ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S6288[java]: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive (#105)

Browse Source
This commit is contained in:
eric-therond-sonarsource 2021-09-29 09:42:07 +02:00 committed by GitHub
parent c264de77ea
commit fcb6b521e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
rules/S6288/java/rule.adoc
View File

@ -1,4 +1,43 @@
include::../rule.adoc[]
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Noncompliant Code Example
Any user can use the key:
----
KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
KeyGenParameterSpec builder = new KeyGenParameterSpec.Builder("test_secret_key_noncompliant", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT) // Noncompliant
.setBlockModes(KeyProperties.BLOCK_MODE_GCM)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
.build();
keyGenerator.init(builder);
----
== Compliant Solution
The use of the key is limited to authenticated users (for a duration of time defined to 60 seconds):
----
KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
KeyGenParameterSpec builder = new KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
.setBlockModes(KeyProperties.BLOCK_MODE_GCM)
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
.setUserAuthenticationRequired(true)
.setUserAuthenticationParameters (60, KeyProperties.AUTH_DEVICE_CREDENTIAL)
.build();
keyGenerator.init(builder)
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''