dromara/mendmix-cloud

Cryptographic API misuse detected

anam-dodhy opened this issue · 0 comments

Hi, I am currently looking into projects on GitHub which are parametrically misusing cryptographic APIs for my research, and I came across a few instances in your project where I found such misuses. These misuses have been highlighted in research papers such as

In your source code file DES.java there are the following issues in encrypt(String, String):

  • At line 37
AlgorithmParameterSpec paramSpec = new IvParameterSpec(IV_PARAMS_BYTES);;

The first parameter should be properly randomized using java.security.SecureRandom API.

  • At line 36
Cipher cipher = Cipher.getInstance(ALGORITHM_DES);

The first parameter (with value "DES/CBC/PKCS5Padding") should be any of {AES, Blowfish, DESede, PBEWithHmacSHA224AndAES_128, PBEWithHmacSHA256AndAES_128, PBEWithHmacSHA384AndAES_128, PBEWithHmacSHA512AndAES_128, PBEWithHmacSHA224AndAES_256, PBEWithHmacSHA256AndAES_256, PBEWithHmacSHA384AndAES_256, PBEWithHmacSHA512AndAES_256, RSA}

  • Consequently at line 38
cipher.init(Cipher.ENCRYPT_MODE, secretKey,paramSpec);  

Since "paramSpec" was not properly prepared due to the absence of randomization, the cipher.init() call here is compromised as well. The same issues were found in the function "decrypt(String, String)".

Next, in your source code file AES.java we found the following misuses:

  • At lines 54 and 39
Cipher cipher = Cipher.getInstance("AES");  

The first parameter (with value "AES") should be any of AES/{CBC, GCM, PCBC, CTR, CTS, CFB, OFB}

Next, in your source code file SHA1.java we found the following misuses:

  • At line 40
MessageDigest md = MessageDigest.getInstance("SHA-1");

The first parameter (with value "SHA-1") should be any of {SHA-256, SHA-384, SHA-512}

Then, in your source code file DigestUtils.java we found the following misuses:

  • At line 37
MessageDigest md = MessageDigest.getInstance(MD5_NAME);

The first parameter (with value "MD5") should be any of {SHA-256, SHA-384, SHA-512}

I believe fixing these issues would help your product be more secure.