From 47630e58ec78b405bea7a4afc5450d4527e2f6b3 Mon Sep 17 00:00:00 2001
From: llunaCreixent
Date: Thu, 26 Sep 2019 21:53:10 +0300
Subject: [PATCH] Secure random slow. https://www.synopsys.com/blogs/software-security/proper-use-of-javas-securerandom/
---
 .../scoutsfev/cudu/services/UsuarioService.java | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/backend/src/main/java/org/scoutsfev/cudu/services/UsuarioService.java b/backend/src/main/java/org/scoutsfev/cudu/services/UsuarioService.java
index ae31a552..00bb0a8c 100644
--- a/backend/src/main/java/org/scoutsfev/cudu/services/UsuarioService.java
+++ b/backend/src/main/java/org/scoutsfev/cudu/services/UsuarioService.java
@@ -61,7 +61,15 @@ public UsuarioService(UsuarioRepository usuarioRepository, TokenRepository token
 this.asociadoRepository = asociadoRepository;
 this.emailService = emailService;
 this.captchaService = captchaService;
- this.secureRandom = SecureRandom.getInstanceStrong();
+ //this.secureRandom = SecureRandom.getInstanceStrong();
+ this.secureRandom = SecureRandom.getInstance("SHA1PRNG");
+ int intValue = 232323;
+ byte[] byteValue = new byte[] {
+ (byte)(intValue >>> 24),
+ (byte)(intValue >>> 16),
+ (byte)(intValue >>> 8),
+ (byte)intValue};
+ secureRandom.nextBytes(byteValue);
 }
 
 @Override
@@ -88,7 +96,7 @@ public void nuevaApikey(String email) {
 if (!usuario.isActivo() ) {
 throw new AccountExpiredException("El asociado " + email + " está desactivado.");
 }
-
+ secureRandom.generateSeed(25);
 String oneTimeCode = new BigInteger(130, secureRandom).toString(32);
 Duration duracionToken = Duration.ofDays(3650);
 Token token = new Token(usuario.getEmail(), oneTimeCode, Instant.now(), duracionToken);
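Review bot: The seed-looking block added to the constructor is dead code: `byteValue` is filled from the constant `232323` and then immediately overwritten by `secureRandom.nextBytes(byteValue)`, which draws random output from the generator rather than seeding it, so the constant has no effect and the bytes are discarded. That is the safe outcome here — had the last line been `setSeed(byteValue)` before any `nextBytes`, a `SHA1PRNG` instance would produce a fixed sequence derived from a hard-coded value and every code minted in `nuevaApikey`/`resetPassword` would be predictable — but the code as written invites exactly that "fix" from a later reader. The article cited in the commit message recommends the platform default, which does not block the way `getInstanceStrong()` can and self-seeds from system entropy; the nine added lines can be replaced by `this.secureRandom = new SecureRandom();`, and the commented-out `getInstanceStrong()` line should be deleted rather than kept as a comment. The rest of the constructor lies outside the hunk.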
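Review bot: `secureRandom.generateSeed(25);` discards its return value, so it neither reseeds the instance nor changes the `oneTimeCode` drawn on the next line; it only asks the provider's seed source for 25 fresh bytes, which, depending on the configured seed source, can be the blocking entropy path the commit subject says it wants to avoid. The same no-op is added in `resetPassword` (`generateSeed(23)`) and `logError` (`generateSeed(24)`) in the following hunks. Remove all three calls; a properly constructed `SecureRandom` seeds itself before its first output, and if an explicit reseed were really wanted the form would be `secureRandom.setSeed(secureRandom.generateSeed(25));`. The enclosing `nuevaApikey` method continues outside the hunk.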
@@ -110,7 +118,7 @@ public void resetPassword(String email, boolean comprobarQueElUsuarioEstaActivo)
 if (comprobarQueElUsuarioEstaActivo && (!usuario.isActivo() || !usuario.isUsuarioActivo())) {
 throw new AccountExpiredException("El usuario " + email + " está desactivado.");
 }
-
+ secureRandom.generateSeed(23);
 String oneTimeCode = new BigInteger(130, secureRandom).toString(32);
 Duration duracionToken = Duration.ofSeconds(duracionTokenEnSegundos);
 Token token = new Token(usuario.getEmail(), oneTimeCode, Instant.now(), duracionToken);
@@ -226,6 +234,7 @@ private String obtenerDireccionIp(HttpServletRequest request) {
 // TODO Test: solo se marca como que requiere captcha cuando se lanza BadCredentialsException, el resto se delegan a spring
 private String logError(String mensaje, Token token) {
+ secureRandom.generateSeed(24);
 String codigoError = "E" + Strings.padStart(new BigInteger(16, secureRandom).toString(16).toUpperCase(), 4, '0');
 if (token != null) logger.error("[{0}] {1}. Token {2}, email: {3}, creado: {4}", codigoError, mensaje, token.getToken(), token.getEmail(), token.getCreado());