Git Product home page Git Product logo

Comments (5)

kategray avatar kategray commented on September 17, 2024 1

PR updated per feedback from @frankmorgner .

from jcardsim.

kategray avatar kategray commented on September 17, 2024

BouncyCastle's SecureRandom implementation calls setSeed(System.currentTimeMillis()); in order to make their SecureRandom more random. As the jCardSim ALG_SECURE_RANDOM documentation says that the random numbers should be cryptographically secure, I added a pull request #140 to help make that possible.

This patch only kicks in if ALG_SECURE_RANDOM is present; ALG_PSEUDO_RANDOM should still function the same, if someone wants to have deterministic "randomness" in their test suites.

from jcardsim.

kategray avatar kategray commented on September 17, 2024

With my patch, behaviour is as expected:

Gradle suite > Gradle test > tests.AppletTest.hello STANDARD_OUT
    Connecting to card... Done.
    --> [00C00000080000000000000000] 13
    <-- D4EEC11B9AA895EF22BCC8782EA5669EBA2BE73E9C7375B2A3C6E3144C89A45C 9000 (32)
    ResponseAPDU: 34 bytes, SW=9000

Gradle suite > Gradle test > tests.AppletTest.hello2 STANDARD_OUT
    Connecting to card... Done.
    --> [00C00000080000000000000000] 13
    <-- 4267C24D9E10EEB173148B7706D1B634BFC3BA99734548CD275A585C7EDE37DB 9000 (32)
    ResponseAPDU: 34 bytes, SW=9000

Gradle suite > Gradle test > tests.AppletTest.hello3 STANDARD_OUT
    Connecting to card... Done.
    --> [00C00000080000000000000000] 13
    <-- EDDE80F7B2641DADE83FA3B2F547B21A6A4825EACA9EDD9320869EB5FD07476D 9000 (32)
    ResponseAPDU: 34 bytes, SW=9000

from jcardsim.

frankmorgner avatar frankmorgner commented on September 17, 2024

Bouncycastle only provides PRNGs, if you want secure random numbers, you should use java.security.SecureRandom, which delegates to a platform dependent generator that should have way more entropy.

from jcardsim.

kategray avatar kategray commented on September 17, 2024

I was trying to keep compatibility with the existing code, and it good enough to test.

I guess it really depends on the likelihood of someone doing something silly, like virtualizing their smart card using jcardsim and using it for web-based applications. From an IT standpoint, I can think of plenty of reasons to do that, and from a security standpoint, I can think of many reasons not to.

from jcardsim.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.