fixed CLOUDSTACK-7090 Console proxy key store password should be securely generated

2014-07-25 13:38:15 +05:30 · 2014-07-25 13:38:15 +05:30 · ea740aa0e1
parent c61c636ce8
commit ea740aa0e1
1 changed files with 19 additions and 11 deletions
--- a/server/src/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/com/cloud/consoleproxy/AgentHookBase.java
@ -17,9 +17,11 @@

 package com.cloud.consoleproxy;

+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Date;
-import java.util.Random;

+import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;

 import com.google.gson.Gson;
@ -65,7 +67,6 @@ public abstract class AgentHookBase implements AgentHook {
    ConfigurationDao _configDao;
    AgentManager _agentMgr;
    KeystoreManager _ksMgr;
-    final Random _random = new Random(System.currentTimeMillis());
    KeysManager _keysMgr;

    public AgentHookBase(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr, AgentManager agentMgr, KeysManager keysMgr) {
@ -187,17 +188,22 @@ public abstract class AgentHookBase implements AgentHook {
    @Override
    public void startAgentHttpHandlerInVM(StartupProxyCommand startupCmd) {
        StartConsoleProxyAgentHttpHandlerCommand cmd = null;
-        String storePassword = String.valueOf(_random.nextLong());
-        byte[] ksBits = _ksMgr.getKeystoreBits(ConsoleProxyManager.CERTIFICATE_NAME, ConsoleProxyManager.CERTIFICATE_NAME, storePassword);
-
-        assert (ksBits != null);
-        if (ksBits == null) {
-            s_logger.error("Could not find and construct a valid SSL certificate");
-        }
-        cmd = new StartConsoleProxyAgentHttpHandlerCommand(ksBits, storePassword);
-        cmd.setEncryptorPassword(getEncryptorPassword());

        try {
+            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+
+            byte[] randomBytes = new byte[16];
+            random.nextBytes(randomBytes);
+            String storePassword = Base64.encodeBase64String(randomBytes);
+
+            byte[] ksBits = _ksMgr.getKeystoreBits(ConsoleProxyManager.CERTIFICATE_NAME, ConsoleProxyManager.CERTIFICATE_NAME, storePassword);
+
+            assert (ksBits != null);
+            if (ksBits == null) {
+                s_logger.error("Could not find and construct a valid SSL certificate");
+            }
+            cmd = new StartConsoleProxyAgentHttpHandlerCommand(ksBits, storePassword);
+            cmd.setEncryptorPassword(getEncryptorPassword());

            HostVO consoleProxyHost = findConsoleProxyHost(startupCmd);

@ -209,6 +215,8 @@ public abstract class AgentHookBase implements AgentHook {
            } else {
                s_logger.info("Successfully sent out command to start HTTP handling in console proxy agent");
            }
+        }catch (NoSuchAlgorithmException e) {
+            s_logger.error("Unexpected exception in SecureRandom Algorithm selection ", e);
        } catch (AgentUnavailableException e) {
            s_logger.error("Unable to send http handling startup command to the console proxy resource for proxy:" + startupCmd.getProxyVmId(), e);
        } catch (OperationTimedoutException e) {