Hello currently i have to do an AES encription and send it to an external SW but i am having trouble with the sonarqube.
this is the relevant part of my current code:
String encriptedPad = afegir0Multiple8(Hex.encodeHexString(encriptar.getBytes())); String cadenaAmb0 = afegir0Multiple8(encriptar); //Creem un cadena amb la longitut que necessitem byte[] cadenaRes = cadenaAmb0.getBytes(); //Cadena resultant per encriptar //Clau byte[] hexclaub = DatatypeConverter.parseHexBinary(claveCifradoRedsa); SecretKeySpec key = new SecretKeySpec(ArrayUtils.addAll(hexclaub,ArrayUtils.subarray(hexclaub,0,8)), "AES"); //Vector Init String v = vectorInicial; IvParameterSpec ivectorSpecv = new IvParameterSpec(v.getBytes("UTF-8")); //Encriptem Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, key, ivectorSpecv); byte[] encrypted = cipher.doFinal(cadenaRes); Is a little spaguetti cause it´s recyclated for an old code (TripleDES) sorry for that. But we can get the gist of it that`s that we are using an AES configuration with AES/CBC/PKCS5PADDING
the thing is that our sonarqube is getting this output when i send this code:
Could someone explain me a little about oracle padding attacks and if there is some impact using the instance recommended by sonar? I am quite lost with encryption
pd: The SW has accepted to change the configuration but i would like to understand why i have to use one specific configuration above others
thanks
Advertisement
Answer
Well the question is already solved thanks to @Topaco in the comments below. I will update my code here in order to make this question answered.
My current Code looks like this:
@Overridepublic Map execute(Map in) throws Exception { log.info("********** CIFRADO AES ACTION ****************"); Map params = (Map) in.get("request_params"); Map resultado = new HashMap(); resultado.put("clave", encriptarAES((String) in.get("encriptar"),(String) in.get("claveCifrado"),(String) in.get("vectorInicial"))); return resultado;}private String encriptarAES(String encriptar, String claveCifradoRedsa, String vectorInicial) throws Exception { SecretKey key = new SecretKeySpec(claveCifradoRedsa.getBytes(), "AES"); key = new SecretKeySpec(key.getEncoded(), "AES"); //Encriptem GCMParameterSpec ivParameterSpec = new GCMParameterSpec(128, vectorInicial.getBytes()); Cipher cipher = Cipher.getInstance(instance); cipher.init(Cipher.ENCRYPT_MODE, key, ivParameterSpec); byte[] encrypted = cipher.doFinal(encriptar.getBytes()); String codificado64 = Base64.getUrlEncoder().encodeToString(encrypted); log.info(encriptar); log.info(codificado64); log.info("************************ FIN CIFRADO AES ACTION ***********************"); return codificado64;}I think it a pretty clean example of AES encryption, hope it´s useful to someone