Sign upLogin

encryptorcode/iam-oauth

View on GitHub
Star
src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java

Summary

Maintainability
A
0 mins
Test Coverage

Use a dynamically-generated, random IV.
Open

            IvParameterSpec iv = new IvParameterSpec(ivBytes);
Severity: Critical
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by sonar-java

When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret but should be unpredictable to avoid "Chosen-Plaintext Attack".

To generate Initialization Vectors, NIST recommends to use a secure random number generator.

Noncompliant Code Example

public class MyCbcClass {

  public String applyCBC(String strKey, String plainText) {
    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8");

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");

    /* Ciphering */
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);  // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
    return DatatypeConverter.printBase64Binary(bytesIV)
            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
  }
}

Compliant Solution

public class MyCbcClass {

  SecureRandom random = new SecureRandom();

  public String applyCBC(String strKey, String plainText) {
    byte[] bytesIV = new byte[16];
    random.nextBytes(bytesIV);

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");

    /* Ciphering */
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Compliant
    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
    return DatatypeConverter.printBase64Binary(bytesIV)
            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
  }
}

See

Use a dynamically-generated, random IV.
Open

            IvParameterSpec iv = new IvParameterSpec(ivBytes);
Severity: Critical
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by sonar-java

When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret but should be unpredictable to avoid "Chosen-Plaintext Attack".

To generate Initialization Vectors, NIST recommends to use a secure random number generator.

Noncompliant Code Example

public class MyCbcClass {

  public String applyCBC(String strKey, String plainText) {
    byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8");

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");

    /* Ciphering */
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);  // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
    return DatatypeConverter.printBase64Binary(bytesIV)
            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
  }
}

Compliant Solution

public class MyCbcClass {

  SecureRandom random = new SecureRandom();

  public String applyCBC(String strKey, String plainText) {
    byte[] bytesIV = new byte[16];
    random.nextBytes(bytesIV);

    /* KEY + IV setting */
    IvParameterSpec iv = new IvParameterSpec(bytesIV);
    SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");

    /* Ciphering */
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
    cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Compliant
    byte[] encryptedBytes = cipher.doFinal(plainText.getBytes("UTF-8"));
    return DatatypeConverter.printBase64Binary(bytesIV)
            + ";" + DatatypeConverter.printBase64Binary(encryptedBytes);
  }
}

See

Wrong lexicographical order for 'java.security.InvalidKeyException' import. Should be before 'javax.crypto.spec.SecretKeySpec'.
Open

import java.security.InvalidKeyException;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Line is longer than 100 characters (found 111).
Open

        System.arraycopy(randomBytes, 0, rawSessionIdWithRandom, sessionIdTemplate.length, randomBytes.length);
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks for long lines.

Rationale: Long lines are hard to read in printouts or if developershave limited screen space for the source code, e.g. if the IDEdisplays additional information like project tree, class hierarchy,etc.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Extra separation in import group before 'javax.crypto.*'
Open

import javax.crypto.*;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Wrong lexicographical order for 'java.security.NoSuchAlgorithmException' import. Should be before 'javax.crypto.spec.SecretKeySpec'.
Open

import java.security.NoSuchAlgorithmException;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Wrong lexicographical order for 'java.util.logging.Level' import. Should be before 'javax.crypto.spec.SecretKeySpec'.
Open

import java.util.logging.Level;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Wrong lexicographical order for 'java.util.logging.Logger' import. Should be before 'javax.crypto.spec.SecretKeySpec'.
Open

import java.util.logging.Logger;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Wrong lexicographical order for 'java.security.InvalidAlgorithmParameterException' import. Should be before 'javax.crypto.spec.SecretKeySpec'.
Open

import java.security.InvalidAlgorithmParameterException;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that the groups of import declarations appear in the order specifiedby the user. If there is an import but its group is not specified in theconfiguration such an import should be placed at the end of the import list.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Line is longer than 100 characters (found 180).
Open

        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException | InvalidAlgorithmParameterException e) {
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks for long lines.

Rationale: Long lines are hard to read in printouts or if developershave limited screen space for the source code, e.g. if the IDEdisplays additional information like project tree, class hierarchy,etc.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Using the '.*' form of import should be avoided - javax.crypto.*.
Open

import javax.crypto.*;
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that there are no import statements that use the * notation.

Rationale: Importing all classes from a package or staticmembers from a class leads to tight coupling between packagesor classes and might lead to problems when a new version of alibrary introduces name clashes.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Class type name 'User' must match pattern '(^[A-Z][0-9]?)$|([A-Z][a-zA-Z0-9]*[T]$)'.
Open

public abstract class BaseSecurityHandler<User extends AUser> extends ASecurityHandler<User> {
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks that class type parameter names conform to a specified pattern.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

Line is longer than 100 characters (found 213).
Open

        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException | IllegalBlockSizeException | BadPaddingException | InvalidAlgorithmParameterException | ArrayIndexOutOfBoundsException e) {
Severity: Minor
Found in src/main/java/io/github/encryptorcode/implementation/security/BaseSecurityHandler.java by checkstyle

Checks for long lines.

Rationale: Long lines are hard to read in printouts or if developershave limited screen space for the source code, e.g. if the IDEdisplays additional information like project tree, class hierarchy,etc.

This documentation is written and maintained by the Checkstyle community and is covered under the same license as the Checkstyle project.

There are no issues that match your filters.

Category
Status