Reputation: 31
I am trying to load some library ".so" / ".dll" files using the code below:
System.load("some file");
Then, after performing static application security testing (SAST) with the Checkmarx tool, it complains about a "Download of Code Without Integrity Check" issue.
Then I tried to fix the "Download of Code Without Integrity Check" SAST issue using a checksum.
I generated a checksum of the library file using the SHA-512 algorithm and kept it in a String constant:
public static final String TRUSTED_SHA512 = "12af30d9ffc1cdd85d21e73c8c81b7c379a9b4ab2ea5676cd9d232788e2b44fbab876796104f37d0f6a5f7bc5f97eb3663e432785b94039b5320bbfac3d19516";
Now, before loading the file, I compute the hash again with the same algorithm and check it against the String constant TRUSTED_SHA512:
MessageDigest md = MessageDigest.getInstance("SHA-512");
String sha512ofQrcToolsWrapper = ChecksumHelper.getFileChecksum(md, temp);
if (sha512ofQrcToolsWrapper.equalsIgnoreCase(ServiceConstants.TRUSTED_SHA512_OF_QRCTOOLSWRAPPER)) {
    System.load(temp.getAbsolutePath());
} else {
    throw new Exception("failed to load windows dll file : Checksum mismatched");
}
Now the Checkmarx tool is giving one more issue, "Use of a one-way hash without a salt", so I updated the message digest with a static salt value. The reason for using a fixed salt value instead of a random one is that we want to compute the same hash at runtime to check it against the one already stored in the constant:
public static String getFileChecksum(MessageDigest digest, File file) throws IOException, NoSuchAlgorithmException {
    //Create byte array to read data in chunks
    byte[] byteArray = new byte[1024];
    int bytesCount = 0;
    //Get file input stream for reading the file content;
    //try-with-resources closes it even if read() throws
    try (FileInputStream fis = new FileInputStream(file)) {
        //Read file data and update in message digest
        while ((bytesCount = fis.read(byteArray)) != -1) {
            digest.update(byteArray, 0, bytesCount);
        }
    }
    //Static salt value
    digest.update(getSalt());
    //Get the hash's bytes
    byte[] bytes = digest.digest();
    //Convert the raw bytes to a lowercase hexadecimal string
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < bytes.length; i++) {
        sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
    }
    //return complete hash
    return sb.toString();
}
NOTE: the getSalt() method returns a byte array with fixed values.
Still, Checkmarx SAST is complaining about both issues.
Please provide a solution to fix these issues. Let me know if anything else is needed to clarify.
Thanks in advance.
Upvotes: 0
Views: 1186
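The integrity check as I would write it for this situation, added here as an example (it is neither the asker's code nor anything Checkmarx recommends): the digest is a plain, unsalted SHA-512, since a salt only makes sense for password hashing and the embedded constant would have to be recomputed for any salt anyway, and the comparison uses MessageDigest.isEqual so it runs in constant time. The class name is a placeholder, and the expected-hash constant is simply the value from the question.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
public final class VerifiedNativeLoader {
    // Expected digest recorded at build time (value copied from the question; replace
    // it with the SHA-512 of your own library).
    private static final String TRUSTED_SHA512 =
        "12af30d9ffc1cdd85d21e73c8c81b7c379a9b4ab2ea5676cd9d232788e2b44fb"
      + "ab876796104f37d0f6a5f7bc5f97eb3663e432785b94039b5320bbfac3d19516";

    // Streams the file through SHA-512 and returns the raw 64-byte digest.
    // No salt: this is an integrity check of fixed content, not a password hash,
    // so a fixed salt adds nothing and a random one would make the check impossible.
    static byte[] sha512Of(File file) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        byte[] buf = new byte[8192];
        try (InputStream in = new DigestInputStream(Files.newInputStream(file.toPath()), md)) {
            while (in.read(buf) != -1) {
                // DigestInputStream feeds every byte read into md; nothing else to do
            }
        }
        return md.digest();
    }

    // Decodes the hex constant so the comparison is done on bytes, not on Strings.
    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Verifies, then loads. Keep the file in a directory only this process can write
    // to (e.g. a freshly created temp dir), so the bytes verified are the bytes loaded.
    public static void loadVerified(File library) throws IOException, NoSuchAlgorithmException {
        byte[] actual = sha512Of(library);
        byte[] expected = hexToBytes(TRUSTED_SHA512);
        // MessageDigest.isEqual is constant-time; String.equals/equalsIgnoreCase are not.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new SecurityException("Refusing to load " + library + ": SHA-512 mismatch");
        }
        System.load(library.getAbsolutePath());
    }
}
```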