55 lines
1.4 KiB
Plaintext
55 lines
1.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,java]
|
|
----
|
|
public void encrypt(String key, String plainText) {
|
|
byte[] bytesIV = "7cVgr5cbdCZVw5WY".getBytes("UTF-8"); // Static initialization vector
|
|
|
|
IvParameterSpec iv = new IvParameterSpec(bytesIV);
|
|
SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
|
|
|
|
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
|
|
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv); // Noncompliant: the IV is hard coded and thus not generated with a secure random generator
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,java]
|
|
----
|
|
public void encrypt(String key, String plainText) {
|
|
SecureRandom random = new SecureRandom();
|
|
byte[] bytesIV = new byte[16];
|
|
random.nextBytes(bytesIV); // Random initialization vector
|
|
|
|
IvParameterSpec iv = new IvParameterSpec(bytesIV);
|
|
SecretKeySpec skeySpec = new SecretKeySpec(strKey.getBytes("UTF-8"), "AES");
|
|
|
|
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
|
|
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
|
|
}
|
|
----
|
|
|
|
|
|
include::../see.adoc[]
|
|
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#STATIC_IV[STATIC_IV]
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|