Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 7.1.0.DR14
Affects Version/s: 7.1.0.DR11
Component/s: Security
Labels:
- static_analysis
- utilities

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Coverity static analysis found possible use of null object comming from RawPBEKey.getSalt() passed into javax.crypto.spec.PBEParameterSpec.PBEParameterSpec

javax.crypto.spec.PBEParameterSpec.java

public PBEParameterSpec(byte[] salt, int iterationCount) {
    this.salt = salt.clone();
    this.iterationCount = iterationCount;
}

Responsible elytron code:

KeyUtils.java

if (key instanceof PBEKey && paramSpecClass.isAssignableFrom(PBEParameterSpec.class)) {
            final PBEKey pbeKey = (PBEKey) key;
            // TODO: we miss the IV here
            return paramSpecClass.cast(new PBEParameterSpec(pbeKey.getSalt(), pbeKey.getIterationCount()));
        }

https://scan7.coverity.com/reports.htm#v23632/p11778/fileInstanceId=8490615&defectInstanceId=2123254&mergedDefectId=1389515

is cloned by

ELY-958 Coverity static analysis: Dereference null return value in KeyUtil (Elytron)

Resolved

Assignee:: Ilia Vassilev

Reporter:: Martin Choma

Tester:: Martin Choma

QA Contact:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2017/01/25 3:51 AM

Updated:: 2024/09/02 4:38 PM

Resolved:: 2017/03/14 3:26 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates