Hard-coded Cryptographic Key (CWE: 321) in Java

M Richardson
I'm seeing the following vulnerability (https://cwe.mitre.org/data/definitions/321.html) being detected on the following code:



I'm unable to ascertain how I am to mitigate this issue. Are those hexadecimal "byte" values supposed to be dynamically generated? And how so?
Stephan van Hulst
No.

You're supposed to generate a secret key and store it in a key file using a separate tool, then load it in your application using KeyStore.

If you google Java KeyStore you can probably easily find more info on how to do this.

M Richardson

Stephan van Hulst wrote:No.

You're supposed to generate a secret key and store it in a key file using a separate tool, then load it in your application using KeyStore.

If you google Java KeyStore you can probably easily find more info on how to do this.

I see. I understand that I will pass the keystore file and the password to obtain a KeyStore object.
Can you please explain what specifically in the code needs to get processed by my external library?
I'm a little unclear as to how this integrates with my existing code.


Stephan van Hulst
You don't need an external library.

You can just use the keytool command to generate a key store file, and you use KeyStore from within your application to retrieve the secret you generated.

M Richardson

Stephan van Hulst wrote:You don't need an external library.

You can just use the keytool command to generate a key store file, and you use KeyStore from within your application to retrieve the secret you generated.
I see. But this is an enterprise application where no such ability will be provided to the user - or the user may not be that savvy to be able to do that.
How is the vulnerability mitigated in that case? (and when I say mitigated, I mean to make the static code analyzer happy)

Stephan van Hulst
Are you saying that you don't trust the system administrator who will be installing the application to be able to generate secret keys, given instructions?

To make it easier for them, you can write a small tool that will generate the key file. You can do this with KeyStore as well.
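
Putting the advice in this thread into code, as an added example that is not part of the original posts: the `keytool` one-liner that generates the secret is `keytool -genseckey -alias app-aes-key -keyalg AES -keysize 256 -storetype PKCS12 -keystore app-secret.p12`. The class below does the same thing with `KeyStore` so it can ship as the "small tool" the installer runs once, and it also shows the lookup the application does at run time instead of holding key bytes in source. The alias, the file name and the `KEYSTORE_PASSWORD` environment variable are assumptions made for this example; the original poster's code is not visible on the page, so nothing here reproduces it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Generates a secret key into a PKCS12 key store (installer side) and loads it
 * back (application side). No key material appears in the source, which is
 * what CWE-321 scanners look for.
 */
public final class SecretKeyStoreTool {

    private static final String STORE_TYPE = "PKCS12";
    // Assumed alias for this example; pick whatever your deployment documents.
    private static final String ALIAS = "app-aes-key";

    /** Installer side: create a fresh 256-bit AES key and write it to keyStoreFile. */
    static void generateKeyFile(Path keyStoreFile, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256); // KeyGenerator draws from a SecureRandom internally
        SecretKey key = keyGen.generateKey();

        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(null, null); // start from an empty store
        // Same password for store and entry: PKCS12 tooling expects them to match.
        KeyStore.ProtectionParameter protection = new KeyStore.PasswordProtection(storePassword);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key), protection);
        try (OutputStream out = Files.newOutputStream(keyStoreFile)) {
            ks.store(out, storePassword);
        }
    }

    /** Application side: read the key from the store at run time. */
    static SecretKey loadKey(Path keyStoreFile, char[] storePassword)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(keyStoreFile)) {
            ks.load(in, storePassword);
        }
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(storePassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("No secret key stored under alias " + ALIAS);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // Assumed for the demo: the password arrives via the environment, not a literal.
        char[] password = System.getenv().getOrDefault("KEYSTORE_PASSWORD", "change-me").toCharArray();
        Path file = Files.createTempFile("app-secret", ".p12");

        generateKeyFile(file, password);   // what the installer/admin runs once
        SecretKey key = loadKey(file, password); // what the application does at startup

        System.out.println(key.getAlgorithm() + " key, " + key.getEncoded().length * 8
                + " bits, loaded from " + file);
    }
}
```

The key file still has to be protected: restrict its filesystem permissions to the service account, and supply the store password from the environment, a secrets manager, or a file the admin controls rather than another literal, otherwise the scanner finding simply moves from the key to the password.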