GUACAMOLE-210: Use cryptographically-sound nonce generator.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/9159ca42 Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/9159ca42 Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/9159ca42 Branch: refs/heads/master Commit: 9159ca4289cc1a13d78afdea17067c64b7ea27d8 Parents: d27ba44 Author: Michael Jumper <[email protected]> Authored: Mon Jun 13 00:01:08 2016 -0700 Committer: Michael Jumper <[email protected]> Committed: Mon Sep 25 13:06:43 2017 -0700 ---------------------------------------------------------------------- .../auth/oauth/form/OAuthTokenField.java | 22 ++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/9159ca42/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java ----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java
index 84484e5..5d6599f 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/oauth/form/OAuthTokenField.java
@@ -20,8 +20,9 @@
 package org.apache.guacamole.auth.oauth.form;
 import java.io.UnsupportedEncodingException;
+import java.math.BigInteger;
 import java.net.URLEncoder;
-import java.util.UUID;
+import java.security.SecureRandom;
 import org.apache.guacamole.form.Field;
 /**
@@ -43,6 +44,23 @@ public class OAuthTokenField extends Field {
 private final String authorizationURI;
 /**
+ * Cryptographically-secure random number generator for generating the
+ * required nonce.
+ */
+ private static final SecureRandom random = new SecureRandom();
+
+ /**
+ * Generates a cryptographically-secure nonce value. The nonce is intended
+ * to be used to prevent replay attacks.
+ *
+ * @return
+ * A cryptographically-secure nonce value.
+ */
+ private static String generateNonce() {
+ return new BigInteger(130, random).toString(32);
+ }
+
+ /**
 * Creates a new OAuth "id_token" field which links to the given OAuth
 * service using the provided client ID. Successful authentication at the
 * OAuth service will result in the client being redirected to the specified
@@ -76,7 +94,7 @@ public class OAuthTokenField extends Field {
 + "&response_type=id_token"
 + "&client_id=" + URLEncoder.encode(clientID, "UTF-8")
 + "&redirect_uri=" + URLEncoder.encode(redirectURI, "UTF-8")
- + "&nonce=" + UUID.randomUUID().toString();
+ + "&nonce=" + generateNonce();
 }
 // Java is required to provide UTF-8 support
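Review bot: The value returned by `generateNonce()` is only ever placed into the authorization URI (`"&nonce=" + generateNonce()` in the last hunk); nothing in this diff retains it so that the `nonce` claim of the id_token that comes back can be compared against it, and without that comparison the nonce gives no replay protection, contrary to what the new Javadoc promises. If that check exists elsewhere in the extension the Javadoc should name it; otherwise the generated value needs to be recorded (per session, or in a bounded time-limited store) and the token rejected when its nonce claim is missing, unknown or already consumed, with the Javadoc stating that this method alone does not enforce single use. A smaller point: `new BigInteger(130, random).toString(32)` produces a variable-length string because leading zero bits are dropped, which is harmless for security but worth a comment such as `// 130 random bits, base-32 encoded; length varies with leading zeros`, and the bit count deserves a named constant rather than a magic number. The class body and the constructor edited in the last hunk both extend beyond the hunk, so any storage added for the nonce would have to be placed outside what is shown here.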
