Project

General

Profile

Actions

Bug #21669

open

Stop using UUIDs as system token

Added by Alexis Mousset about 1 month ago. Updated 8 days ago.

Status:
Pending release
Priority:
N/A
Category:
Security
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Regression:
No

Description

And use random chars directly from SecureRandom, as done for other tokens.

The current only implementation of StringUuidGenerator uses java.util.UUID.randomUUID, which in turn gets 122 bits (because a part of the uuid is not random) from java.security.SecureRandom, which is suitable for the purpose.

But this is sub-optimal for two reasons:

  • It does not communicate the intent. UUID are meant to be unique, not cryptographically secure.
  • The StringUuidGenerator trait does not carry any garantee about randomness, and one could easily switch implementation and produce predictable tokens.

Subtasks 1 (1 open0 closed)

Bug #21801: Bad init order for the token generator used for system api tokenPending releaseAlexis MoussetActions
Actions #1

Updated by Alexis Mousset about 1 month ago

  • Subject changed from Stop using UUIDs for system token to Stop using UUIDs as system token
Actions #2

Updated by Alexis Mousset about 1 month ago

  • Description updated (diff)
Actions #3

Updated by Alexis Mousset about 1 month ago

  • Description updated (diff)
Actions #4

Updated by Alexis Mousset about 1 month ago

  • Description updated (diff)
Actions #5

Updated by Alexis Mousset about 1 month ago

  • Target version set to 7.3.0~alpha1
Actions #6

Updated by Alexis Mousset 10 days ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #7

Updated by Alexis Mousset 10 days ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Alexis Mousset to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/4490
Actions #8

Updated by Alexis Mousset 10 days ago

  • Status changed from Pending technical review to Pending release
Actions #9

Updated by François ARMAND 8 days ago

  • Subtask #21801 added
Actions

Also available in: Atom PDF