Posted to commits@activemq.apache.org by jb...@apache.org on 2022/07/20 20:41:03 UTC

[activemq-artemis] branch main updated: ARTEMIS-3899 improve salt calculation

This is an automated email from the ASF dual-hosted git repository.

jbertram pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/activemq-artemis.git


The following commit(s) were added to refs/heads/main by this push:
     new a49066e6b7 ARTEMIS-3899 improve salt calculation
a49066e6b7 is described below

commit a49066e6b75a0a996c5c4b7678fe5dc474ae0b97
Author: Justin Bertram <jb...@apache.org>
AuthorDate: Wed Jul 20 15:15:37 2022 -0500

    ARTEMIS-3899 improve salt calculation
    
    Update the salt calculation to more closely align with the
    "Randomness Recommendations for Security" at
    https://www.ietf.org/rfc/rfc1750.txt.
    
    This was inadvertently changed in
    5965a458945c98f61f1e1e3db418082b68e9df62.
---
 .../artemis/utils/DefaultSensitiveStringCodec.java         | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
index 6f07a7b80b..59e0ad820b 100644
--- a/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
+++ b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
@@ -23,6 +23,7 @@ import javax.crypto.spec.SecretKeySpec;
 
 import java.math.BigInteger;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Arrays;
 import java.util.Collections;
@@ -111,7 +112,7 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
       return algorithm.verify(inputValue, storedValue);
    }
 
-   private abstract class CodecAlgorithm {
+   private abstract static class CodecAlgorithm {
 
       protected Map<String, String> params;
 
@@ -202,7 +203,7 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
       }
    }
 
-   private class PBKDF2Algorithm extends CodecAlgorithm {
+   private static class PBKDF2Algorithm extends CodecAlgorithm {
       private static final String SEPARATOR = ":";
       private String sceretKeyAlgorithm = "PBKDF2WithHmacSHA1";
       private String randomScheme = "SHA1PRNG";
@@ -210,10 +211,14 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
       private int saltLength = 32;
       private int iterations = 1024;
       private SecretKeyFactory skf;
+      private static SecureRandom sr;
 
       PBKDF2Algorithm(Map<String, String> params) throws NoSuchAlgorithmException {
          super(params);
          skf = SecretKeyFactory.getInstance(sceretKeyAlgorithm);
+         if (sr == null) {
+            sr = SecureRandom.getInstance(randomScheme);
+         }
       }
 
       @Override
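Review bot: The lazy initialization of the static `sr` at lines 71-73 is unsynchronized: two PBKDF2Algorithm instances constructed concurrently can both observe `null` and each call `getInstance`, and because the field is neither `final` nor `volatile` a thread that skips the `if` has no guarantee of seeing the instance another thread published. Since the constructor already declares NoSuchAlgorithmException, the smallest fix that keeps the configurable `randomScheme` is to make the guard atomic and the field visible, e.g. declare `private static volatile SecureRandom sr;` and wrap the check as `synchronized (PBKDF2Algorithm.class) { if (sr == null) { sr = SecureRandom.getInstance(randomScheme); } }`; alternatively drop the laziness altogether with `private static final SecureRandom sr = new SecureRandom();`, which also avoids pinning the generator to the `SHA1PRNG` provider named on line 61. Note that `randomScheme` is an instance field while `sr` is static, so only the first instance's scheme ever reaches the generator; if params can override `randomScheme` (not visible in this diff) later instances would silently keep the first one. The PBKDF2Algorithm class body starts and ends outside this hunk.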
@@ -221,8 +226,9 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
          throw new IllegalArgumentException("Algorithm doesn't support decoding");
       }
 
-      public byte[] getSalt() throws NoSuchAlgorithmException {
-         byte[] salt = RandomUtil.randomBytes(this.saltLength);
+      public byte[] getSalt() {
+         byte[] salt = new byte[this.saltLength];
+         sr.nextBytes(salt);
          return salt;
       }