multiable Hardcoded Secrets cve #57
Comments
|
Are you talking about the array of bytes? If that's the case these are best described as hardcoded non-secrets, these are expressly null values of these keys. Likely not a bug. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();
Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
core/java/src/net/i2p/crypto/CryptixAESEngine.java
Open this link in a new tab
2 steps in 1 file
Hardcoded Secret
} catch (NoSuchMethodError nsme) {
// JamVM, gij
try {
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
27 line
Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
[core/java/src/net/i2p/crypto/CryptoCheck.java]
private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();
line 53
Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
core/java/src/net/i2p/crypto/CryptixAESEngine.java
KeyFactory kf = KeyFactory.getInstance("RSA");
// private key is modulus (pubkey) + exponent
BigInteger[] nd = split(pk.getData());
// modulus exponent
KeySpec ks = new RSAPrivateKeySpec(nd[0], nd[1]);
line 513
Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead.
[core/java/src/net/i2p/crypto/SigUtil.java]
The text was updated successfully, but these errors were encountered: