  1. JBoss Enterprise Application Platform
  2. JBEAP-10077

Coverity, dereference null return value in KeyStoreCredentialStore.saveSecretKey


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 7.1.0.DR17
    • 7.1.0.DR15
    • Security
    • None

      Coverity found a possible null dereference: encrypt.getIV() can return null when the cryptoAlg option is configured with an algorithm that does not use an IV.

      https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=12563831&defectInstanceId=2991544&mergedDefectId=1422739

      KeyStoreCredentialStore.java
              private void saveSecretKey(String ksAlias, ObjectOutputStream oos, KeyStore.SecretKeyEntry entry) throws IOException, GeneralSecurityException {
                  ByteArrayOutputStream entryData = new ByteArrayOutputStream(1024);
                  ObjectOutputStream entryOos = new ObjectOutputStream(entryData);
                  entryOos.writeUTF(ksAlias);
                  writeBytes(entry.getSecretKey().getEncoded(), entryOos);
                  entryOos.flush();
      
                  encrypt.init(Cipher.ENCRYPT_MODE, storageSecretKey);
                  int blockSize = encrypt.getBlockSize();
                  Assert.checkMaximumParameter("cipher block size", 256, blockSize);
                  byte[] padded = pkcs7Pad(entryData.toByteArray(), blockSize);
      
                  byte[] encrypted = encrypt.doFinal(padded);
                  byte[] iv = encrypt.getIV();
      
                  oos.writeInt(SECRET_KEY_ENTRY_TYPE);
                  writeBytes(encrypted, oos);
                  writeBytes(iv, oos);
              }
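
      Added example, not code from this issue or from the project: it shows Cipher.getIV() returning null for a transformation without an IV, and one way to serialize the optional IV without dereferencing it. The class name, the helpers writeBytesNullSafe and readBytes, the zero-length encoding for "no IV" and the all-zero key are assumptions; the page shows neither the body of writeBytes nor the fix that was applied.

```java
import java.io.*;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

public class NullIvDemo {
    // Hypothetical helper (assumption): a null array is written as length 0, never dereferenced.
    static void writeBytesNullSafe(byte[] data, ObjectOutputStream out) throws IOException {
        int len = data == null ? 0 : data.length;
        out.writeInt(len);
        if (len > 0) out.write(data);
    }

    static byte[] readBytes(ObjectInputStream in) throws IOException {
        int len = in.readInt();
        if (len == 0) return null; // length 0 means "no IV was stored"
        byte[] b = new byte[len];
        in.readFully(b);
        return b;
    }

    static byte[] roundTrip(String transformation) throws Exception {
        SecretKeySpec key = new SecretKeySpec(new byte[16], "AES"); // constructed demo key
        Cipher encrypt = Cipher.getInstance(transformation);
        encrypt.init(Cipher.ENCRYPT_MODE, key);
        byte[] encrypted = encrypt.doFinal(new byte[16]); // one block of constructed data
        byte[] iv = encrypt.getIV(); // null when the mode has no IV (e.g. ECB)
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
            writeBytesNullSafe(encrypted, oos);
            writeBytesNullSafe(iv, oos);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            byte[] ct = readBytes(ois);
            byte[] storedIv = readBytes(ois);
            Cipher decrypt = Cipher.getInstance(transformation);
            if (storedIv == null) decrypt.init(Cipher.DECRYPT_MODE, key);
            else decrypt.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(storedIv));
            decrypt.doFinal(ct); // throws if the stored entry cannot be decrypted
            return storedIv;
        }
    }

    public static void main(String[] args) throws Exception {
        for (String t : new String[] {"AES/CBC/NoPadding", "AES/ECB/NoPadding"}) {
            byte[] iv = roundTrip(t);
            System.out.println(t + " -> stored IV: " + (iv == null ? "none" : iv.length + " bytes"));
        }
    }
}
```

      The reader side has to use the same convention, so a store written this way selects the IV-less init() call when the recorded length is 0.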
      

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma