rspec/rules/S7203/secrets/rule.adoc


include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
include::../../../shared_content/secrets/impact/private_key_disclosure.adoc[]
include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
If a third party gets access to a keystore containing an Android upload key or app signing key, they can sign and distribute malicious apps under the same identity as the original app. Because Android only accepts an update whose signature matches the installed app, such a package is installed as a legitimate update on every device that already has the app.
== How to fix it
include::../../../shared_content/secrets/fix/store_separatly.adoc[]
include::../../../shared_content/secrets/fix/revoke.adoc[]
In most cases, if the key is used as part of a larger trust model (X.509, PGP,
etc.), it is necessary to issue and publish a revocation certificate. Doing so
ensures that all people and assets that rely on this key for security
operations are aware of its compromise and stop trusting it.
include::../../../shared_content/secrets/fix/recent_use.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
==== Noncompliant code example
[source,shell,diff-id=1,diff-type=noncompliant]
----
keytool -genkey \
-keystore release.jks \
-alias release \
-keyalg RSA \
-keysize 2048 \
-validity 1000 \
-dname "CN=com.example" \
-storepass release # Noncompliant, keystore password is easy to guess
----
==== Compliant solution
Keystore files should be created with a strong, randomly generated password. The password should come from the CI secret store or a password manager and be passed to `keytool` through the environment rather than written on the command line, where it would end up in shell history and build logs.
[source,shell,diff-id=1,diff-type=compliant]
----
# STRONG_PWD is exported by the CI secret store; it is never hard-coded in the build script
keytool -genkey \
  -keystore release.jks \
  -alias release \
  -keyalg RSA \
  -keysize 2048 \
  -validity 1000 \
  -dname "CN=com.example" \
  -storepass:env STRONG_PWD
----
Files containing cryptographic keys should not be committed with the application codebase and should be distributed separately.
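The following script is an added example, not part of this rule or of any analyzer: it walks a source tree, recognises JKS and JCEKS keystores by their magic header, and tests each one against a short list of guessable store passwords without needing Java. It relies on the JKS file layout (magic, version, entry count, entries, then a SHA-1 trailer computed over the store password in UTF-16BE, the literal `Mighty Aphrodite` and the file body), so a candidate password can be verified offline. The password list and the `build_empty_jks` helper that produces the sample keystore are constructed for the example; PKCS12 keystores use a different integrity scheme and are deliberately not handled.

```python
"""Find Java keystores in a source tree and check them for weak passwords."""
import hashlib
import os
import struct

JKS_MAGIC = 0xFEEDFEED      # Java KeyStore ("JKS")
JCEKS_MAGIC = 0xCECECECE    # JCE KeyStore ("JCEKS"), same trailer layout
# keytool appends this literal to the password before hashing the file body
JKS_WHITENER = b"Mighty Aphrodite"
DIGEST_LEN = 20             # SHA-1 trailer
MIN_SIZE = 12 + DIGEST_LEN  # magic + version + entry count + trailer

# Constructed list of passwords an attacker would try first.
WEAK_PASSWORDS = ["release", "android", "changeit", "password", "keystore", "123456"]


def keystore_type(data: bytes):
    """Return 'JKS', 'JCEKS' or None, based on the 4-byte magic header."""
    if len(data) < MIN_SIZE:
        return None
    magic = struct.unpack(">I", data[:4])[0]
    return {JKS_MAGIC: "JKS", JCEKS_MAGIC: "JCEKS"}.get(magic)


def _integrity_digest(password: str, body: bytes) -> bytes:
    # Java hashes each password char as two big-endian bytes (UTF-16BE),
    # then the whitener, then every byte of the file that precedes the digest.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_WHITENER + body).digest()


def password_matches(data: bytes, password: str) -> bool:
    """True if `password` is the store password of the keystore in `data`."""
    if keystore_type(data) is None:
        raise ValueError("not a JKS/JCEKS keystore")
    body, trailer = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return _integrity_digest(password, body) == trailer


def find_weak_password(data: bytes, candidates=WEAK_PASSWORDS):
    """Return the first candidate that opens the keystore, or None."""
    for pw in candidates:
        if password_matches(data, pw):
            return pw
    return None


def scan_tree(root: str, candidates=WEAK_PASSWORDS):
    """Walk `root` and report (path, type, weak_password_or_None) per keystore."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ktype = keystore_type(data)
            if ktype is None:
                continue
            findings.append((path, ktype, find_weak_password(data, candidates)))
    return findings


def build_empty_jks(password: str, version: int = 2) -> bytes:
    """Constructed sample: a JKS with zero entries, laid out as keytool writes it
    (magic, version, entry count, SHA-1 trailer). Real keystores carry key and
    certificate entries between the count and the trailer."""
    body = struct.pack(">III", JKS_MAGIC, version, 0)
    return body + _integrity_digest(password, body)


if __name__ == "__main__":
    sample = build_empty_jks("release")  # the password from the noncompliant example
    print("type:", keystore_type(sample))
    print("weak password:", find_weak_password(sample))
    print("weak password:", find_weak_password(build_empty_jks("Zq9!vL2#pR8@wT4x")))
```

Run `scan_tree(".")` from the repository root to list every committed keystore; any finding whose third element is not `None` is a keystore that an attacker could open with a dictionary password.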
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m1-improper-credential-usage[Mobile Top 10 2024 Category M1 - Improper Credential Usage]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m2-inadequate-supply-chain-security[Mobile Top 10 2024 Category M2 - Inadequate Supply Chain Security]
* OWASP - https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography[Mobile Top 10 2024 Category M10 - Insufficient Cryptography]
//=== Benchmarks