Bug #21669

Stop using UUIDs as system token

Added by Alexis Mousset over 2 years ago. Updated almost 2 years ago.

Status: Released
Priority: N/A
Category: Security
Priority: 0
Name check: To do
Fix check: To do
Regression: No

Description

Use random characters drawn directly from SecureRandom instead, as is already done for the other tokens.

The only current implementation of StringUuidGenerator uses java.util.UUID.randomUUID, which in turn draws 122 random bits (part of the UUID layout is not random) from java.security.SecureRandom, which is suitable for the purpose.

But this is sub-optimal for two reasons:

  • It does not communicate the intent: UUIDs are meant to be unique, not cryptographically secure.
  • The StringUuidGenerator trait carries no guarantee about randomness, so one could easily switch the implementation and produce predictable tokens.
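An added example (not Rudder's code) of the two points above: a hypothetical SecureTokenGenerator whose constructor only accepts a java.security.SecureRandom, so a predictable source cannot be substituted silently, plus a sampling routine showing that 6 of a v4 UUID's 128 bits never vary, which is why the description counts 122 random bits. The class name, method names and the 128-bit floor are assumptions of this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;

// Hypothetical token generator: the parameter type is SecureRandom, not Random,
// so the randomness guarantee is part of the API instead of an implementation detail.
public final class SecureTokenGenerator {
    private final SecureRandom rng;

    public SecureTokenGenerator(SecureRandom rng) { this.rng = rng; }

    // Token carrying at least `bits` bits of entropy, encoded as base64url without
    // padding; every output character is random data, none is reserved for format.
    // The 128-bit floor is this example's own choice of a conventional minimum.
    public String token(int bits) {
        if (bits < 128) throw new IllegalArgumentException("token needs >= 128 bits");
        byte[] buf = new byte[(bits + 7) / 8];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Counts the bits that stayed constant across `samples` random UUIDs.
    // A bit is fixed if it was 1 in every sample (AND) or 0 in every sample (~OR).
    // For a v4 UUID the 4 version bits and 2 variant bits are fixed by the format,
    // so with a few hundred samples this returns 6, leaving 122 random bits.
    public static int fixedUuidBits(int samples) {
        long andHi = -1L, orHi = 0L, andLo = -1L, orLo = 0L;
        for (int i = 0; i < samples; i++) {
            UUID u = UUID.randomUUID();
            andHi &= u.getMostSignificantBits();
            orHi  |= u.getMostSignificantBits();
            andLo &= u.getLeastSignificantBits();
            orLo  |= u.getLeastSignificantBits();
        }
        long fixedHi = andHi | ~orHi;
        long fixedLo = andLo | ~orLo;
        return Long.bitCount(fixedHi) + Long.bitCount(fixedLo);
    }

    public static void main(String[] args) {
        System.out.println("fixed bits in a v4 UUID: " + fixedUuidBits(1000));
        SecureTokenGenerator gen = new SecureTokenGenerator(new SecureRandom());
        System.out.println("256-bit token: " + gen.token(256));
    }
}
```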

Subtasks: 1 (0 open, 1 closed)

Bug #21801: Bad init order for the token generator used for system api token (Released, Alexis Mousset)

Actions #1

Updated by Alexis Mousset over 2 years ago

  • Subject changed from Stop using UUIDs for system token to Stop using UUIDs as system token
Actions #2

Updated by Alexis Mousset over 2 years ago

  • Description updated (diff)
Actions #3

Updated by Alexis Mousset over 2 years ago

  • Description updated (diff)
Actions #4

Updated by Alexis Mousset over 2 years ago

  • Description updated (diff)
Actions #5

Updated by Alexis Mousset over 2 years ago

  • Target version set to 7.3.0~beta1
Actions #6

Updated by Alexis Mousset about 2 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #7

Updated by Alexis Mousset about 2 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4490
Actions #8

Updated by Alexis Mousset about 2 years ago

  • Status changed from Pending technical review to Pending release
Actions #9

Updated by François ARMAND about 2 years ago

  • Subtask #21801 added
Actions #10

Updated by Vincent MEMBRÉ almost 2 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 7.3.0~beta1 which was released today.
