search

ebics-java / ebics-java-client

Java open source EBICS client - Support for French, German and Swiss banks
GNU Lesser General Public License v2.1
36 stars 35 forks source link

use different values for nonce and transaction key #31

Closed uwemaurer closed 2 years ago

uwemaurer commented 2 years ago

fixes #30

uwemaurer commented 2 years ago

Thanks. I will make this change

Am Fr., 8. Apr. 2022 um 14:40 Uhr schrieb lme-nca @.***

:

@.**** requested changes on this pull request.

In src/main/java/org/kopi/ebics/utils/Utils.java https://github.com/ebics-java/ebics-java-client/pull/31#discussion_r846065053 :

  • try {
  • secureRandom = SecureRandom.getInstance("SHA1PRNG");
  • return secureRandom.generateSeed(16);
  • } catch (NoSuchAlgorithmException e) {
  • throw new EbicsException(e.getMessage());
  • }
  • public static byte[] generateKey() {
  • return secureRandom.generateSeed(16);

Actually generateSeed is not the right call to use (i did not even see this the first time), you should be using "nextBytes" or "next" for generating cryptographically secure secure numbers. "generateseed" is used to generate a seed value to be used to seed another random generator. While underwater it should also use a cryptographically strong source of random this is not the intended use-case and these requirements are not guaranteed.

In src/main/java/org/kopi/ebics/utils/Utils.java https://github.com/ebics-java/ebics-java-client/pull/31#discussion_r846066176 :

*/
  • public static byte[] generateNonce() throws EbicsException {
  • SecureRandom secureRandom;
  • public static byte[] generateNonce() {
  • return secureRandom.generateSeed(16);

so also here use "nextBytes"

In src/main/java/org/kopi/ebics/certificate/KeyUtil.java https://github.com/ebics-java/ebics-java-client/pull/31#discussion_r846068674 :

@@ -68,16 +67,8 @@ public static KeyPair makeKeyPair(int keyLen) throws NoSuchAlgorithmException{

  • @return the password */ public static String generatePassword() {
  • SecureRandom random;
  • try {
  • random = SecureRandom.getInstance("SHA1PRNG");
  • String pwd = Base64.encodeBase64String(random.generateSeed(5));
  • String pwd = Base64.encodeBase64String(Utils.secureRandom.generateSeed(5));

use nextBytes

— Reply to this email directly, view it on GitHub https://github.com/ebics-java/ebics-java-client/pull/31#pullrequestreview-936375142, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAA46VFJVKSCCJVVOMRGGFTVEASMNANCNFSM5S3ZUD3A . You are receiving this because you modified the open/close state.Message ID: @.***>