aliyun/aliyun-oss-java-sdk

RSA key is passed as string instead of byte[]

akwick opened this issue · 3 comments

During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses which we could confirm as a true positive of the analysis, CogniCryptSAST, is in this project.
In the class SimpleRSAEncryptionMaterials, a key, e.g. on line 196, is passed as a string, and that is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are visible in memory to attackers for longer than necessary and are outside of the direct control of the developer. The data type suggested by the JCA is bytes (see the JCA Documentation).

Thus, the observed usage is a misuse of the JCA API.

Steps to reproduce

  1. Apply CogniCryptSAST to the project
  2. Inspect the misuses reported
akwick commented

During a study to label real-world JCA usages, we, @schlichtig and I, observed the use of a string for sensitive information in another case.

In the method getPrivateKeyFromPemPKCS8 a private key is handled as a string.
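As an added illustration of the point raised in the issue and in this comment (example code written for this thread, not code from aliyun-oss-java-sdk): the String-based pattern next to a byte[] version that wipes every intermediate buffer. The class name `Pkcs8KeyLoader` and the method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;

// Added example for this issue; it is not code from aliyun-oss-java-sdk.
public final class Pkcs8KeyLoader {
    private static final byte[] BEGIN = "-----BEGIN PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] END = "-----END PRIVATE KEY-----".getBytes(StandardCharsets.US_ASCII);

    // Pattern flagged in the issue: the PEM text is an immutable String, so neither
    // it nor the Base64-decoded copy can be cleared; both linger until the GC runs.
    static PrivateKey fromPemString(String pem) throws GeneralSecurityException {
        String b64 = pem.replace(new String(BEGIN, StandardCharsets.US_ASCII), "")
                        .replace(new String(END, StandardCharsets.US_ASCII), "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Preferred form: every buffer holding key material is a byte[] that the
    // caller owns and that is overwritten once the PrivateKey has been built.
    // The caller's own array is wiped too, so read the file with Files.readAllBytes.
    static PrivateKey fromPemBytes(byte[] pem) throws GeneralSecurityException {
        byte[] body = null, der = null;
        try {
            int start = indexOf(pem, BEGIN), end = indexOf(pem, END);
            if (start < 0 || end <= start) throw new IllegalArgumentException("not a PKCS#8 PEM block");
            body = Arrays.copyOfRange(pem, start + BEGIN.length, end);
            der = Base64.getMimeDecoder().decode(body);   // MIME decoder skips line breaks
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } finally {                                        // wipe even on a parse failure
            Arrays.fill(pem, (byte) 0);
            if (body != null) Arrays.fill(body, (byte) 0);
            if (der != null) Arrays.fill(der, (byte) 0);
        }
    }

    // Byte-level substring search so the armor lines are located without a String.
    private static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }
}
```

This narrows the window rather than closing it: the PrivateKey object the provider builds still holds its own copies of the key parameters, so the gain is that the caller controls the lifetime of every intermediate buffer instead of leaving them to the garbage collector.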