Author: tilman
Date: Sat Dec 14 13:43:16 2019
New Revision: 1871511

URL: http://svn.apache.org/viewvc?rev=1871511&view=rev
Log:
PDFBOX-3017: use SecureRandom

Modified:
    
pdfbox/branches/issue4569/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java

Modified: 
pdfbox/branches/issue4569/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: 
http://svn.apache.org/viewvc/pdfbox/branches/issue4569/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1871511&r1=1871510&r2=1871511&view=diff
==============================================================================
--- 
pdfbox/branches/issue4569/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 (original)
+++ 
pdfbox/branches/issue4569/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 Sat Dec 14 13:43:16 2019
@@ -24,6 +24,7 @@ import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -84,6 +85,7 @@ public class OcspHelper
     private DEROctetString encodedNonce;
     private X509Certificate ocspResponderCertificate;
     private final JcaX509CertificateConverter certificateConverter = new 
JcaX509CertificateConverter();
+    private static Random rand = null;
 
     /**
      * @param checkCertificate Certificate to be OCSP-checked
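Review bot: The new field on the line `private static Random rand = null;` is typed as `Random`, so nothing at compile time stops a later change from assigning a plain `java.util.Random` to the nonce source again. Declaring it as `private static SecureRandom rand;` keeps the cryptographic requirement visible at the declaration. The field is also static, non-final and assigned lazily from an instance method in a later hunk without synchronization, so two threads can both observe null and each create an instance. That looks harmless for the nonce itself, but a short comment saying so (or a final, eagerly initialised field) would make the intent clear.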
@@ -559,10 +561,7 @@ public class OcspHelper
         Extension responseExtension = new 
Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response,
                 false, new 
DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded());
 
-        Random rand = new Random();
-        byte[] nonce = new byte[16];
-        rand.nextBytes(nonce);
-        encodedNonce = new DEROctetString(new DEROctetString(nonce));
+        encodedNonce = new DEROctetString(new 
DEROctetString(create16BytesNonce()));
         Extension nonceExtension = new 
Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                 encodedNonce);
 
@@ -573,6 +572,26 @@ public class OcspHelper
         return builder.build();
     }
 
+    private byte[] create16BytesNonce() throws IOException
+    {
+        if (rand == null)
+        {
+            try
+            {
+                // SecureRandom is preferred to Random
+                // late init because of NoSuchAlgorithmException
+                rand = SecureRandom.getInstanceStrong();
+            }
+            catch (NoSuchAlgorithmException ex)
+            {
+                throw new IOException(ex);
+            }
+        }
+        byte[] nonce = new byte[16];
+        rand.nextBytes(nonce);
+        return nonce;
+    }
+
     /**
      * Class to create SHA-1 Digest, used for creation of CertificateID.
      */
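Review bot: `SecureRandom.getInstanceStrong()` in create16BytesNonce() may select a blocking entropy source on some platforms (on Linux it is commonly backed by /dev/random), so the first OCSP request can stall on a host with little entropy available. For a 16-byte OCSP nonce the default `new SecureRandom()` is normally sufficient, and it does not throw NoSuchAlgorithmException, which removes the reason for the late initialisation and the try/catch. The field could become `private static final SecureRandom RAND = new SecureRandom();` with the method body reduced to `byte[] nonce = new byte[16]; RAND.nextBytes(nonce); return nonce;`. If the strong instance is kept deliberately, the comment should say why, and that the unsynchronized null check on the static field is accepted.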

