
Security of ValueLinkApi.java

Open vraychev opened this issue 6 years ago • 3 comments

In our static observation of the code, we see some strange things in ValueLinkApi.java and DesCrypt.java. Would it be possible for the protocols to be secured?

The initialization vector is set to all zeros, which is insecure:

import javax.crypto.spec.IvParameterSpec;

byte[] zeros = { 0, 0, 0, 0, 0, 0, 0, 0 }; // fixed all-zero IV, 8 bytes (the DES block size)
IvParameterSpec iv = new IvParameterSpec(zeros);

DES is used, which is old and insecure.

vraychev avatar Apr 04 '18 10:04 vraychev
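To make the two findings above concrete, here is an added example (written for this page, not code from the issue or from the scipio-erp/ValueLink sources) that puts the reported pattern, DES/CBC under a fixed all-zero IV, next to a hardened replacement, AES-256/GCM with a fresh random nonce per message. The class name, the sample messages, the 8-byte DES key and the helper names are constructed for illustration; the example assumes only the JDK's built-in SunJCE provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ZeroIvDemo {

    // Weak pattern from the report: DES in CBC mode with a fixed all-zero IV.
    // Kept here only to show what it leaks; do not use in new code.
    static byte[] desCbcZeroIv(byte[] key8, byte[] plaintext) throws Exception {
        byte[] zeros = { 0, 0, 0, 0, 0, 0, 0, 0 };
        Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key8, "DES"), new IvParameterSpec(zeros));
        return c.doFinal(plaintext);
    }

    // Hardened replacement: AES-256 in GCM mode with a fresh random 96-bit nonce per
    // message. The nonce is prepended to the ciphertext so the receiver can recover it;
    // the 128-bit GCM tag also detects tampering, which DES/CBC never did.
    static final int NONCE_LEN = 12;
    static final int TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    static byte[] aesGcmEncrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[NONCE_LEN + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_LEN);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    static byte[] aesGcmDecrypt(SecretKey key, byte[] nonceAndCt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonceAndCt, 0, NONCE_LEN));
        return c.doFinal(nonceAndCt, NONCE_LEN, nonceAndCt.length - NONCE_LEN);
    }

    static boolean samePrefix(byte[] a, byte[] b, int n) {
        return Arrays.equals(Arrays.copyOf(a, n), Arrays.copyOf(b, n));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages: same card field, different amount.
        byte[] m1 = "CARD=1234567890123456;AMT=100".getBytes(StandardCharsets.US_ASCII);
        byte[] m2 = "CARD=1234567890123456;AMT=999".getBytes(StandardCharsets.US_ASCII);

        // Constructed 8-byte DES key; a real integration would load it from configuration.
        byte[] desKey = "k3y-demo".getBytes(StandardCharsets.US_ASCII);
        byte[] c1 = desCbcZeroIv(desKey, m1);
        byte[] c2 = desCbcZeroIv(desKey, m2);
        // With a fixed IV, CBC is deterministic up to the first differing plaintext block:
        // the three leading 8-byte blocks of c1 and c2 are identical, so anyone who sees
        // both ciphertexts learns that the messages share a 24-byte prefix (the card number).
        System.out.println("DES/CBC zero IV, 24-byte prefix identical: " + samePrefix(c1, c2, 24)); // true

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] g1 = aesGcmEncrypt(aesKey, m1);
        byte[] g2 = aesGcmEncrypt(aesKey, m1); // the same plaintext encrypted twice
        // Fresh nonce per call: even identical plaintexts produce unrelated ciphertexts.
        System.out.println("AES/GCM, same plaintext twice, 24-byte prefix identical: " + samePrefix(g1, g2, 24)); // false
        System.out.println("AES/GCM round trip ok: " + Arrays.equals(m1, aesGcmDecrypt(aesKey, g1))); // true

        // Integrity: flipping a single ciphertext byte makes decryption fail on the tag check.
        g1[NONCE_LEN] ^= 0x01;
        boolean tamperDetected;
        try {
            aesGcmDecrypt(aesKey, g1);
            tamperDetected = false;
        } catch (AEADBadTagException e) {
            tamperDetected = true;
        }
        System.out.println("AES/GCM tamper detected: " + tamperDetected); // true
    }
}
```

The prefix check is the practical reading of the "IV set to zeros" finding: the weakness is not that zeros are a bad value but that the IV never changes, so equal plaintext prefixes under the same key map to equal ciphertext prefixes. One caveat for an integration like this one: if the remote endpoint dictates the cipher and key format, the sending side cannot switch algorithms on its own, which is why checking what the current ValueLink API expects, as the later comments propose, has to come before changing DesCrypt.java.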

The URL used for ValueLink already uses HTTPS, if that's what you mean. Check payment.properties:

payment.valuelink.url=https://www.callit.com/vltest/api1.asp

Be aware that ValueLink integration may be outdated.


As for DES, you are probably right. We must look into it ASAP. I'll keep you posted.

BTW, it would be great if you can split into different tickets next time. It's more manageable for us in that way.

minifreak avatar Apr 04 '18 11:04 minifreak

Thanks for reporting this to us. Both the zero IV and DES usage are inherited from the upstream project, where it hasn't changed either, probably from lack of use. So we'll have to decide how to handle that case.

pplx avatar Apr 04 '18 17:04 pplx

We contacted the makers of ValueLink (First Data), to see whether ValueLink is still supported. They migrated to a different product line sometime in 2013, so it is unclear whether the current API is supported at all.

It is a rarely used functionality at the moment, so we haven't had a chance to check into it in full yet. We will see whether the API has changed before updating the sources, since it makes sense to do both at the same time. We will keep this ticket open, but it seems as if the overall effect on Scipio ERP is low otherwise.

madppiper avatar Apr 06 '18 14:04 madppiper