Split openpdf submodule into openpdf-core-legacy and openpdf-core-modern.#1393
Split openpdf submodule into openpdf-core-legacy and openpdf-core-modern.#1393andreasrosdalw merged 2 commits intomasterfrom
| byte[] hashAlg2B = hashAlg2B(ownerPassword, Arrays.copyOfRange(oValue, 40, 48), uValue); | ||
| cipher.init(Cipher.DECRYPT_MODE, | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
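Review bot: The all-zero IV handed to `cipher.init` here is the value ISO 32000-2 prescribes for decrypting the /OE string (AES-256, CBC, no padding, zero IV — Algorithm 2.A), so this CodeQL hit is a false positive and must not be resolved with a random IV: the writer used a zero IV, and any other value turns the recovered file key into garbage. The fixed IV is sound only because the key `hashAlg2B` is derived from the per-file 8-byte key salt (`oValue[40..48]`) and decrypts exactly one 32-byte value, so no key/IV pair is ever reused. Say so on the line so the next scanner run does not re-open this, e.g. `new IvParameterSpec(new byte[16])); // zero IV mandated by ISO 32000-2 Alg. 2.A; key is single-use per file`, and if the repo uses CodeQL suppression comments add `// lgtm[java/static-initialization-vector]`. Two things this hunk cannot show and that should be checked where the values come in: that `oValue` is validated to be 48 bytes before the `copyOfRange` (a short /O string is either zero-padded or throws an unchecked ArrayIndexOutOfBoundsException here), and that the cipher was created as `AES/CBC/NoPadding` rather than the provider default. The enclosing method begins and ends outside the hunk.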
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
| byte[] hashAlg2B = hashAlg2B(userPassword, Arrays.copyOfRange(uValue, 40, 48), null); | ||
| cipher.init(Cipher.DECRYPT_MODE, | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
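Review bot: Same false positive as the owner-password path: the zero IV passed to `cipher.init` is what ISO 32000-2 Algorithm 2.A specifies for decrypting /UE, and the `null` third argument to `hashAlg2B` is correct because the user-password hash does not fold in the /U string. The change actually worth making is in how the output is collected: the `key = cipher.update(ueValue, 0, ueValue.length)` shown as context in the autofix hunk is only guaranteed to return complete blocks and silently drops whatever the provider buffers, so use `key = cipher.doFinal(ueValue);` — SunJCE returns all 32 bytes from `update` with NoPadding, but that is provider behaviour rather than the `Cipher` contract. Add the same one-line justification comment on the IV line as on the owner path so the alert is self-explaining. The enclosing method starts and ends outside this hunk.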
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
Copilot Autofix
AI 9 months ago
To fix the issue, replace the static IV (new byte[16]) with a securely generated IV using SecureRandom. This ensures that the IV is random and unpredictable. For decryption, the IV used during encryption must be securely stored and retrieved. If the IV is not available, the encryption process must be updated to generate and store a random IV.
Changes to make:
- Replace `new byte[16]` with a securely generated IV using `SecureRandom` during encryption.
- Ensure the IV is securely stored and retrieved for decryption.
- Update the affected methods (`setupByOwnerPassword`, `setupByUserPassword`, and `decryptAndCheckPerms`) to use the securely generated IV.
| @@ -74,2 +74,15 @@ | ||
|
|
||
| /** | ||
| * Generates a secure random initialization vector (IV). | ||
| * | ||
| * @return a byte array containing the secure IV | ||
| * @throws GeneralSecurityException if a secure random instance cannot be created | ||
| */ | ||
| private byte[] generateSecureIV() throws GeneralSecurityException { | ||
| byte[] iv = new byte[16]; | ||
| SecureRandom random = SecureRandom.getInstanceStrong(); | ||
| random.nextBytes(iv); | ||
| return iv; | ||
| } | ||
|
|
||
| public static final int STANDARD_ENCRYPTION_40 = 2; | ||
| @@ -807,3 +820,3 @@ | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateSecureIV())); | ||
| key = cipher.update(oeValue, 0, oeValue.length); | ||
| @@ -828,3 +841,3 @@ | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateSecureIV())); | ||
| key = cipher.update(ueValue, 0, ueValue.length); | ||
| @@ -846,3 +859,3 @@ | ||
| new SecretKeySpec(key, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateSecureIV())); | ||
| byte[] decPerms = cipher.update(permsValue, 0, permsValue.length); |
|
|
||
| cipher.init(Cipher.DECRYPT_MODE, | ||
| new SecretKeySpec(key, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
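Review bot: This `cipher.init` decrypts the 16-byte /Perms string with the file key, and for a single block CBC with a zero IV is bit-for-bit the AES-256 ECB/no-padding operation ISO 32000-2 Algorithm 13 describes, so the fixed IV is correct and a random one would make every R6 document fail its permissions check. What matters for security is what happens to the decrypted block afterwards: per Algorithm 13 bytes 9–11 must equal `adb` and bytes 0–3 must agree with the /P entry of the encryption dictionary, and that validation lives outside this hunk (the method begins earlier and continues past it), so confirm it is present and that a mismatch is treated as a tampered file rather than ignored. Annotate the IV with `// zero IV: single-block CBC == ECB, as ISO 32000-2 Alg. 13 requires` so the scanner finding can be dismissed as by-design.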
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
Copilot Autofix
AI 9 months ago
To fix the issue, replace the static initialization vector (new byte[16]) with a securely generated random IV using SecureRandom. This ensures that the IV is unpredictable and unique for each operation. Specifically:
- Import `java.security.SecureRandom` if not already imported.
- Replace `new byte[16]` with a randomly generated byte array using `SecureRandom`.
- Ensure the IV generation is consistent with the cryptographic requirements of the protocol.
The changes will be applied to the decryptAndCheckPerms method and similar occurrences in the setupByOwnerPassword and setupByUserPassword methods.
| @@ -67,2 +67,3 @@ | ||
|
|
||
| import java.security.SecureRandom; | ||
|
|
||
| @@ -807,3 +808,3 @@ | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateRandomIV())); | ||
| key = cipher.update(oeValue, 0, oeValue.length); | ||
| @@ -828,3 +829,3 @@ | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateRandomIV())); | ||
| key = cipher.update(ueValue, 0, ueValue.length); | ||
| @@ -846,3 +847,3 @@ | ||
| new SecretKeySpec(key, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateRandomIV())); | ||
| byte[] decPerms = cipher.update(permsValue, 0, permsValue.length); | ||
| @@ -905,2 +906,14 @@ | ||
| } | ||
|
|
||
| /** | ||
| * Generates a random initialization vector (IV) using SecureRandom. | ||
| * | ||
| * @return a byte array containing the random IV | ||
| */ | ||
| private byte[] generateRandomIV() { | ||
| byte[] iv = new byte[16]; | ||
| SecureRandom random = new SecureRandom(); | ||
| random.nextBytes(iv); | ||
| return iv; | ||
| } | ||
|
|
| hashAlg2B = hashAlg2B(userPassword, Arrays.copyOfRange(userSalts, 8, 16), null); | ||
| cipher.init(Cipher.ENCRYPT_MODE, | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
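Review bot: On the encrypt side the fixed IV is again by specification — ISO 32000-2 Algorithm 8 step (b) encrypts the file key with AES-256 CBC, no padding, zero IV — but the safety argument has a precondition this hunk cannot show: a zero IV with CBC is only sound when the key `hashAlg2B` is never reused, which holds only if `userSalts` (the key salt is taken from bytes 8..16) comes from a CSPRNG such as `SecureRandom` and is regenerated for every document. If the salts were fixed or derived deterministically, two documents protected with the same user password would encrypt their file keys under the same key/IV pair and reveal whether those keys share leading blocks. Please verify where `userSalts` is generated and state the invariant at the call: `// zero IV is safe only because hashAlg2B is a fresh per-document key (random key salt in userSalts[8..16])`. The method this belongs to (computeUAndUeAlg8, going by the autofix text) starts and ends outside the hunk.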
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
Copilot Autofix
AI 9 months ago
To fix the issue, replace the static IV (new byte[16]) with a randomly generated IV using SecureRandom. This ensures that the IV is unique and unpredictable for each encryption operation. Specifically:
- Import `java.security.SecureRandom` if not already imported.
- Replace `new byte[16]` with a randomly generated IV using `SecureRandom`.
- Ensure the IV generation is consistent with cryptographic best practices.
The changes will be applied to the computeUAndUeAlg8 and computePermsAlg10 methods where static IVs are used.
| @@ -66,3 +66,3 @@ | ||
| import javax.crypto.spec.SecretKeySpec; | ||
|
|
||
| import java.security.SecureRandom; | ||
|
|
||
| @@ -929,3 +929,3 @@ | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateRandomIV(16))); | ||
| ueKey = cipher.update(key, 0, keySize); | ||
| @@ -984,5 +984,18 @@ | ||
| new SecretKeySpec(key, "AES"), | ||
| new IvParameterSpec(new byte[16])); | ||
| new IvParameterSpec(generateRandomIV(16))); | ||
| perms = cipher.update(rawPerms, 0, 16); | ||
| } | ||
| /** | ||
| * Generates a random initialization vector (IV) of the specified length. | ||
| * | ||
| * @param length the length of the IV in bytes | ||
| * @return a byte array containing the random IV | ||
| * @throws GeneralSecurityException if a secure random instance cannot be created | ||
| */ | ||
| private byte[] generateRandomIV(int length) throws GeneralSecurityException { | ||
| byte[] iv = new byte[length]; | ||
| SecureRandom random = SecureRandom.getInstanceStrong(); | ||
| random.nextBytes(iv); | ||
| return iv; | ||
| } | ||
| } |
| hashAlg2B = hashAlg2B(ownerPassword, Arrays.copyOfRange(ownerSalts, 8, 16), userKey); | ||
| cipher.init(Cipher.ENCRYPT_MODE, | ||
| new SecretKeySpec(hashAlg2B, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
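Review bot: The `userKey` passed as the third argument to `hashAlg2B` is the value ISO 32000-2 Algorithm 9 folds into the owner hash, and the spec wants the complete 48-byte /U string (hash plus validation and key salts), not the 32-byte hash alone; the hunk does not show how `userKey` is built, so confirm it is the full U value, otherwise owner-password validation in other readers will fail. The zero IV on the following `cipher.init` is the specified value for producing /OE and is safe for the same reason as the user-side call: the key derived from the fresh `ownerSalts[8..16]` salt is used exactly once. Suppress the scanner alert with a justification rather than a code change, e.g. `new IvParameterSpec(new byte[16])); // zero IV mandated by ISO 32000-2 Alg. 9; single-use key`. The enclosing method begins before and ends after this hunk.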
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High
|
|
||
| cipher.init(Cipher.ENCRYPT_MODE, | ||
| new SecretKeySpec(key, "AES"), | ||
| new IvParameterSpec(new byte[16])); |
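Review bot: This `ENCRYPT_MODE` init is the /Perms computation (Algorithm 10 of ISO 32000-2), and because the plaintext is a single 16-byte block (`cipher.update(rawPerms, 0, 16)` in the autofix context) zero-IV CBC is identical to the ECB operation the spec names, so the alert is by-design; the only thing that makes this acceptable is that bytes 12–15 of that block are required to be random and the rest is public, so nothing secret is being encrypted deterministically. Make that explicit on the line — `// single block: CBC/zero-IV == ECB per ISO 32000-2 Alg. 10; plaintext is public except random bytes 12-15` — and, if CodeQL suppression comments are in use, add `// lgtm[java/static-initialization-vector]`. Prefer `perms = cipher.doFinal(rawPerms, 0, 16);` over `update` for the single block so a buffering provider cannot hand back zero bytes. The method begins and ends outside the hunk.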
Check failure
Code scanning / CodeQL
Using a static initialization vector for encryption High




Split openpdf submodule into openpdf-core-legacy and openpdf-core-modern.
OpenPDF Java package name change from com.lowagie to org.openpdf
This pull request splits the openpdf submodule into two modules: openpdf-core-legacy, which uses the old Java package name com.lowagie (this will be removed in the future, so please migrate), and the core package openpdf-core-modern, which uses the new Java package name org.openpdf. This is the recommended package to use in new code.