package testcode.password;
import java.io.FileInputStream;
import java.math.BigInteger;
import java.net.PasswordAuthentication;
import java.security.KeyRep;
import java.security.KeyStore;
import java.security.spec.DSAPrivateKeySpec;
import java.security.spec.DSAPublicKeySpec;
import java.security.spec.ECPrivateKeySpec;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAMultiPrimePrivateCrtKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.security.spec.RSAPrivateKeySpec;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.crypto.spec.DESKeySpec;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.DHPrivateKeySpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosTicket;
import sun.security.provider.DSAPublicKeyImpl;
public class ConstantPasswords {
private static String PWD1 = "secret4";
private static char[] PWD2 = {'s', 'e', 'c', 'r', 'e', 't', '5'};
private char[] PWD3 = {'s', 'e', 'c', 'r', 'e', 't', '5'};
private static BigInteger big = new BigInteger("1000000");
private static final byte[] PUBLIC_KEY = new byte[]{1, 2, 3, 4, 5, 6, 7};
public void bad1() throws Exception {
char[] passphrase = "secret1".toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), passphrase);
}
public static void bad2() throws Exception {
final String passphrase = "secret2";
System.out.println("secret2");
KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream fs = new FileInputStream("keystore");
ks.load(fs, passphrase.toCharArray());
}
public void bad3() throws Exception {
char[] passphrase = {'s', 'e', 'c', 'r', 'e', 't', '3'};
KeyStore.getInstance("JKS").load(new FileInputStream("keystore"), passphrase);
}
public void bad4() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), PWD1.toCharArray());
}
public static void bad5a() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), PWD2);
}
public void bad5b() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), PWD3);
}
public void bad6() throws Exception {
String pwdStr = "secret6";
char[] pwd1 = pwdStr.toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
char[] pwd2 = pwd1;
ks.load(new FileInputStream("keystore"), pwd2);
}
public void bad7() throws Exception {
byte[] bytes = new byte[2];
char[] pwd = "secret7".toCharArray();
new PBEKeySpec(pwd);
new PBEKeySpec(pwd, bytes, 1);
new PBEKeySpec(pwd, bytes, 1, 1);
PasswordAuthentication auth = new PasswordAuthentication("user", pwd);
PasswordCallback callback = new PasswordCallback("str", true);
callback.setPassword(pwd);
KeyStore.PasswordProtection protection = new KeyStore.PasswordProtection(pwd);
KerberosKey key = new KerberosKey(null, pwd, "alg");
KeyManagerFactory.getInstance("").init(null, pwd);
}
public void bad8a() throws Exception {
new DESKeySpec(null); // should not be reported
byte[] key = {1, 2, 3, 4, 5, 6, 7, 8};
DESKeySpec spec = new DESKeySpec(key);
KeySpec spec2 = new DESedeKeySpec(key);
KerberosKey kerberosKey = new KerberosKey(null, key, 0, 0);
System.out.println(spec.getKey()[0] + kerberosKey.getKeyType());
new SecretKeySpec(key, "alg");
new SecretKeySpec(key, 0, 0, "alg");
new X509EncodedKeySpec(key);
new PKCS8EncodedKeySpec(key);
new KeyRep(null, "alg", "format", key);
new KerberosTicket(null, null, null, key, 0, null, null, null, null, null, null);
new DSAPublicKeyImpl(key);
}
public void bad8b() {
byte[] key = "secret8".getBytes();
System.out.println("something");
new SecretKeySpec(key, "alg");
}
public void bad9() throws SQLException {
String pass = "secret9";
Connection connection = DriverManager.getConnection("url", "user", PWD1);
System.out.println(connection.getCatalog());
connection = DriverManager.getConnection("url", "user", pass);
System.out.println(connection.getCatalog());
}
public void bad10() throws Exception {
BigInteger bigInteger = new BigInteger("12345", 5);
new DSAPrivateKeySpec(bigInteger, null, null, null);
new DSAPublicKeySpec(bigInteger, null, bigInteger, null); // report once
new DHPrivateKeySpec(bigInteger, null, null);
new DHPublicKeySpec(bigInteger, null, null);
new ECPrivateKeySpec(bigInteger, null);
new RSAPrivateKeySpec(bigInteger, null);
new RSAMultiPrimePrivateCrtKeySpec(bigInteger, null, null, null, null, null, null, null, null);
new RSAPrivateCrtKeySpec(bigInteger, null, null, null, null, null, null, null);
new RSAPublicKeySpec(bigInteger, null);
new DSAPublicKeyImpl(bigInteger, null, null, null);
}
public void bad11() {
new DSAPrivateKeySpec(null, null, null, null); // should not be reported
System.out.println();
new DSAPrivateKeySpec(big, null, null, null);
}
public void bad12() throws Exception {
byte[] key = "secret8".getBytes("UTF-8");
BigInteger bigInteger = new BigInteger(key);
new DSAPrivateKeySpec(bigInteger, null, null, null);
}
public void bad13() throws Exception {
String pwd = null;
if (PWD2[3] < 'u') { // non-trivial condition
pwd = "hardcoded";
}
if (pwd != null) {
KeyStore.getInstance("JKS").load( // should be reported
new FileInputStream("keystore"), pwd.toCharArray());
}
}
public Connection bad14() throws Exception {
String pwd;
if (PWD2[2] % 2 == 1) { // non-trivial condition
pwd = "hardcoded1";
} else { // different constant but still hard coded
pwd = "hardcoded2";
}
return DriverManager.getConnection("url", "user", pwd);
}
private byte[] pwd4; // not considered hard coded
private char[] pwd5 = null;
private char[] pwd6 = new char[7];
public void good1() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), getPassword());
}
public void good2() throws Exception {
String pwd = "uiiii".substring(3) + "oo";
char[] pwdArray = pwd.toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("keystore"), pwdArray);
}
public void good3() throws Exception {
String key = "hard coded";
key = new String(getPassword()); // no longer hard coded
String message = "can be hard coded";
byte[] byteStringToEncrypt = message.getBytes("UTF-8");
new SecretKeySpec(key.getBytes(), "AES"); // should not report
byte[] bytes = {0, 0, 7};
new PBEKeySpec(getPassword(), bytes, 1); // different parameter hard coded
byte newArray[] = new byte[1024]; // not considered hard coded
new X509EncodedKeySpec(newArray);
}
private static char[] getPassword() {
char[] password = new char[3];
// some operations to simulate non-constant password
password[0] = 'x';
password[1] = 10;
password[2] = ("o" + "z").charAt(1);
return password;
}
}