
CogniCrypt error during Signature usage

Open CROSSINGExtServices opened this issue 4 years ago • 0 comments

User Issue Description

Where does this error come from? How to write secure code? (qTESLA employed, but same situation with ECDSA or RSA)

Configuration:

  • Eclipse version: 4.12.0.v20190605-1800
  • Java version: 1.8.0_262
  • OS: linux

CogniCrypt Error Information:

  • Violated CrySL rule: java.security.Signature
  • Error type: requiredPredicateError
  • Error message: First parameter was not properly generated as generated Privkey
  • Severity: Info

Java Code

Error line: sig.initSign(pk);

    import java.security.*;

    // "QTESLAP3" is only available when a provider that implements qTESLA
    // (for example Bouncy Castle's PQC provider) is registered.
    void foo_incorrect() throws NoSuchAlgorithmException, SignatureException, InvalidKeyException {
      byte[] mess = {1, 2};
      KeyPairGenerator generator = KeyPairGenerator.getInstance("QTESLAP3");
      // Key size 0 is not a valid key size; CogniCrypt reports the
      // requiredPredicateError on initSign(pk) below.
      generator.initialize(0);
      KeyPair kp = generator.generateKeyPair();
      PrivateKey pk = kp.getPrivate();
      Signature sig = Signature.getInstance("QTESLAP3");
      sig.initSign(pk);   // error line
      sig.update(mess);
      byte[] sign = sig.sign();
      // print(Object) on a byte[] prints the array reference, not the bytes.
      System.out.print(sign);
      System.out.print(pk);
    }

Jimple Code

    void foo_incorrect() throws java.security.NoSuchAlgorithmException, java.security.SignatureException, java.security.InvalidKeyException
    {
        byte[] $stack7, mess, sign;
        java.security.KeyPairGenerator generator;
        java.security.KeyPair kp;
        java.security.PrivateKey pk;
        java.security.Signature sig;
        java.io.PrintStream $stack13, $stack14;
        Test03b_SignatureGeneration this;
        int varReplacer41;
        java.lang.String varReplacer42, varReplacer43;

        nop;
        this := @this: Test03b_SignatureGeneration;
        $stack7 = newarray (byte)[2];
        $stack7[0] = 1;
        $stack7[1] = 2;
        mess = $stack7;
        varReplacer42 = "QTESLAP3";
        generator = staticinvoke <java.security.KeyPairGenerator: java.security.KeyPairGenerator getInstance(java.lang.String)>(varReplacer42);
        varReplacer41 = 0;
        virtualinvoke generator.<java.security.KeyPairGenerator: void initialize(int)>(varReplacer41);
        kp = virtualinvoke generator.<java.security.KeyPairGenerator: java.security.KeyPair generateKeyPair()>();
        pk = virtualinvoke kp.<java.security.KeyPair: java.security.PrivateKey getPrivate()>();
        varReplacer43 = "QTESLAP3";
        sig = staticinvoke <java.security.Signature: java.security.Signature getInstance(java.lang.String)>(varReplacer43);
        virtualinvoke sig.<java.security.Signature: void initSign(java.security.PrivateKey)>(pk);
        virtualinvoke sig.<java.security.Signature: void update(byte[])>(mess);
        sign = virtualinvoke sig.<java.security.Signature: byte[] sign()>();
        $stack13 = <java.lang.System: java.io.PrintStream out>;
        virtualinvoke $stack13.<java.io.PrintStream: void print(java.lang.Object)>(sign);
        $stack14 = <java.lang.System: java.io.PrintStream out>;
        virtualinvoke $stack14.<java.io.PrintStream: void print(java.lang.Object)>(pk);
        return;
    }

CROSSINGExtServices, Nov 10 '20 11:11
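As an added example (not part of the issue or of the CogniCrypt project), the same sign-and-verify flow written so that the key pair is generated with an explicit, valid parameter set, which is what the `generatedPrivkey` predicate required by `initSign` depends on. It assumes a standard JCA provider with ECDSA over `secp256r1` instead of the qTESLA provider, and that `initialize(0)` in the reported code is what keeps the predicate from being ensured; the message bytes are constructed.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class SignatureExample {
    // Constructed sample message, not taken from the issue.
    private static final byte[] MESSAGE = {1, 2};

    // Generate an EC key pair on a named curve. The private key returned by
    // kp.getPrivate() is "properly generated" in the CrySL sense only after a
    // valid initialize(...) followed by generateKeyPair() (assumption: key size 0
    // in the issue's code is what breaks this chain).
    static KeyPair generateKeyPair() throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
        generator.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom());
        return generator.generateKeyPair();
    }

    // Sign with the private half of the pair.
    static byte[] sign(PrivateKey priv, byte[] data) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(priv);
        sig.update(data);
        return sig.sign();
    }

    // Verify with the public half; a signature is only useful if this round-trips.
    static boolean verify(PublicKey pub, byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pub);
        sig.update(data);
        return sig.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = generateKeyPair();
        byte[] signature = sign(kp.getPrivate(), MESSAGE);
        System.out.println("valid: " + verify(kp.getPublic(), MESSAGE, signature));
        // Encode the bytes; print(Object) on a byte[] would only show the reference.
        System.out.println(Base64.getEncoder().encodeToString(signature));
    }
}
```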