Showing
5 changed files
with
68 additions
and
15 deletions.
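--- a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
+++ b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0015/MastgTest_reversed.java
@@ -0,0 +1,33 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.util.Base64;
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+import kotlin.text.Charsets;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+public static final int $stable = 8;
+private final Context context;
+
+public MastgTest(Context context) {
+Intrinsics.checkNotNullParameter(context, "context");
+this.context = context;
+}
+
+public final String mastgTest() {
+byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, 115};
+Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
+SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES");
+cipher.init(1, secretKey);
+byte[] bytes = "my secret here".getBytes(Charsets.UTF_8);
+Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES");
+return "SUCCESS!!\n\nThe keys were generated and used successfully with the following details:\n\nHardcoded AES Encryption Key: " + Base64.encodeToString(keyBytes, 0) + "\nHardcoded Key from string: " + Base64.encodeToString(badSecretKeySpec.getEncoded(), 0) + '\n';
+}
+}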
@@ -1 +1,18 @@ | ||
|
||
|
||
┌─────────────────┐ | ||
│ 3 Code Findings │ | ||
└─────────────────┘ | ||
|
||
MastgTest_reversed.java | ||
❯❯❱ hardcoded-crypto-key-test | ||
Hardcoded cryptographic keys are found in use. | ||
|
||
24┆ byte[] keyBytes = {108, 97, 107, 100, 115, 108, 106, 107, 97, 108, 107, 106, 108, 107, 108, | ||
115}; | ||
25┆ Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); | ||
26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); | ||
⋮┆---------------------------------------- | ||
26┆ SecretKeySpec secretKey = new SecretKeySpec(keyBytes, "AES"); | ||
⋮┆---------------------------------------- | ||
30┆ SecretKeySpec badSecretKeySpec = new SecretKeySpec(bytes, "AES"); |
@@ -1 +1 @@ | ||
semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./hardcoded-key-in-use.java --text -o output.txt | ||
semgrep -c ../rules/mastg-android-hardcoded-crypto-keys-usage.yml ./MastgTest_reversed.java --text -o output.txt |
@@ -1,14 +1,14 @@ | ||
rules: | ||
- id: hardcoded-crypto-key-test | ||
pattern-either: | ||
- pattern: | | ||
new SecretKeySpec($KEY.getBytes(), $ALGO) | ||
- pattern: | | ||
byte[] $KEY = "...".getBytes(); | ||
... | ||
new SecretKeySpec($KEY, $ALGO); | ||
message: >- | ||
Hardcoded cryptographic keys are found in use. | ||
languages: | ||
- java | ||
severity: WARNING | ||
severity: WARNING | ||
metadata: | ||
summary: This rule scans for hardcoded getting used. | ||
message: Hardcoded cryptographic keys are found in use. | ||
pattern-either: | ||
- pattern: SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO); | ||
- pattern: |- | ||
byte[] $KEY = {...}; | ||
... | ||
new SecretKeySpec($KEY, $ALGO); |
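Review bot: The pattern `SecretKeySpec $_ = new SecretKeySpec($KEY, $ALGO);` matches every SecretKeySpec construction regardless of where `$KEY` comes from, so keys unwrapped from a KeyStore, derived with a KDF, or received at runtime will all be reported as "hardcoded", and the two string-literal patterns that previously bound `$KEY` to a `"...".getBytes()` source are gone. The page has lost the +/- markers, so I am inferring from the 14/14 hunk counts and the sample output in this commit (line 26 reported twice, once per pattern) that the block from `metadata:` down is the new side. Keeping the literal-bound patterns next to the new array-literal pattern preserves all three findings in the demo without the catch-all; the summary line also reads `This rule scans for hardcoded getting used.` and is missing its noun, e.g. `This rule scans for hardcoded cryptographic keys getting used.`.
```yaml
  pattern-either:
    - pattern: |
        new SecretKeySpec("...".getBytes(...), $ALGO)
    - pattern: |
        byte[] $KEY = "...".getBytes(...);
        ...
        new SecretKeySpec($KEY, $ALGO);
    - pattern: |-
        byte[] $KEY = {...};
        ...
        new SecretKeySpec($KEY, $ALGO);
```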