[SONARKT-50] Rule S6288: Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive - SonarSource

XML

Word

Printable

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.1
Component/s: None
Labels:
- Rules

Description

New rule to implement

s6288 should raise an issue on KeyGenParameterSpec.Builder when the call to setUserAuthenticationRequired set to true is missing or if setUserAuthenticationRequired is called but set to false:

val keyGenerator: KeyGenerator = 
var builder: KeyGenParameterSpec = KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT) // Noncompliant 
   .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
   .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
   .build()

var builder: KeyGenParameterSpec = KeyGenParameterSpec.Builder("test_secret_key", KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT) // Noncompliant 
   .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
   .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
   .setUserAuthenticationRequired(false) // Noncompliant secondary location
   .build()

Attachments

Issue Links

implements

RSPEC-6288 Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive

Active

Activity

People

Assignee:: Margarita Nedzelska

Reporter:: Eric Therond (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Due:: 05/Jul/21

Created:: 02/Jun/21 9:13 AM

Updated:: 09/Aug/21 2:30 PM

Resolved:: 01/Jul/21 4:20 PM