Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[master] JCEEncryptor default encryption algorithm upgrade #2004

Merged
merged 10 commits into from
Dec 1, 2023
Merged

[master] JCEEncryptor default encryption algorithm upgrade #2004

merged 10 commits into from
Dec 1, 2023

Conversation

rfelcman
Copy link
Contributor

JCEEncryptor default encryption algorithm upgrade from AES/CBC/PKCS5Padding to AES/GCM/NoPadding .

Plus extended unit test to verify backwards compatibility.

@rfelcman
JCEEncryptor default encryption algorithm upgrade from AES/CBC/PKCS5P…
8e48054 
…adding to AES/GCM/NoPadding .

Plus extended unit test.

Signed-off-by: Radek Felcman <[email protected]>
@rfelcman
For AES/GCM/NoPadding random initialization vector (IV) instead of st…
f08d1c8 
…atic one.

Signed-off-by: Radek Felcman <[email protected]>
@rfelcman
AES/GCM/NoPadding random initialization vector (IV) moved to the clas…
ba0959d 
…s static context

Signed-off-by: Radek Felcman <[email protected]>
@rfelcman
JCEEncryptor warning message for old algorithm and new JCEEncryptorCm…
7e19e1d 
…d to re-encrypt password.

Signed-off-by: Radek Felcman <[email protected]>
@rfelcman
shell scripts added, resource strings moved to localization bundle
87fc855 
DBWS builder test fix

Signed-off-by: Radek Felcman <[email protected]>
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 30, 2023
View reviewed changes
...e.persistence.core/src/main/java/org/eclipse/persistence/tools/security/JCEEncryptorCmd.java
SecretKey sk = JCEEncryptorCmd.Synergizer.getAESCBCMultitasker();
IvParameterSpec iv = JCEEncryptorCmd.Synergizer.getIvSpec();
decryptCipherAES_CBC = Cipher.getInstance(AES_CBC);
decryptCipherAES_CBC.init(Cipher.DECRYPT_MODE, sk, iv);

Check failure

Code scanning / CodeQL

Using a static initialization vector for encryption High

A
static initialization vector
Loading
should not be used for encryption.
...e.persistence.core/src/main/java/org/eclipse/persistence/tools/security/JCEEncryptorCmd.java
private final Cipher decryptCipherAES_CBC;

public JCEEncryptorCmd() throws Exception {
decryptCipherDES_ECB = Cipher.getInstance(DES_ECB);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
DES/ECB/PKCS5Padding
Loading
is weak and should not be used.
...e.persistence.core/src/main/java/org/eclipse/persistence/tools/security/JCEEncryptorCmd.java
decryptCipherDES_ECB = Cipher.getInstance(DES_ECB);
decryptCipherDES_ECB.init(Cipher.DECRYPT_MODE, JCEEncryptorCmd.Synergizer.getDESMultitasker());

decryptCipherAES_ECB = Cipher.getInstance(AES_ECB);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
AES/ECB/PKCS5Padding
Loading
is weak and should not be used.
...e.persistence.core/src/main/java/org/eclipse/persistence/tools/security/JCEEncryptorCmd.java

SecretKey sk = JCEEncryptorCmd.Synergizer.getAESCBCMultitasker();
IvParameterSpec iv = JCEEncryptorCmd.Synergizer.getIvSpec();
decryptCipherAES_CBC = Cipher.getInstance(AES_CBC);

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
AES/CBC/PKCS5Padding
Loading
is weak and should not be used.
...e.persistence.core/src/main/java/org/eclipse/persistence/tools/security/JCEEncryptorCmd.java
private static class Synergizer {

private static SecretKey getDESMultitasker() throws Exception {
SecretKeyFactory factory = SecretKeyFactory.getInstance("DES");

Check failure

Code scanning / CodeQL

Use of a broken or risky cryptographic algorithm High

Cryptographic algorithm
DES
Loading
is weak and should not be used.
@rfelcman rfelcman merged commit 149e9ce into eclipse-ee4j:master Dec 1, 2023
4 of 6 checks passed
@rfelcman rfelcman deleted the encryptor_upgrade branch December 6, 2023 08:22
rfelcman added a commit to rfelcman/eclipselink that referenced this pull request Apr 30, 2024
@rfelcman
JCEEncryptor default encryption algorithm upgrade (eclipse-ee4j#2004)
68bcc55 
JCEEncryptor default encryption algorithm upgrade from AES/CBC/PKCS5Padding to AES/GCM/NoPadding .
Plus extended unit test.
- for AES/GCM/NoPadding random initialization vector (IV) instead of static one.
- shell scripts added, resource strings moved to localization bundle
DBWS builder test fix

Signed-off-by: Radek Felcman <[email protected]>

(cherry picked from commit 149e9ce)
Signed-off-by: Radek Felcman <[email protected]>
rfelcman added a commit that referenced this pull request Apr 30, 2024
@rfelcman
JCEEncryptor default encryption algorithm upgrade (#2004) (#2122)
a92ca07 
JCEEncryptor default encryption algorithm upgrade from AES/CBC/PKCS5Padding to AES/GCM/NoPadding .
Plus extended unit test.
- for AES/GCM/NoPadding random initialization vector (IV) instead of static one.
- shell scripts added, resource strings moved to localization bundle
DBWS builder test fix



(cherry picked from commit 149e9ce)

Signed-off-by: Radek Felcman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lukasj lukasj lukasj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rfelcman @lukasj