Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mosip 33327 #1486

Open
wants to merge 79 commits into
base: develop_module_Wise_Test_Rig
Choose a base branch
from
Open

Mosip 33327 #1486

wants to merge 79 commits into from

Conversation

Sohandey
Copy link
Member

No description provided.

nandhu-kumar and others added 30 commits April 18, 2024 17:43
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Sohan Kumar Dey <[email protected]>
Signed-off-by: Sohan Kumar Dey <[email protected]>
Signed-off-by: Sohan Kumar Dey <[email protected]>
Signed-off-by: Pankaj Godiyal <[email protected]>
MOSIP-30855 MOSIP-30854 MOSIP-30852 MOSIP-30851 MOSIP-30553
MOSIP-30855 MOSIP-30854 MOSIP-30852 MOSIP-30851 MOSIP-30553
MOSIP-30855 MOSIP-30854 MOSIP-30852 MOSIP-30851 MOSIP-30553
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
nandhu-kumar and others added 21 commits May 28, 2024 15:17
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>
Signed-off-by: Nandhukumar <[email protected]>

Cipher cipher;
try {
cipher = Cipher.getInstance(RSA_ECB_OAEP_PADDING);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High test

Cryptographic algorithm
RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING
is weak and should not be used.
CryptoUtils.verifyData(data);
Cipher cipher;
try {
cipher = Objects.isNull(storeType) ? Cipher.getInstance(RSA_ECB_NO_PADDING) : // NOSONAR using the padding for allowing OAEP padding in PKCS11 library

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High test

Cryptographic algorithm
RSA/ECB/NoPadding
is weak and should not be used.
Cipher cipher;
try {
cipher = Objects.isNull(storeType) ? Cipher.getInstance(RSA_ECB_NO_PADDING) : // NOSONAR using the padding for allowing OAEP padding in PKCS11 library
Cipher.getInstance(RSA_ECB_NO_PADDING, storeType); // NOSONAR using the padding for allowing OAEP padding in PKCS11 library

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High test

Cryptographic algorithm
RSA/ECB/NoPadding
is weak and should not be used.
// Used as a hack for softhsm oeap padding decryption usecase will be when we
// will use in HSM
@SuppressWarnings("java:S106")
private static final String RSA_ECB_NO_PADDING = "RSA/ECB/NoPadding"; // NOSONAR using the padding for allowing OAEP padding in PKCS11 library

Check failure

Code scanning / CodeQL

Use of RSA algorithm without OAEP High test

This specification is used to
initialize an RSA cipher
without OAEP padding.
This specification is used to
initialize an RSA cipher
without OAEP padding.
CryptoUtils.verifyData(data);
Cipher cipher;
try {
cipher = Objects.isNull(storeType) ? Cipher.getInstance(RSA_ECB_NO_PADDING) : // NOSONAR using the padding for allowing OAEP padding in PKCS11 library

Check failure

Code scanning / CodeQL

Use of RSA algorithm without OAEP High test

This specification is used to
initialize an RSA cipher
without OAEP padding.
Cipher cipher;
try {
cipher = Objects.isNull(storeType) ? Cipher.getInstance(RSA_ECB_NO_PADDING) : // NOSONAR using the padding for allowing OAEP padding in PKCS11 library
Cipher.getInstance(RSA_ECB_NO_PADDING, storeType); // NOSONAR using the padding for allowing OAEP padding in PKCS11 library

Check failure

Code scanning / CodeQL

Use of RSA algorithm without OAEP High test

This specification is used to
initialize an RSA cipher
without OAEP padding.
public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
// Install the all-trusting trust manager
final SSLContext sc = SSLContext.getInstance(Encrypt.SSL);
sc.init(null, UNQUESTIONING_TRUST_MANAGER, null);

Check failure

Code scanning / CodeQL

`TrustManager` that accepts all certificates High test

This uses
TrustManager
, which is defined in
Encrypt$
and trusts any certificate.

}
public static String trimBeginEnd(String pKey) {
pKey = pKey.replaceAll("-*BEGIN([^-]*)-*(\r?\n)?", "");

Check failure

Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data High test

This
regular expression
that depends on a
user-provided value
may run slow on strings with many repetitions of '-'.
}
public static String trimBeginEnd(String pKey) {
pKey = pKey.replaceAll("-*BEGIN([^-]*)-*(\r?\n)?", "");
pKey = pKey.replaceAll("-*END([^-]*)-*(\r?\n)?", "");

Check failure

Code scanning / CodeQL

Polynomial regular expression used on uncontrolled data High test

This
regular expression
that depends on a
user-provided value
may run slow on strings with many repetitions of '-'.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants