java:S5542 has invalid compliant example

reitzmichnicht · March 16, 2020, 4:58pm

Using Sonarqube 8.2 with latest SonarJava we get the following false positive “Use secure mode and padding scheme.” for this code:

cipher = Cipher.getInstance("RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING");

The description of the rule says that only RSA/None/OAEPWITHSHA-256ANDMGF1PADDING is complaint, but Java treats ECB as None and the recommended compliant solution with None is not accepted by Java itself.

eric.therond · March 17, 2020, 9:38am

Hello @reitzmichnicht

Thank you very much for this relevant bug report.

A ticket has been created here to handle this issue.

The support of RSA/None/ transformation depends on the Java security provider used:

not supported by SUN security provider.
supported by BouncyCastle provider provider.

I think code example is correct because RSA with ECB doesn’t make any sense:

RSA is an asymmetric cipher algorithm.
ECB is a block cipher mode thus for symmetric algorithm.

So the ticket will only adjust the rule to not raise when RSA/ECB is found.

Eric

nxkavian · July 16, 2021, 8:56pm

Adding these notes in case anyone else comes along and is frustrated with the “/None/”.

Android only has available “ECB” mode, there isn’t a “None”: Android keystore system | Android Developers

It’s recommended to avoid BouncyCastle due to a “side channel protection issue”: java - Cannot find any provider supporting RSA/None/OAEPWITHSHA-256ANDMGF1PADDING - Stack Overflow

BouncyCastle and Go implementations of the algorithm mistakenly use SHA256 instead of SHA1: How to use AES/CBC/PKCS5Padding and RSA/ECB/OAEPWithSHA-1AndMGF1Padding with Ruby 2.0.0 and Java · GitHub

WebCrypto uses SHA256, but that would be equivalent to using a prgramatically created provider and cipher, i.e. not by using the default “RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING”: Web Cryptography API

eric.therond · July 19, 2021, 7:10am

Hello @nxkavian and welcome to the community!

you are absolutely right

to be honest it’s difficult to come up with a compliant solution for this rule that works for all Java security providers, in theory RSA/None is the most suitable solution, as explained earlier in this thread, because ECB mode doesn’t make sense for asymmetric algorithms like RSA and will be treated as None behind the hood, but since the Android keystore provider only offers ECB mode, it’s also fair to propose this compliant solution in the rule description.

The update will be visible in the next release
Thank you very much for letting us know about this

Eric