CWE ID 327: AbstractNamedCurve.java:94
Brent Putman
putmanb at georgetown.edu
Fri Sep 16 00:28:49 UTC 2022
On 9/15/22 4:52 PM, Jeremy Karlson wrote:
>
> I took a look at the report again, trying to see if there was any
> more detail in regards to why it flagged that line. Nothing,
> unfortunately.
Bummer. If the report can't provide more detail, then the only other
thing I can think of is: Is there somewhere a list of the crypto
algorithms that Veracode considers weak and that would trigger the CWE
ID 327? If so, then we could probably cross-reference to the list of
EC named curves we support by default and see if there is an intersection.
>
> I assume this code is used when there is some sort of negotiation
> between systems? (I don’t know much about SAML here.) Assuming that’s
> the case, I think there is really nothing much to do here.
>
Well, if my speculation is correct, this seems to be flagging on the
fundamental creation of EC key pairs with a particular named curve. So
it's really about the underlying parameters/characteristics of the EC
keys themselves.
Beyond that, EC keys are then used with the fundamental crypto
operations of signing (ECDSA) and encryption (ECDH) over SAML protocol
messages and/or data within them. I wouldn't characterize those as
"negotiation" between systems, because there isn't a back-and-forth
kind of exchange, it's one-sided really (unlike say TLS). But these
fundamental crypto ops are used to secure the messages and data
exchanged between SAML entities, which for standard Web SSO use cases
is primarily Identity Providers and Service Providers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20220915/9a8cff5f/attachment.htm>
More information about the users
mailing list