From a49066e6b75a0a996c5c4b7678fe5dc474ae0b97 Mon Sep 17 00:00:00 2001
From: Justin Bertram
Date: Wed, 20 Jul 2022 15:15:37 -0500
Subject: [PATCH] ARTEMIS-3899 improve salt calculation

Update the salt calculation to more closely align with the "Randomness Recommendations for Security" at https://www.ietf.org/rfc/rfc1750.txt. This was inadvertently changed in 5965a458945c98f61f1e1e3db418082b68e9df62.
---
 .../artemis/utils/DefaultSensitiveStringCodec.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
index 6f07a7b80b..59e0ad820b 100644
--- a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
+++ b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
@@ -23,6 +23,7 @@ import javax.crypto.spec.SecretKeySpec;
 
 import java.math.BigInteger;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -111,7 +112,7 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec {
 return algorithm.verify(inputValue, storedValue);
 }
 
- private abstract class CodecAlgorithm {
+ private abstract static class CodecAlgorithm {
 
 protected Map params;
 
@@ -202,7 +203,7 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec {
 }
 }
 
- private class PBKDF2Algorithm extends CodecAlgorithm {
+ private static class PBKDF2Algorithm extends CodecAlgorithm {
 private static final String SEPARATOR = ":";
 private String sceretKeyAlgorithm = "PBKDF2WithHmacSHA1";
 private String randomScheme = "SHA1PRNG";
@@ -210,10 +211,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec {
 private int saltLength = 32;
 private int iterations = 1024;
 private SecretKeyFactory skf;
+ private static SecureRandom sr;
 
 PBKDF2Algorithm(Map params) throws NoSuchAlgorithmException {
 super(params);
 skf = SecretKeyFactory.getInstance(sceretKeyAlgorithm);
+ if (sr == null) {
+ sr = SecureRandom.getInstance(randomScheme);
+ }
 }
 
 @Override
@@ -221,8 +226,9 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec {
 throw new IllegalArgumentException("Algorithm doesn't support decoding");
 }
 
- public byte[] getSalt() throws NoSuchAlgorithmException {
- byte[] salt = RandomUtil.randomBytes(this.saltLength);
+ public byte[] getSalt() {
+ byte[] salt = new byte[this.saltLength];
+ sr.nextBytes(salt);
 return salt;
 }
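Review bot: `sr` is a non-volatile static that the PBKDF2Algorithm constructor populates through an unsynchronized `if (sr == null)` check, and it is keyed to the per-instance `randomScheme` field, so whichever instance is constructed first silently decides the algorithm for all later ones and concurrent constructors can each build their own generator (harmless for a thread-safe `SecureRandom`, but a confusing shape). Unless constructing PBKDF2Algorithm is on a hot path, which is not visible here, the simpler form is a per-instance `private final SecureRandom sr;` assigned unconditionally as `sr = SecureRandom.getInstance(randomScheme);` in the constructor, which already declares `throws NoSuchAlgorithmException`; `getSalt()` in the following hunk reads the same field and needs no change. Whatever the scope, the field deserves a comment such as `// self-seeds from the platform entropy source on first nextBytes(); never call setSeed() before that, it would make SHA1PRNG output deterministic`, since that property is what the commit message relies on. `getSalt()` could also carry a Javadoc stating that it returns `saltLength` fresh random bytes and that a new salt is drawn on every call.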