From 796a81311c4bcb74de9c2c6a6b7fe796c149ba34 Mon Sep 17 00:00:00 2001
From: Timo Briddigkeit
Date: Wed, 13 Jul 2016 14:35:55 +0200
Subject: [PATCH] Fixed predictable pseudorandom number generator

---
 .../service/impl/UserManagementServiceImpl.java | 3 ++-
 .../client/extension/util/JWTClientUtil.java | 17 ++++------------
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/UserManagementServiceImpl.java b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/UserManagementServiceImpl.java
index 0e8d90ffc01..ffad2e8d81a 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/UserManagementServiceImpl.java
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/impl/UserManagementServiceImpl.java
@@ -37,6 +37,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.net.URI;
 import java.net.URISyntaxException;
+import java.security.SecureRandom;
 import java.util.*;
 
 @Path("/users")
@@ -395,7 +396,7 @@ public class UserManagementServiceImpl implements UserManagementService {
 String lowerCaseCharset = "abcdefghijklmnopqrstuvwxyz";
 String upperCaseCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 String numericCharset = "0123456789";
- Random randomGenerator = new Random();
+ SecureRandom randomGenerator = new SecureRandom();
 String totalCharset = lowerCaseCharset + upperCaseCharset + numericCharset;
 int totalCharsetLength = totalCharset.length();
 StringBuilder initialUserPassword = new StringBuilder();
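Review bot: The `SecureRandom` swap on the `randomGenerator` line in the second hunk fixes the generator, but nothing in the code records why a CSPRNG is required here, and a later maintainer could revert to `java.util.Random` as a harmless-looking simplification. A one-line comment above the declaration would pin the intent: `// Initial credential: must come from a CSPRNG; java.util.Random output is predictable from a few observed values`. The character-selection loop that consumes `randomGenerator` and `totalCharsetLength` lies outside the hunk, so whether each index is drawn with the bounded `nextInt(totalCharsetLength)` cannot be confirmed from here. The enclosing method starts before and ends after this hunk.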
diff --git a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
index dea0b0754cf..2786b7a00db 100644
--- a/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
+++ b/components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java
@@ -36,11 +36,11 @@ import org.apache.http.util.EntityUtils;
 import org.wso2.carbon.base.MultitenantConstants;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.core.util.KeyStoreManager;
-import org.wso2.carbon.identity.jwt.client.extension.service.JWTClientManagerService;
 import org.wso2.carbon.identity.jwt.client.extension.dto.JWTConfig;
 import org.wso2.carbon.identity.jwt.client.extension.exception.JWTClientConfigurationException;
 import org.wso2.carbon.identity.jwt.client.extension.exception.JWTClientException;
 import org.wso2.carbon.identity.jwt.client.extension.internal.JWTClientExtensionDataHolder;
+import org.wso2.carbon.identity.jwt.client.extension.service.JWTClientManagerService;
 import org.wso2.carbon.registry.core.Registry;
 import org.wso2.carbon.registry.core.Resource;
 import org.wso2.carbon.registry.core.exceptions.RegistryException;
@@ -48,24 +48,15 @@ import org.wso2.carbon.registry.core.service.RegistryService;
 import org.wso2.carbon.registry.core.service.TenantRegistryLoader;
 import org.wso2.carbon.utils.CarbonUtils;
 
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
+import java.io.*;
 import java.net.URI;
 import java.net.URL;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
+import java.security.*;
 import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.Date;
 import java.util.List;
 import java.util.Properties;
-import java.util.Random;
 
 /**
  * This is the utility class that is used for JWT Client.
@@ -210,7 +201,7 @@ public class JWTClientUtil {
 long nbf = currentTimeMillis + jwtConfig.getValidityPeriodFromCurrentTime() * 60 * 1000;
 String jti = jwtConfig.getJti();
 if (jti == null) {
- String defaultTokenId = currentTimeMillis + "" + new Random().nextInt();
+ String defaultTokenId = currentTimeMillis + "" + new SecureRandom().nextInt();
 jti = defaultTokenId;
 }
 List aud = jwtConfig.getAudiences();
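Review bot: The import hunk at `@@ -48,24 +48,15 @@` replaces ten explicit `java.io` and `java.security` imports with `import java.io.*;` and `import java.security.*;`, which is unrelated to the stated fix and hides which types the class actually depends on, making the change harder to audit. Keeping the explicit list and adding the single new line `import java.security.SecureRandom;` would scope the hunk to its purpose and match the first file in this patch, which adds only that import. Dropping `import java.util.Random;` is right, since its last use is replaced in the following hunk.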
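Review bot: The new `defaultTokenId` on the `+` line still builds the JWT ID from the millisecond timestamp plus a single `nextInt()`, so the unpredictable part is only 32 bits and the value can carry a leading minus sign for negative results, yielding an odd-looking `jti`. Since `jti` is the claim relying parties use to detect replayed tokens, a full 128-bit identifier is the usual choice: `jti = UUID.randomUUID().toString();` (backed by `SecureRandom` internally, with `java.util.UUID` imported), which also removes the need for the `defaultTokenId` local. Constructing `new SecureRandom()` for every token is avoidable as well; if the concatenation is kept, hold one instance in a `private static final SecureRandom` field. The enclosing method starts before and ends after this hunk.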