
CogniCrypt fails to track static fields #292

Closed
ericbodden opened this issue May 15, 2019 · 4 comments

@ericbodden

Linghui has a test case in which the program uses too few rounds for key derivation, but the round value "20" is stored in a static field. CogniCrypt fails to report this rule violation.

@johspaeth
Contributor

Thanks for reporting, @linghuiluo. Can you share the code?

@johspaeth
Contributor

I found minimal working and non-working code:

No error:

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;

public class NoError { // wrapper class added so the snippet compiles
    // Static field initialised inline: CogniCrypt reports nothing for this variant.
    private static String INSTANCE = "AES";

    public static void main(String... args) throws GeneralSecurityException {
        Cipher cip = Cipher.getInstance(INSTANCE);
        cip.doFinal();
    }
}
```

but an error is shown when we explicitly assign the field to a variable:

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;

public class WithError { // wrapper class added so the snippet compiles
    private static String INSTANCE;

    public static void main(String... args) throws GeneralSecurityException {
        String var = "AES";
        // Explicit assignment from a local: CogniCrypt does report an error here.
        INSTANCE = var;
        Cipher cip = Cipher.getInstance(INSTANCE);
        cip.doFinal();
    }
}
```

@johspaeth johspaeth self-assigned this May 15, 2019
@linghuiluo

@johspaeth, example here:

```java
import java.security.Key;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Example { // wrapper class added so the snippet compiles
  // Too few PBKDF2 rounds, held in a static field: CogniCrypt misses this violation.
  private static int count = 20;

  public static Key foo(String text, byte[] salt) {
    try {
      char[] textCharArray = text.toCharArray();
      PBEKeySpec pbe = new PBEKeySpec(textCharArray, salt, count, 128);
      SecretKeyFactory skf;
      skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
      SecretKey key = skf.generateSecret(pbe);
      return new SecretKeySpec(key.getEncoded(), "AES");
    } catch (Exception e) {
      throw new RuntimeException(e);
    }
  }
}
```
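A compilable regression program that puts the thread's three variants side by side, added here as an example (not CryptoAnalysis test-suite code): the class and method names, the 100_000 round count and the sample salt and password are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class StaticFieldRounds {
    // Kept non-final on purpose: a 'static final int' with a literal initialiser is a
    // compile-time constant that javac inlines at each use, so the field would never
    // be read and an analysis would see a literal instead of a static field.
    private static int weakRoundsInline = 20;   // initialised inline, as in the report
    private static int weakRoundsAssigned;      // assigned in main, the variant that is flagged
    private static int strongRounds = 100_000;  // assumed adequate value, not taken from a CrySL rule

    // Same derivation as the reported foo(), with the round count as a parameter.
    static Key derive(char[] password, byte[] salt, int rounds) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, rounds, 128);
        try {
            SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return new SecretKeySpec(skf.generateSecret(spec).getEncoded(), "AES");
        } finally {
            spec.clearPassword(); // drop the spec's own copy of the password
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];                     // constructed sample; use SecureRandom in real code
        char[] pw = "constructed sample".toCharArray(); // constructed sample password

        derive(pw, salt, weakRoundsInline);    // (a) violation that this issue says is missed
        weakRoundsAssigned = 20;
        derive(pw, salt, weakRoundsAssigned);  // (b) violation that this issue says is reported
        derive(pw, salt, strongRounds);        // (c) expected to produce no report
        java.util.Arrays.fill(pw, '\0');       // wipe the password array
    }
}
```

Running the analysis over this one class shows at a glance which of (a) and (b) is reported, so the fix for this issue can be checked by requiring a finding for both and none for (c).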

@kruegers kruegers pinned this issue May 30, 2019
@johspaeth johspaeth unpinned this issue Jun 10, 2019
@kruegers
Member

kruegers commented May 7, 2020

Closing this issue because it is a duplicate of CROSSINGTUD/CryptoAnalysis#97.
