
FP S5542 (EncryptionAlgorithmCheck): should support default security java provider


    Details

    • Type: False-Positive
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.3
    • Component/s: Rules
    • Labels: None

      Description

      Rule S5542 should smoothly cover Java Security providers, which are sometimes inconsistent. For example, with the Bouncy Castle security provider this code executes without problems:

      Cipher.getInstance("RSA/None/OAEPWITHSHA-256ANDMGF1PADDING");
      

      But with the SUN security provider (the default for OpenJDK 11, for example) this runtime error appears:

      java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/NONE/OAEPWITHSHA-256ANDMGF1PADDING
      

      The only cryptographic modes supported by the SUN provider for the RSA algorithm are:

      RSA/ECB/*
      

      ECB doesn't make sense for the RSA algorithm (RSA is an asymmetric algorithm and ECB is a mode for block ciphers, but that is how it is done in Java ...).

      Thus the rule should raise an issue when ECB is found, except when the algorithm is RSA:

      RSA/ECB/* // Compliant
      AES/ECB/NoPadding // Noncompliant
      
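
      The following is an added example, not code from the SonarJava project or from the ticket. It shows the decision the ticket asks for (report ECB, but not for RSA transformations) as a small Java check, and probes the JVM's default provider chain for the same transformation strings so the two cases in the description can be compared on a plain OpenJDK without Bouncy Castle. The class and method names are assumptions; the transformation list is constructed for the demonstration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

public class EcbTransformationCheck {

    // The rule logic described in the ticket: a transformation "ALG/MODE/PADDING"
    // is reported when MODE is ECB, unless ALG is RSA, because the JCE uses
    // "ECB" as the only mode name for RSA with the default SUN providers.
    // A bare algorithm name such as "AES" has no explicit mode and is left
    // alone here, although SunJCE silently defaults it to ECB/PKCS5Padding.
    static boolean isNoncompliantEcb(String transformation) {
        String[] parts = transformation.split("/");
        if (parts.length < 2) {
            return false; // no explicit mode in the string
        }
        String algorithm = parts[0].trim().toUpperCase(Locale.ROOT);
        String mode = parts[1].trim().toUpperCase(Locale.ROOT);
        return "ECB".equals(mode) && !"RSA".equals(algorithm);
    }

    // Ask the installed providers whether the transformation is available.
    // Transformation names are case-insensitive, so the upper-case OAEP
    // spelling from the ticket resolves the same as OAEPWithSHA-256AndMGF1Padding.
    static String probe(String transformation) {
        try {
            Cipher c = Cipher.getInstance(transformation);
            return "supported by " + c.getProvider().getName();
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample transformations, including the two from the ticket.
        String[] samples = {
            "RSA/None/OAEPWITHSHA-256ANDMGF1PADDING", // Bouncy Castle only
            "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING",  // accepted by SunJCE
            "AES/ECB/NoPadding",
            "AES/GCM/NoPadding",
        };
        for (String t : samples) {
            System.out.printf("%-42s rule=%-12s jce=%s%n", t,
                    isNoncompliantEcb(t) ? "Noncompliant" : "Compliant",
                    probe(t));
        }
    }
}
```

      Run it with `java EcbTransformationCheck.java` on OpenJDK 11 or later (no Bouncy Castle on the class path): the `RSA/None/...` line is rejected by the provider chain while `RSA/ECB/...` is supported, which is exactly why the check treats `RSA/ECB/*` as compliant rather than as a misuse of ECB.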

              People

              Assignee:
              quentin.jaquier Quentin Jaquier
              Reporter:
              eric.therond Eric Therond
              Votes:
              0
              Watchers:
              1
