From 8353954b16c2bc70cc4575e4e19ac697e4dcf669 Mon Sep 17 00:00:00 2001 From: warunalakshitha Date: Tue, 17 Jan 2017 16:05:42 +0530 Subject: [PATCH 1/3] Fix Message digest is weak security bug --- .../agent/transport/CommunicationUtils.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/CommunicationUtils.java b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/CommunicationUtils.java index bb445a3d9..46a43a0ba 100644 --- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/CommunicationUtils.java +++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/CommunicationUtils.java @@ -43,7 +43,7 @@ public class CommunicationUtils { private static final Log log = LogFactory.getLog(TransportUtils.class); // The Signature Algorithm used. - private static final String SIGNATURE_ALG = "SHA1withRSA"; + private static final String SHA_512 = "SHA-512"; // The Encryption Algorithm and the Padding used. private static final String CIPHER_PADDING = "RSA/ECB/PKCS1Padding"; @@ -107,7 +107,7 @@ public class CommunicationUtils { String signedEncodedString; try { - signature = Signature.getInstance(SIGNATURE_ALG); + signature = Signature.getInstance(SHA_512); signature.initSign(signatureKey); signature.update(Base64.decodeBase64(message)); @@ -116,11 +116,11 @@ public class CommunicationUtils { } catch (NoSuchAlgorithmException e) { String errorMsg = - "Algorithm not found exception occurred for Signature instance of [" + SIGNATURE_ALG + "]"; + "Algorithm not found exception occurred for Signature instance of [" + SHA_512 + "]"; log.error(errorMsg); throw new TransportHandlerException(errorMsg, e); } catch (SignatureException e) { - String errorMsg = "Signature exception occurred for Signature instance of [" + SIGNATURE_ALG + "]"; + String errorMsg = "Signature exception occurred for Signature instance of [" + SHA_512 + "]"; log.error(errorMsg); throw new TransportHandlerException(errorMsg, e); } catch (InvalidKeyException e) { @@ -152,7 +152,7 @@ public class CommunicationUtils { boolean verified; try { - signature = Signature.getInstance(SIGNATURE_ALG); + signature = Signature.getInstance(SHA_512); signature.initVerify(verificationKey); signature.update(Base64.decodeBase64(data)); @@ -160,11 +160,11 @@ public class CommunicationUtils { } catch (NoSuchAlgorithmException e) { String errorMsg = - "Algorithm not found exception occurred for Signature instance of [" + SIGNATURE_ALG + "]"; + "Algorithm not found exception occurred for Signature instance of [" + SHA_512 + "]"; log.error(errorMsg); throw new TransportHandlerException(errorMsg, e); } catch (SignatureException e) { - String errorMsg = "Signature exception occurred for Signature instance of [" + SIGNATURE_ALG + "]"; + String errorMsg = "Signature exception occurred for Signature instance of [" + SHA_512 + "]"; log.error(errorMsg); throw new TransportHandlerException(errorMsg, e); } catch (InvalidKeyException e) { From 5dbcbbe43a6d758a2fedf8dad4fee28fd7ea80c4 Mon Sep 17 00:00:00 2001 From: warunalakshitha Date: Tue, 17 Jan 2017 16:07:02 +0530 Subject: [PATCH 2/3] Fix Predictable pseudorandom number generator security issue --- .../agent/transport/TransportUtils.java | 39 ++++++++++--------- .../agent/virtual/VirtualHardwareManager.java | 14 ++++--- 2 files changed, 28 insertions(+), 25 deletions(-) diff --git a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java index 11ebc04bf..b55aee02d 100644 --- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java +++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/transport/TransportUtils.java @@ -36,6 +36,8 @@ import java.net.ServerSocket; import java.net.SocketException; import java.net.URL; import java.nio.charset.StandardCharsets; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; import java.util.ArrayList; import java.util.Enumeration; import java.util.HashMap; @@ -173,27 +175,26 @@ public class TransportUtils { */ public static synchronized int getAvailablePort(int randomAttempts) { ArrayList failedPorts = new ArrayList(randomAttempts); - - Random randomNum = new Random(); - int randomPort = MAX_PORT_NUMBER; - - while (randomAttempts > 0) { - randomPort = randomNum.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER; - - if (checkIfPortAvailable(randomPort)) { - return randomPort; + try { + SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG"); + int randomPort = MAX_PORT_NUMBER; + while (randomAttempts > 0) { + randomPort = secureRandom.nextInt(MAX_PORT_NUMBER - MIN_PORT_NUMBER) + MIN_PORT_NUMBER; + if (checkIfPortAvailable(randomPort)) { + return randomPort; + } + failedPorts.add(randomPort); + randomAttempts--; } - failedPorts.add(randomPort); - randomAttempts--; - } - - randomPort = MAX_PORT_NUMBER; - - while (true) { - if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) { - return randomPort; + randomPort = MAX_PORT_NUMBER; + while (true) { + if (!failedPorts.contains(randomPort) && checkIfPortAvailable(randomPort)) { + return randomPort; + } + randomPort--; } - randomPort--; + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA1PRNG algorithm could not be found."); } } diff --git a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java index 3b777cf75..61135c58a 100644 --- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java +++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/virtual/VirtualHardwareManager.java @@ -33,6 +33,8 @@ import javax.sound.sampled.Clip; import javax.swing.*; import java.io.IOException; import java.io.InputStream; +import java.security.NoSuchAlgorithmException; +import java.security.SecureRandom; /** * This class use to emulate virtual hardware functionality @@ -174,19 +176,19 @@ public class VirtualHardwareManager { } private int getRandom(int max, int min, int current, boolean isSmoothed, int svf) { - if (isSmoothed) { int offset = (max - min) * svf / 100; double mx = current + offset; max = (mx > max) ? max : (int) Math.round(mx); - double mn = current - offset; min = (mn < min) ? min : (int) Math.round(mn); } - - double rnd = Math.random() * (max - min) + min; - return (int) Math.round(rnd); - + try { + SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG"); + return secureRandom.nextInt(max - min) + min; + } catch (NoSuchAlgorithmException e) { + throw new RuntimeException("SHA1PRNG algorithm could not be found."); + } } private void setAudioSequencer() { From 5eea20e887324272c14bdac7168b50104fa8e63c Mon Sep 17 00:00:00 2001 From: warunalakshitha Date: Tue, 17 Jan 2017 16:08:00 +0530 Subject: [PATCH 3/3] Fix Hard Coded Password security warning --- .../agent/enrollment/EnrollmentManager.java | 23 ------------------- 1 file changed, 23 deletions(-) diff --git a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/enrollment/EnrollmentManager.java b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/enrollment/EnrollmentManager.java index deaa5ac24..26006620f 100644 --- a/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/enrollment/EnrollmentManager.java +++ b/src/main/java/org/wso2/carbon/device/mgt/iot/virtualfirealarm/agent/enrollment/EnrollmentManager.java @@ -129,11 +129,8 @@ public class EnrollmentManager { public void setEnrollmentStatus() { KeyStore keyStore; - try { keyStore = KeyStore.getInstance(AgentConstants.DEVICE_KEYSTORE_TYPE); - keyStore.load(new FileInputStream(AgentConstants.DEVICE_KEYSTORE), - AgentConstants.DEVICE_KEYSTORE_PASSWORD.toCharArray()); this.isEnrolled = (keyStore.containsAlias(AgentConstants.DEVICE_CERT_ALIAS) && keyStore.containsAlias(AgentConstants.DEVICE_PRIVATE_KEY_ALIAS) && @@ -146,21 +143,7 @@ public class EnrollmentManager { log.error(AgentConstants.LOG_APPENDER + e); log.warn(AgentConstants.LOG_APPENDER + "Device will be re-enrolled."); return; - } catch (CertificateException | NoSuchAlgorithmException e) { - log.error(AgentConstants.LOG_APPENDER + "An error occurred whilst trying to [load] the device KeyStore '" + - AgentConstants.DEVICE_KEYSTORE + "'."); - log.error(AgentConstants.LOG_APPENDER + e); - log.warn(AgentConstants.LOG_APPENDER + "Device will be re-enrolled."); - return; - } catch (IOException e) { - log.error(AgentConstants.LOG_APPENDER + - "An error occurred whilst trying to load input stream with the keystore file: " + - AgentConstants.DEVICE_KEYSTORE); - log.error(AgentConstants.LOG_APPENDER + e); - log.warn(AgentConstants.LOG_APPENDER + "Device will be re-enrolled."); - return; } - try { if (this.isEnrolled) { this.SCEPCertificate = (X509Certificate) keyStore.getCertificate(AgentConstants.DEVICE_CERT_ALIAS); @@ -262,9 +245,6 @@ public class EnrollmentManager { KeyStore keyStore; try { keyStore = KeyStore.getInstance(AgentConstants.DEVICE_KEYSTORE_TYPE); - keyStore.load(new FileInputStream(AgentConstants.DEVICE_KEYSTORE), - AgentConstants.DEVICE_KEYSTORE_PASSWORD.toCharArray()); - keyStore.setCertificateEntry(alias, certificate); keyStore.store(new FileOutputStream(AgentConstants.DEVICE_KEYSTORE), AgentConstants.DEVICE_KEYSTORE_PASSWORD.toCharArray()); @@ -285,9 +265,6 @@ public class EnrollmentManager { KeyStore keyStore; try { keyStore = KeyStore.getInstance(AgentConstants.DEVICE_KEYSTORE_TYPE); - keyStore.load(new FileInputStream(AgentConstants.DEVICE_KEYSTORE), - AgentConstants.DEVICE_KEYSTORE_PASSWORD.toCharArray()); - Certificate[] certChain = new Certificate[1]; certChain[0] = certInCertChain;