42 lines
993 B
Plaintext
42 lines
993 B
Plaintext
|
== How to fix it in Java SE
|
||
|
|
|
||
|
|
=== Code examples
|
||
|
|
|
||
|
|
include::../../common/fix/code-rationale.adoc[]
|
||
|
|
|
||
|
|
==== Noncompliant code example
|
||
|
|
|
||
|
|
[source,kotlin,diff-id=1,diff-type=noncompliant]
|
||
|
|
----
|
||
|
|
import javax.crypto.spec.PBEParameterSpec
|
||
|
|
|
||
|
|
fun hash() {
|
||
|
|
val salt = "salty".toByteArray()
|
||
|
|
val cipherSpec = PBEParameterSpec(salt, 10000) // Noncompliant
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
==== Compliant solution
|
||
|
|
|
||
|
|
[source,kotlin,diff-id=1,diff-type=compliant]
|
||
|
|
----
|
||
|
|
import java.security.SecureRandom
|
||
|
|
import javax.crypto.spec.PBEParameterSpec
|
||
|
|
|
||
|
|
fun hash() {
|
||
|
|
val random = SecureRandom()
|
||
|
|
val salt = ByteArray(16)
|
||
|
|
random.nextBytes(salt)
|
||
|
|
val cipherSpec = PBEParameterSpec(salt, 10000)
|
||
|
|
}
|
||
|
|
----
|
||
|
|
|
||
|
|
=== How does this work?
|
||
|
|
|
||
|
|
include::../../common/fix/salt.adoc[]
|
||
|
|
|
||
|
|
Here, the compliant code example ensures the salt is random and has a sufficient
|
||
|
|
length by calling the `nextBytes` method from the `SecureRandom` class with a
|
||
|
|
salt buffer of 16 bytes. This class implements a cryptographically secure
|
||
|
|
pseudo-random number generator.
|