Use of insecure random function rand() for temp file name

[hannob]

The file src/Attestation/Format/FormatBase.php contains a call to rand(), which is PHP's legacy/insecure random number function. It is used to generate a temp file name:

            $this->_x5c_tempFile = \sys_get_temp_dir() . '/x5c_chain_' . \base_convert(\rand(), 10, 36) . '.pem';

This could lead to a temp file race vulnerability, as the output of rand() may be predictable.

If you want close to identical behavior, but with secure random numbers, you could use 'random_int(0, 2147483647);' instead of rand(). However, it's probably better to use a dedicated function to create secure temp files. In this case, tempnam would probably be the right one. It would mean that the file would not have a ".pem" extension, but I guess that doesn't really matter for a temp file.

So it'd be something like:

$this->_x5c_tempFile = \tempnam(\sys_get_temp_dir(), "/x5c_chain_");

[lbuchs]

Thanks, fixed in e73ff007e8a1099e72e0dbdd9d0884057409fc54