Matthias Sohn
7 vuotta sitten
2 muutettua tiedostoa jossa 71 lisäystä ja 6 poistoa
+ 65
- 0
org.eclipse.jgit/src/org/eclipse/jgit/transport/InsecureCipherFactory.java
Näytä tiedosto
| @@ -0,0 +1,65 @@ | |||
| /* | |||
| * Copyright (C) 2016, Google Inc. | |||
| * and other copyright owners as documented in the project's IP log. | |||
| * | |||
| * This program and the accompanying materials are made available | |||
| * under the terms of the Eclipse Distribution License v1.0 which | |||
| * accompanies this distribution, is reproduced below, and is | |||
| * available at http://www.eclipse.org/org/documents/edl-v10.php | |||
| * | |||
| * All rights reserved. | |||
| * | |||
| * Redistribution and use in source and binary forms, with or | |||
| * without modification, are permitted provided that the following | |||
| * conditions are met: | |||
| * | |||
| * - Redistributions of source code must retain the above copyright | |||
| * notice, this list of conditions and the following disclaimer. | |||
| * | |||
| * - Redistributions in binary form must reproduce the above | |||
| * copyright notice, this list of conditions and the following | |||
| * disclaimer in the documentation and/or other materials provided | |||
| * with the distribution. | |||
| * | |||
| * - Neither the name of the Eclipse Foundation, Inc. nor the | |||
| * names of its contributors may be used to endorse or promote | |||
| * products derived from this software without specific prior | |||
| * written permission. | |||
| * | |||
| * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND | |||
| * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, | |||
| * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |||
| * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||
| * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR | |||
| * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
| * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |||
| * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |||
| * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER | |||
| * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||
| * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |||
| * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF | |||
| * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |||
| */ | |||
| package org.eclipse.jgit.transport; | |||
| import java.security.NoSuchAlgorithmException; | |||
| import javax.crypto.Cipher; | |||
| import javax.crypto.NoSuchPaddingException; | |||
| /** | |||
| * <b>DO NOT USE</b> Factory to create any cipher. | |||
| * <p> | |||
| * This is a hack for {@link WalkEncryption} to create any cipher configured by | |||
| * the end-user. Using this class allows JGit to violate ErrorProne's security | |||
| * recommendations (<a | |||
| * href="http://errorprone.info/bugpattern/InsecureCryptoUsage" | |||
| * >InsecureCryptoUsage</a>), which is not secure. | |||
| */ | |||
| class InsecureCipherFactory { | |||
| static Cipher create(String algo) | |||
| throws NoSuchAlgorithmException, NoSuchPaddingException { | |||
| return Cipher.getInstance(algo); | |||
| } | |||
| } | |||
+ 6
- 6
org.eclipse.jgit/src/org/eclipse/jgit/transport/WalkEncryption.java
Näytä tiedosto
| @@ -188,7 +188,7 @@ abstract class WalkEncryption { | |||
| cryptoAlg = algo; | |||
| // Verify if cipher is present. | |||
| Cipher cipher = Cipher.getInstance(cryptoAlg); | |||
| Cipher cipher = InsecureCipherFactory.create(cryptoAlg); | |||
| // Standard names are not case-sensitive. | |||
| // http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html | |||
| @@ -240,7 +240,7 @@ abstract class WalkEncryption { | |||
| @Override | |||
| OutputStream encrypt(final OutputStream os) throws IOException { | |||
| try { | |||
| final Cipher cipher = Cipher.getInstance(cryptoAlg); | |||
| final Cipher cipher = InsecureCipherFactory.create(cryptoAlg); | |||
| cipher.init(Cipher.ENCRYPT_MODE, secretKey, paramSpec); | |||
| return new CipherOutputStream(os, cipher); | |||
| } catch (GeneralSecurityException e) { | |||
| @@ -251,7 +251,7 @@ abstract class WalkEncryption { | |||
| @Override | |||
| InputStream decrypt(final InputStream in) throws IOException { | |||
| try { | |||
| final Cipher cipher = Cipher.getInstance(cryptoAlg); | |||
| final Cipher cipher = InsecureCipherFactory.create(cryptoAlg); | |||
| cipher.init(Cipher.DECRYPT_MODE, secretKey, paramSpec); | |||
| return new CipherInputStream(in, cipher); | |||
| } catch (GeneralSecurityException e) { | |||
| @@ -342,7 +342,7 @@ abstract class WalkEncryption { | |||
| String keySalt = props.getProperty(profile + X_KEY_SALT, DEFAULT_KEY_SALT); | |||
| // Verify if cipher is present. | |||
| Cipher cipher = Cipher.getInstance(cipherAlgo); | |||
| Cipher cipher = InsecureCipherFactory.create(cipherAlgo); | |||
| // Verify if key factory is present. | |||
| SecretKeyFactory factory = SecretKeyFactory.getInstance(keyAlgo); | |||
| @@ -400,7 +400,7 @@ abstract class WalkEncryption { | |||
| @Override | |||
| OutputStream encrypt(OutputStream output) throws IOException { | |||
| try { | |||
| Cipher cipher = Cipher.getInstance(cipherAlgo); | |||
| Cipher cipher = InsecureCipherFactory.create(cipherAlgo); | |||
| cipher.init(Cipher.ENCRYPT_MODE, secretKey); | |||
| AlgorithmParameters params = cipher.getParameters(); | |||
| if (params == null) { | |||
| @@ -457,7 +457,7 @@ abstract class WalkEncryption { | |||
| JGitText.get().unsupportedEncryptionVersion, vers)); | |||
| } | |||
| try { | |||
| decryptCipher = Cipher.getInstance(cipherAlgo); | |||
| decryptCipher = InsecureCipherFactory.create(cipherAlgo); | |||
| if (cont.isEmpty()) { | |||
| decryptCipher.init(Cipher.DECRYPT_MODE, secretKey); | |||
| } else { | |||
Loading…