在使用Sonar扫描代码是发现AES工具类提示如下漏洞
很明显。漏洞存在于红色方框
Cipher cipher = Cipher.getInstance(“Blowfish/ECB/PKCS5Padding”);
查看漏洞详细信息,可以看到漏洞的现象情况,及正确示例
存在漏洞的使用方式
Cipher c0 = Cipher.getInstance("AES"); // Noncompliant: by default ECB mode is chosen
Cipher c1 = Cipher.getInstance("AES/ECB/NoPadding"); // Noncompliant: ECB doesn't provide serious message confidentiality
Cipher c6 = Cipher.getInstance("AES/CBC/PKCS5Padding"); // Noncompliant: CBC with PKCS5 is vulnerable to oracle padding attacks
Cipher c9 = Cipher.getInstance("AES/CBC/PKCS7Padding"); // Noncompliant: CBC with PKCS7 is vulnerable to oracle padding attacks
正确的方式
Cipher c5 = Cipher.getInstance(“AES/GCM/NoPadding”); // Compliant
直接切换成这个模式后,提示如下错误
因为这里切换了加密模式,所以需要使用对应的加密模式的加密参数。
将原先的private static IvParameterSpec ivParameterSpec切换成
private static GCMParameterSpec gcMParameterSpec;
正确的AES加密工具类如下
public class Aes256Utils {
/**
* 密钥, 256位32个字节
*/
public static final String DEFAULT_SECRET_KEY = "uBdUx82vPHkDKb284d7NkjFoNcKWBuka";
private static final String AES = "AES";
/**
* 初始向量IV, 初始向量IV的长度规定为128位16个字节, 初始向量的来源为随机生成.
*/
private static GCMParameterSpec gcMParameterSpec;
/**
* 加密解密算法/加密模式/填充方式
*/
private static final String CIPHER_ALGORITHM = "AES/GCM/NoPadding";
static {
SecureRandom random = new SecureRandom();
byte[] bytesIV = new byte[16];
random.nextBytes(bytesIV);
gcMParameterSpec = new GCMParameterSpec(128, bytesIV);
;
java.security.Security.setProperty("crypto.policy", "unlimited");
}
/**
* AES加密
*/
public static String encode(String key, String content) {
try {
SecretKey secretKey = new SecretKeySpec(key.getBytes(), AES);
Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, secretKey, gcMParameterSpec);
// 获取加密内容的字节数组(这里要设置为utf-8)不然内容中如果有中文和英文混合中文就会解密为乱码1
byte[] byteEncode = content.getBytes(java.nio.charset.StandardCharsets.UTF_8);
// 根据密码器的初始化方式加密
byte[] byteAes = cipher.doFinal(byteEncode);
// 将加密后的数据转换为字符串
return Pbkdf2Utils.toHex(byteAes);
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
/**
* AES解密
*/
public static String decode(String key, String content) {
try {
SecretKey secretKey = new SecretKeySpec(key.getBytes(), AES);
Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
cipher.init(javax.crypto.Cipher.DECRYPT_MODE, secretKey, gcMParameterSpec);
// 将加密并编码后的内容解码成字节数组
byte[] byteContent = Pbkdf2Utils.fromHex(content);
// 解密
byte[] byteDecode = cipher.doFinal(byteContent);
return new String(byteDecode, StandardCharsets.UTF_8);
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
}