Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-958

Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 1.1.0.Beta28
    • 1.1.0.Beta24
    • None
    • None

    Description

      Coverity static analysis found possible use of null object comming from RawPBEKey.getSalt() passed into javax.crypto.spec.PBEParameterSpec.PBEParameterSpec

      javax.crypto.spec.PBEParameterSpec.java
      public PBEParameterSpec(byte[] salt, int iterationCount) {
    this.salt = salt.clone();
    this.iterationCount = iterationCount;
}

      Responsible elytron code:

      KeyUtils.java
      if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) {
            final PBEKey pbeKey = (PBEKey) key;
            // TODO: we miss the IV here
            return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount()));
        }

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8490615&defectInstanceId=2123254&mergedDefectId=1389515

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-8497 Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: