Hi Nicholas, Are you saying that if registering Bouncy Castle as a provider for the DRBG (well, you need to include it anyway for Apache MINA to use it), then the Bouncy Castle DRBG can be used, at least when JCE Secure Random is chosen? Would overriding "securerandom.strongAlgorithms" propery in java.security would make the trick?
However, the BC RandomFactory is used for the manager.getRandomFactory(), and I don't see a way to override this. Thanks, Alejandro On 12/14/2020 10:29 AM, Nicholas Williams wrote: > On a perhaps-related note, I would love to see a way to specify a random > factory either by setting a Java system property or implementing a method in > SecurityProviderRegistrar (or both). My organization implemented a > SecurityProviderRegistrar for Bouncy Castle FIPS, but MINA SSHD is still > using the JCE SecureRandom, because I can’t find a non-invasive** way to give > it a FIPSSecureRandom. > > What are the thoughts here on my submitting a patch that 1) adds something > like this to the SecurityProviderRegistrar interface: > > default RandomFactory getRandomFactory() { > return null; > } > > And then 2) updates SecurityUtils.getRandomFactory() to check a system > property org.apache.sshd.security.random_factory first, then check the > registrars? > > **We aren’t using MINA SSHD directly. We’re using it by way of its inclusion > in BitBucket Server for SSHD access to repositories. So we can’t control how > the SSHD code is used in order to e.g. call setRandomFactory. Our only areas > of control are Java system properties and our > BouncyCastleFIPSSecurityProviderRegistrar implementation. > > Nick > >> On Dec 14, 2020, at 7:00 AM, Alejandro Fabio Masino <amas...@atsec.com> >> wrote: >> >> Hi, >> >> I'm reviewing the source code of Apache MINA 2.0.21 and SSHD 2.5.1, in >> order to find out how Apache MINA uses Bouncy Castle for random numbers. >> >> As far as I could see, Apache MINA SSHD verifies whether the BC provider >> is registered, and if so, it uses the needed crypto algorithms. >> >> However, I don't see any reference to instantiate the DRBG. Instead, >> Apache Mina seems to initialize the randomFactory by using the >> VMPCRandomGenerator() method implemented in BC, instead of the DRBG >> implementations. >> >> Is there any way to override this setting from the calling application, >> that is, using one of the SP800-90A DRBG methods implemented in Bouncy >> Castle for SSH key exchange? >> >> Thanks, >> Alejandro >> >> -- >> Alejandro Masino >> atsec information security corporation >> http://www.atsec.com >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@mina.apache.org >> For additional commands, e-mail: users-h...@mina.apache.org >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@mina.apache.org > For additional commands, e-mail: users-h...@mina.apache.org > -- Alejandro Masino atsec information security corporation http://www.atsec.com --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@mina.apache.org For additional commands, e-mail: users-h...@mina.apache.org