Author: tilman
Date: Sat Dec 14 13:43:24 2019
New Revision: 1871513

URL: http://svn.apache.org/viewvc?rev=1871513&view=rev
Log:
PDFBOX-3017: use SecureRandom

Modified:
    
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java

Modified: 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
URL: 
http://svn.apache.org/viewvc/pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java?rev=1871513&r1=1871512&r2=1871513&view=diff
==============================================================================
--- 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 (original)
+++ 
pdfbox/branches/2.0/examples/src/main/java/org/apache/pdfbox/examples/signature/cert/OcspHelper.java
 Sat Dec 14 13:43:24 2019
@@ -24,6 +24,7 @@ import java.net.HttpURLConnection;
 import java.net.URL;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.Security;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
@@ -85,6 +86,7 @@ public class OcspHelper
     private DEROctetString encodedNonce;
     private X509Certificate ocspResponderCertificate;
     private final JcaX509CertificateConverter certificateConverter = new 
JcaX509CertificateConverter();
+    private static final Random rand = new SecureRandom();
 
     /**
      * @param checkCertificate Certificate to be OCSP-checked
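Review bot: The added field is declared as `Random` although it holds a `SecureRandom`, so the type no longer shows that the nonce source must be a CSPRNG. A later edit could assign `new Random()` to it without any compile error. Declaring it `private static final SecureRandom RANDOM = new SecureRandom();` keeps that guarantee in the type and follows the naming convention for constants; the `rand.nextBytes(nonce)` call in the last hunk would need the same rename. Sharing one static instance is fine because `SecureRandom` is thread-safe.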
@@ -570,10 +572,7 @@ public class OcspHelper
         Extension responseExtension = new 
Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response,
                 false, new 
DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded());
 
-        Random rand = new Random();
-        byte[] nonce = new byte[16];
-        rand.nextBytes(nonce);
-        encodedNonce = new DEROctetString(new DEROctetString(nonce));
+        encodedNonce = new DEROctetString(new 
DEROctetString(create16BytesNonce()));
         Extension nonceExtension = new 
Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                 encodedNonce);
 
@@ -584,6 +583,14 @@ public class OcspHelper
         return builder.build();
     }
 
+    private byte[] create16BytesNonce()
+    {
+        // replace with SecureRandom.getInstanceStrong() on jdk8 and higher
+        byte[] nonce = new byte[16];
+        rand.nextBytes(nonce);
+        return nonce;
+    }
+
     /**
      * Class to create SHA-1 Digest, used for creation of CertificateID.
      */
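Review bot: The comment in `create16BytesNonce()` recommends moving to `SecureRandom.getInstanceStrong()`, which is a poor fit for this use. On Linux the strong instance commonly maps to a blocking entropy source and can stall signing, and the call throws a checked `NoSuchAlgorithmException` that this method would then have to handle. The default `SecureRandom` already yields an unpredictable 16-byte value, which is what the OCSP nonce extension needs. I would replace the comment with `// the nonce ties the OCSP response to this request (replay protection), so it must come from a CSPRNG`. Since the method reads no instance state, it could also be `private static`.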

