If Bouncy Castle is registered as a MINA security provider, this class will be used to provide the random implementation: https://github.com/apache/mina-sshd/blob/master/sshd-common/src/main/java/org/apache/sshd/common/util/security/bouncycastle/BouncyCastleRandomFactory.java. I do not believe that enables Bouncy Castle DBRG, but I am not sure. My suggestions below are for making the random factory more configurable. Right now, it is basically hardcoded to either the builtin SecureRandom or BouncyCastleRamdom.
Nick > On Dec 14, 2020, at 08:14, Alejandro Fabio Masino <[email protected]> wrote: > > Hi Nicholas, > > Are you saying that if registering Bouncy Castle as a provider for the > DRBG (well, you need to include it anyway for Apache MINA to use it), > then the Bouncy Castle DRBG can be used, at least when JCE Secure Random > is chosen? Would overriding "securerandom.strongAlgorithms" propery in > java.security would make the trick? > > However, the BC RandomFactory is used for the > manager.getRandomFactory(), and I don't see a way to override this. > > Thanks, > Alejandro > >> On 12/14/2020 10:29 AM, Nicholas Williams wrote: >> On a perhaps-related note, I would love to see a way to specify a random >> factory either by setting a Java system property or implementing a method in >> SecurityProviderRegistrar (or both). My organization implemented a >> SecurityProviderRegistrar for Bouncy Castle FIPS, but MINA SSHD is still >> using the JCE SecureRandom, because I can’t find a non-invasive** way to >> give it a FIPSSecureRandom. >> >> What are the thoughts here on my submitting a patch that 1) adds something >> like this to the SecurityProviderRegistrar interface: >> >> default RandomFactory getRandomFactory() { >> return null; >> } >> >> And then 2) updates SecurityUtils.getRandomFactory() to check a system >> property org.apache.sshd.security.random_factory first, then check the >> registrars? >> >> **We aren’t using MINA SSHD directly. We’re using it by way of its inclusion >> in BitBucket Server for SSHD access to repositories. So we can’t control how >> the SSHD code is used in order to e.g. call setRandomFactory. Our only areas >> of control are Java system properties and our >> BouncyCastleFIPSSecurityProviderRegistrar implementation. >> >> Nick >> >>>> On Dec 14, 2020, at 7:00 AM, Alejandro Fabio Masino <[email protected]> >>>> wrote: >>> >>> Hi, >>> >>> I'm reviewing the source code of Apache MINA 2.0.21 and SSHD 2.5.1, in >>> order to find out how Apache MINA uses Bouncy Castle for random numbers. >>> >>> As far as I could see, Apache MINA SSHD verifies whether the BC provider >>> is registered, and if so, it uses the needed crypto algorithms. >>> >>> However, I don't see any reference to instantiate the DRBG. Instead, >>> Apache Mina seems to initialize the randomFactory by using the >>> VMPCRandomGenerator() method implemented in BC, instead of the DRBG >>> implementations. >>> >>> Is there any way to override this setting from the calling application, >>> that is, using one of the SP800-90A DRBG methods implemented in Bouncy >>> Castle for SSH key exchange? >>> >>> Thanks, >>> Alejandro >>> >>> -- >>> Alejandro Masino >>> atsec information security corporation >>> http://www.atsec.com >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [email protected] >>> For additional commands, e-mail: [email protected] >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> > > -- > Alejandro Masino > atsec information security corporation > http://www.atsec.com > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] >
