CWE ID 327: AbstractNamedCurve.java:94

[Jeremy Karlson]

>> Veracode (a code scanning tool my employer has recently started using) is reporting CWE ID 27 (Use of a Broken or Risky Cryptographic Algorithm) specifically in opensaml-security-api, 
> but 27 is a different thing, about path traversal.  The one with that name/label is actually 327 - can you confirm that that is a typo etc, and 327 is the one in question?
> 
Yes, sorry, 327. But you figured that out already.

>>    jcaSpec = ECPublicKey.class.cast(
>>       KeySupport.generateKeyPair(JCAConstants.KEY_ALGO_EC, new ECGenParameterSpec(getName()), null)
>>          .getPublic()).getParams();
> But the code reference above doesn't tell us anything useful.  We'd need to know the value of the getName() there - the named curve ID - which is going to be in the concrete class impl. (Every named curve will have a concrete NamedCurve impl, which has AbstractNamedCurve as a super class.)
> 
I took a look at the report again, trying to see if there was any more detail in regards to why it flagged that line. Nothing, unfortunately.

Veracode is very good at statically looking at code to see what is reachable from where. But just because something is reachable, it is quite possibly doing what you suggested - that it is just pointing out that a weak curve exists, and is possible to create - but it doesn’t know that it is used or not. (Or if it is used, if that is a problem.)

I assume this code is used when there is some sort of negotiation between systems? (I don’t know much about SAML here.) Assuming that’s the case, I think there is really nothing much to do here.

Thanks,

— Jeremy



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220915/b79714e0/attachment.htm>