFactory;
/**
* Implements an abstract key for chip authentication.
*
* @author Moritz Horsch <horsch@cdc.informatik.tu-darmstadt.de>
* @author Moritz Horsch
*/
public final class CAKey {
private static final Logger logger = LoggerFactory.getLogger(CAKey.class);
private static final Logger logger;
private static final SecureRandom rand;
private static long counter;
static {
logger = LoggerFactory.getLogger(CAKey.class);
rand = new SecureRandom();
rand.setSeed(rand.generateSeed(32));
counter = 0;
}
private static void reseed() {
counter++;
rand.setSeed(counter);
rand.setSeed(System.nanoTime());
}
private AsymmetricKeyParameter sk;
private AsymmetricKeyParameter pk;
private final CADomainParameter cdp;
......@@ -105,10 +121,11 @@ public final class CAKey {
* Generate a key pair.
*/
public void generateKeyPair() {
reseed();
if (cdp.isDH()) {
ElGamalParameterSpec p = (ElGamalParameterSpec) cdp.getParameter();
int numBits = p.getG().bitLength();
BigInteger d = new BigInteger(numBits, new SecureRandom());
BigInteger d = new BigInteger(numBits, rand);
ElGamalParameters egp = new ElGamalParameters(p.getP(), p.getG());
sk = new ElGamalPrivateKeyParameters(d, egp);
......@@ -117,7 +134,7 @@ public final class CAKey {
} else if (cdp.isECDH()) {
ECParameterSpec p = (ECParameterSpec) cdp.getParameter();
int numBits = p.getN().bitLength();
BigInteger d = new BigInteger(numBits, new SecureRandom());
BigInteger d = new BigInteger(numBits, rand);
ECDomainParameters ecp = new ECDomainParameters(p.getCurve(), p.getG(), p.getN(), p.getH());
sk = new ECPrivateKeyParameters(d, ecp);
......
/****************************************************************************
* Copyright (C) 2012 ecsec GmbH.
* Copyright (C) 2012-2015 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
......@@ -56,8 +56,8 @@ import org.slf4j.LoggerFactory;
/**
*
* @author Moritz Horsch <horsch@cdc.informatik.tu-darmstadt.de>
* @author Johannes Schmölz <johannes.schmoelz@ecsec.de>
* @author Moritz Horsch
* @author Johannes Schmölz
*/
public final class RichClient {
......
/****************************************************************************
* Copyright (C) 2012 ecsec GmbH.
* Copyright (C) 2012-2015 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
......@@ -29,10 +29,25 @@ import java.util.UUID;
/**
* Implements convenience methods to generates random values.
*
* @author Tobias Wich <tobias.wich@ecsec.de>
* @author Tobias Wich
*/
public class ValueGenerators {
private static final SecureRandom rand;
private static long counter;
static {
rand = new SecureRandom();
rand.setSeed(rand.generateSeed(32));
counter = 0;
}
private static void reseed() {
counter++;
rand.setSeed(counter);
rand.setSeed(System.nanoTime());
}
/**
* Generates a new pre-shared key (PSK).
*
......@@ -138,7 +153,8 @@ public class ValueGenerators {
/**
* Generates a secure random value.
* Using 'java.security.SecureRandom'.
* Using 'java.security.SecureRandom'. The random instance is reseeded with a counter and the current system time in
* order to provide better random numbers.
*
* @param nibbleLength Length of the random in nibbles
* @return Secure random value
......@@ -150,8 +166,8 @@ public class ValueGenerators {
nibbleLength = (nibbleLength / 2 + nibbleLength % 2);
SecureRandom rand = new SecureRandom();
byte[] randomBytes = new byte[nibbleLength];
reseed();
rand.nextBytes(randomBytes);
return randomBytes;
......
/****************************************************************************
* Copyright (C) 2015 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
* This file is part of the Open eCard App.
*
* GNU General Public License Usage
* This file may be used under the terms of the GNU General Public
* License version 3.0 as published by the Free Software Foundation
* and appearing in the file LICENSE.GPL included in the packaging of
* this file. Please review the following information to ensure the
* GNU General Public License version 3.0 requirements will be met:
* http://www.gnu.org/copyleft/gpl.html.
*
* Other Usage
* Alternatively, this file may be used in accordance with the terms
* and conditions contained in a signed written agreement between
* you and ecsec GmbH.
*
***************************************************************************/
package org.openecard.crypto.tls;
import java.security.SecureRandom;
/**
* SecureRandom singleton.
*
* @author Tobias Wich
*/
public class ReusableSecureRandom extends SecureRandom {
private static final ReusableSecureRandom instance;
static {
instance = new ReusableSecureRandom();
}
private ReusableSecureRandom() {
setSeed(this.generateSeed(32));
}
/**
* Gets a singleton instance of the systems default SecureRandom.
* The instance is properly seeded and ready to use.
*
* @return Seeded {@link SecureRandom} instance.
*/
public static SecureRandom getInstance() {
return instance;
}
}
......@@ -40,6 +40,7 @@ import org.openecard.bouncycastle.crypto.tls.TlsClientProtocol;
import org.openecard.bouncycastle.util.encoders.Base64;
import org.openecard.crypto.tls.CertificateVerifier;
import org.openecard.crypto.tls.ClientCertDefaultTlsClient;
import org.openecard.crypto.tls.ReusableSecureRandom;
import org.openecard.crypto.tls.SocketWrapper;
import org.openecard.crypto.tls.auth.CertificateVerifierBuilder;
import org.openecard.crypto.tls.auth.DynamicAuthentication;
......@@ -140,8 +141,8 @@ public final class HttpConnectProxy extends Proxy {
}
}
tlsClient.setAuthentication(tlsAuth);
SecureRandom rand = new SecureRandom();
TlsClientProtocol proto = new TlsClientProtocol(sock.getInputStream(), sock.getOutputStream(), rand);
SecureRandom sr = ReusableSecureRandom.getInstance();
TlsClientProtocol proto = new TlsClientProtocol(sock.getInputStream(), sock.getOutputStream(), sr);
proto.connect(tlsClient);
// wrap socket
Socket tlsSock = new SocketWrapper(sock, proto.getInputStream(), proto.getOutputStream());
......
......@@ -26,6 +26,7 @@ import java.io.IOException;
import java.net.Socket;
import java.security.SecureRandom;
import org.openecard.bouncycastle.crypto.tls.TlsClientProtocol;
import org.openecard.crypto.tls.ReusableSecureRandom;
import org.testng.SkipException;
import org.testng.annotations.Test;
import static org.testng.Assert.*;
......@@ -51,7 +52,8 @@ public class JavaSecVerifierTest {
assertFalse(socket.isClosed());
// connect client
c = new DefaultTlsClientImpl(hostName);
handler = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
SecureRandom sr = ReusableSecureRandom.getInstance();
handler = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), sr);
} catch (Exception ex) {
throw new SkipException("Unable to create TLS client.");
}
......@@ -74,7 +76,8 @@ public class JavaSecVerifierTest {
assertFalse(socket.isClosed());
// connect client
c = new DefaultTlsClientImpl(hostName);
handler = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
SecureRandom sr = ReusableSecureRandom.getInstance();
handler = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), sr);
} catch (Exception ex) {
throw new SkipException("Unable to create TLS client.");
}
......
/****************************************************************************
* Copyright (C) 2012 ecsec GmbH.
* Copyright (C) 2012-2015 ecsec GmbH.
* All rights reserved.
* Contact: ecsec GmbH (info@ecsec.de)
*
......@@ -22,7 +22,6 @@
package org.openecard.ifd.scio.wrapper;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ConcurrentSkipListMap;
......@@ -31,6 +30,7 @@ import javax.smartcardio.CardException;
import javax.smartcardio.CardTerminal;
import javax.smartcardio.CardTerminals;
import org.openecard.common.ECardConstants;
import org.openecard.common.util.ValueGenerators;
import org.openecard.ifd.scio.IFDException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -45,20 +45,16 @@ public class SCWrapper {
private static final Logger _logger = LoggerFactory.getLogger(SCWrapper.class);
private final CardTerminals terminals;
private final SecureRandom secureRandom;
private final ConcurrentSkipListMap<String,SCTerminal> scTerminals;
public SCWrapper() throws IFDException {
terminals = new DeadAndAliveTerminals();
secureRandom = new SecureRandom();
scTerminals = new ConcurrentSkipListMap<String, SCTerminal>();
scTerminals = new ConcurrentSkipListMap<>();
}
public byte[] createHandle(int size) {
byte[] handle = new byte[size];
secureRandom.nextBytes(handle);
return handle;
return ValueGenerators.generateRandom(size * 2);
}
......@@ -149,7 +145,7 @@ public class SCWrapper {
if (update) {
updateTerminals();
}
ArrayList<SCTerminal> list = new ArrayList<SCTerminal>(scTerminals.values());
ArrayList<SCTerminal> list = new ArrayList<>(scTerminals.values());
return list;
}
......@@ -167,19 +163,19 @@ public class SCWrapper {
if (update) {
updateTerminals();
}
ArrayList<String> list = new ArrayList<String>(scTerminals.keySet());
ArrayList<String> list = new ArrayList<>(scTerminals.keySet());
return list;
}
public synchronized void updateTerminals() {
ConcurrentSkipListSet<String> deleted = new ConcurrentSkipListSet<String>(scTerminals.keySet());
ConcurrentSkipListSet<String> deleted = new ConcurrentSkipListSet<>(scTerminals.keySet());
// get list and check all entries
List<CardTerminal> ts;
try {
ts = terminals.list();
} catch (CardException ex) {
ts = new ArrayList<CardTerminal>(0); // empty list because list call can fail with exception on some systems
ts = new ArrayList<>(0); // empty list because list call can fail with exception on some systems
}
for (CardTerminal t : ts) {
if (scTerminals.containsKey(t.getName())) {
......
......@@ -39,18 +39,32 @@ import org.openecard.bouncycastle.math.ec.ECPoint;
import org.openecard.common.tlv.TLV;
import org.openecard.common.util.ByteUtils;
import org.openecard.crypto.common.asn1.eac.PACEDomainParameter;
import org.openecard.ifd.protocol.pace.PACEImplementation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
*
* @author Moritz Horsch <horsch@cdc.informatik.tu-darmstadt.de>
* @author Moritz Horsch
*/
public final class PACEKey {
private static final Logger logger = LoggerFactory.getLogger(PACEImplementation.class);
private static final Logger logger;
private static final SecureRandom rand;
private static long counter;
static {
logger = LoggerFactory.getLogger(PACEKey.class);
rand = new SecureRandom();
rand.setSeed(rand.generateSeed(32));
counter = 0;
}
private static void reseed() {
counter++;
rand.setSeed(counter);
rand.setSeed(System.nanoTime());
}
private AsymmetricKeyParameter sk;
private AsymmetricKeyParameter pk;
......@@ -103,10 +117,11 @@ public final class PACEKey {
* Generate a key pair.
*/
public void generateKeyPair() {
reseed();
if (pdp.isDH()) {
ElGamalParameterSpec p = (ElGamalParameterSpec) pdp.getParameter();
int numBits = p.getG().bitLength();
BigInteger d = new BigInteger(numBits, new SecureRandom());
BigInteger d = new BigInteger(numBits, rand);
ElGamalParameters egp = new ElGamalParameters(p.getP(), p.getG());
sk = new ElGamalPrivateKeyParameters(d, egp);
......@@ -115,7 +130,7 @@ public final class PACEKey {
} else if (pdp.isECDH()) {
ECParameterSpec p = (ECParameterSpec) pdp.getParameter();
int numBits = p.getN().bitLength();
BigInteger d = new BigInteger(numBits, new SecureRandom());
BigInteger d = new BigInteger(numBits, rand);
ECDomainParameters ecp = new ECDomainParameters(p.getCurve(), p.getG(), p.getN(), p.getH());
sk = new ECPrivateKeyParameters(d, ecp);
......
......@@ -46,7 +46,7 @@ import org.testng.annotations.BeforeClass;
/**
*
* @author Tobias Wich <tobias.wich@ecsec.de>
* @author Tobias Wich
*/
@Test(groups = "it")
public class StreamHttpClientConnectionTest {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment