From 7a82d4e098dda9b0703f08a925f6f14f3ec9a8ec Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 26 Jun 2024 10:34:07 +0200 Subject: [PATCH 01/10] fix DMI_RANDOM_USED_ONLY_ONCE --- .../java/com/yubico/yubikit/core/fido/FidoProtocol.java | 4 ++-- .../java/com/yubico/yubikit/core/util/RandomUtils.java | 3 ++- .../test/java/com/yubico/yubikit/piv/KeyTypeTest.java | 9 ++++++--- .../com/yubico/yubikit/testing/piv/PivTestUtils.java | 4 +++- 4 files changed, 13 insertions(+), 7 deletions(-) diff --git a/core/src/main/java/com/yubico/yubikit/core/fido/FidoProtocol.java b/core/src/main/java/com/yubico/yubikit/core/fido/FidoProtocol.java index d83036dd..d1536721 100755 --- a/core/src/main/java/com/yubico/yubikit/core/fido/FidoProtocol.java +++ b/core/src/main/java/com/yubico/yubikit/core/fido/FidoProtocol.java @@ -18,6 +18,7 @@ import com.yubico.yubikit.core.internal.Logger; import com.yubico.yubikit.core.Version; import com.yubico.yubikit.core.application.CommandState; +import com.yubico.yubikit.core.util.RandomUtils; import com.yubico.yubikit.core.util.StringUtils; import org.slf4j.LoggerFactory; @@ -59,8 +60,7 @@ public FidoProtocol(FidoConnection connection) throws IOException { this.connection = connection; // init - byte[] nonce = new byte[8]; - new SecureRandom().nextBytes(nonce); + byte[] nonce = RandomUtils.getRandomBytes(8); channelId = 0xffffffff; ByteBuffer buffer = ByteBuffer.wrap(sendAndReceive(CTAPHID_INIT, nonce, null)); diff --git a/core/src/main/java/com/yubico/yubikit/core/util/RandomUtils.java b/core/src/main/java/com/yubico/yubikit/core/util/RandomUtils.java index 1782679e..8ad92d55 100755 --- a/core/src/main/java/com/yubico/yubikit/core/util/RandomUtils.java +++ b/core/src/main/java/com/yubico/yubikit/core/util/RandomUtils.java @@ -22,6 +22,7 @@ * Utility class to generate random data. */ public class RandomUtils { + private static final SecureRandom secureRandom = new SecureRandom(); /** * Returns a byte array containing random values. */ @@ -32,7 +33,7 @@ public static byte[] getRandomBytes(int length) { SecureRandom.getInstanceStrong().nextBytes(bytes); } catch (NoSuchMethodError | NoSuchAlgorithmException e) { // Fallback for older Android versions - new SecureRandom().nextBytes(bytes); + secureRandom.nextBytes(bytes); } return bytes; } diff --git a/piv/src/test/java/com/yubico/yubikit/piv/KeyTypeTest.java b/piv/src/test/java/com/yubico/yubikit/piv/KeyTypeTest.java index b887ea18..3e0604fc 100755 --- a/piv/src/test/java/com/yubico/yubikit/piv/KeyTypeTest.java +++ b/piv/src/test/java/com/yubico/yubikit/piv/KeyTypeTest.java @@ -28,6 +28,8 @@ import java.security.spec.ECGenParameterSpec; public class KeyTypeTest { + private static final SecureRandom secureRandom = new SecureRandom(); + private static KeyPair secp256r1; private static KeyPair secp384r1; private static KeyPair secp521r1; @@ -38,12 +40,13 @@ public class KeyTypeTest { @BeforeClass public static void setupKeys() throws NoSuchAlgorithmException, InvalidAlgorithmParameterException { + KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyType.Algorithm.EC.name()); - kpg.initialize(new ECGenParameterSpec("secp256r1"), new SecureRandom()); + kpg.initialize(new ECGenParameterSpec("secp256r1"), secureRandom); secp256r1 = kpg.generateKeyPair(); - kpg.initialize(new ECGenParameterSpec("secp384r1"), new SecureRandom()); + kpg.initialize(new ECGenParameterSpec("secp384r1"), secureRandom); secp384r1 = kpg.generateKeyPair(); - kpg.initialize(new ECGenParameterSpec("secp521r1"), new SecureRandom()); + kpg.initialize(new ECGenParameterSpec("secp521r1"), secureRandom); secp521r1 = kpg.generateKeyPair(); kpg = KeyPairGenerator.getInstance(KeyType.Algorithm.RSA.name()); diff --git a/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java b/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java index 9661eb26..988b1231 100755 --- a/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java @@ -60,6 +60,8 @@ @SuppressWarnings("SpellCheckingInspection") public class PivTestUtils { + private static final SecureRandom secureRandom = new SecureRandom(); + private static final Logger logger = LoggerFactory.getLogger(PivTestUtils.class); private enum StaticKey { @@ -284,7 +286,7 @@ public static KeyPair generateKey(KeyType keyType) { private static KeyPair generateEcKey(String curve) { try { KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyType.Algorithm.EC.name()); - kpg.initialize(new ECGenParameterSpec(curve), new SecureRandom()); + kpg.initialize(new ECGenParameterSpec(curve), secureRandom); return kpg.generateKeyPair(); } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) { throw new IllegalStateException(e); From 0e5cb23c688cf13ea95453c2b52b8b2e235727dd Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 26 Jun 2024 10:41:35 +0200 Subject: [PATCH 02/10] refactor test key generators for cv25519 --- .../yubico/yubikit/testing/piv/PivTestUtils.java | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java b/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java index 988b1231..d6468cd8 100755 --- a/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/piv/PivTestUtils.java @@ -53,6 +53,7 @@ import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Date; +import java.util.Objects; import javax.crypto.Cipher; import javax.crypto.KeyAgreement; @@ -273,7 +274,9 @@ public static KeyPair generateKey(KeyType keyType) { case ECCP384: return generateEcKey("secp384r1"); case ED25519: - return generateEd25519Key(); + return generateCv25519Key("ED25519"); + case X25519: + return generateCv25519Key("X25519"); case RSA1024: case RSA2048: case RSA3072: @@ -293,9 +296,12 @@ private static KeyPair generateEcKey(String curve) { } } - private static KeyPair generateEd25519Key() { + private static KeyPair generateCv25519Key(String keyType) { + if (!Objects.equals(keyType, "ED25519") && !Objects.equals(keyType, "X25519")) { + throw new IllegalArgumentException("Invalid key keyType"); + } try { - KeyPairGenerator kpg = KeyPairGenerator.getInstance("ED25519"); + KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyType); return kpg.generateKeyPair(); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); @@ -436,14 +442,14 @@ public static void cv25519Tests() throws Exception { public static void ecSignAndVerify(PrivateKey privateKey, PublicKey publicKey) throws Exception { for (String algorithm : EC_SIGNATURE_ALGORITHMS) { - logger.debug("Test {}", algorithm); + logger.debug("Sign and verify test for {}", algorithm); verify(publicKey, Signature.getInstance(algorithm), sign(privateKey, Signature.getInstance(algorithm))); } } public static void ed25519SignAndVerify(PrivateKey privateKey, PublicKey publicKey) throws Exception { String algorithm = "ED25519"; - logger.debug("Test {}", algorithm); + logger.debug("Sign and verify test for Ed25519"); verify(publicKey, Signature.getInstance(algorithm), sign(privateKey, Signature.getInstance(algorithm))); } From a20d21b35053886732d73ad7a02ca82a3c367483 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 26 Jun 2024 11:39:34 +0200 Subject: [PATCH 03/10] Fixes MS_PKGPROTECT --- openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java | 8 ++++++-- openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java | 2 -- .../yubikit/testing/openpgp/OpenPgpDeviceTests.java | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java index a91284eb..5b0504b2 100644 --- a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java +++ b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java @@ -75,6 +75,10 @@ public byte[] getBytes() { } public static class IterSaltedS2k extends Kdf { + + private static final char[] DEFAULT_USER_PIN = "123456".toCharArray(); + private static final char[] DEFAULT_ADMIN_PIN = "12345678".toCharArray(); + public enum HashAlgorithm { SHA256((byte) 0x08), SHA512((byte) 0x0a); @@ -222,8 +226,8 @@ public byte[] getBytes() { public static IterSaltedS2k create(HashAlgorithm hashAlgorithm, int iterationCount) { byte[] saltUser = RandomUtils.getRandomBytes(8); byte[] saltAdmin = RandomUtils.getRandomBytes(8); - byte[] defaultUserPinEncoded = pinBytes(Pw.DEFAULT_USER_PIN); - byte[] defaultAdminPinEncoded = pinBytes(Pw.DEFAULT_ADMIN_PIN); + byte[] defaultUserPinEncoded = pinBytes(DEFAULT_USER_PIN); + byte[] defaultAdminPinEncoded = pinBytes(DEFAULT_ADMIN_PIN); return new IterSaltedS2k( hashAlgorithm, iterationCount, diff --git a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java index c8019dd8..45883e94 100644 --- a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java +++ b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java @@ -18,8 +18,6 @@ public enum Pw { USER((byte) 0x81), RESET((byte) 0x82), ADMIN((byte) 0x83); - public static final char[] DEFAULT_USER_PIN = "123456".toCharArray(); - public static final char[] DEFAULT_ADMIN_PIN = "12345678".toCharArray(); private final byte value; diff --git a/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java b/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java index 677e3564..c96f3e75 100644 --- a/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java @@ -67,8 +67,8 @@ import javax.crypto.KeyAgreement; public class OpenPgpDeviceTests { - private static final char[] DEFAULT_PIN = Pw.DEFAULT_USER_PIN; - private static final char[] DEFAULT_ADMIN = Pw.DEFAULT_ADMIN_PIN; + private static final char[] DEFAULT_PIN = "123456".toCharArray(); + private static final char[] DEFAULT_ADMIN = "12345678".toCharArray(); private static final char[] CHANGED_PIN = "12341234".toCharArray(); private static final char[] RESET_CODE = "43214321".toCharArray(); private static final Logger logger = LoggerFactory.getLogger(OpenPgpDeviceTests.class); From b429518a62e58e7da2d2094a4197baf543e90a56 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Tue, 2 Jul 2024 13:27:31 +0200 Subject: [PATCH 04/10] fix NM_SAME_SIMPLE_NAME_AS_INTERFACE --- .../internal/{Base64Codec.java => Base64CodecImpl.java} | 4 ++-- .../com.yubico.yubikit.core.internal.codec.Base64Codec | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) rename android/src/main/java/com/yubico/yubikit/android/internal/{Base64Codec.java => Base64CodecImpl.java} (91%) diff --git a/android/src/main/java/com/yubico/yubikit/android/internal/Base64Codec.java b/android/src/main/java/com/yubico/yubikit/android/internal/Base64CodecImpl.java similarity index 91% rename from android/src/main/java/com/yubico/yubikit/android/internal/Base64Codec.java rename to android/src/main/java/com/yubico/yubikit/android/internal/Base64CodecImpl.java index 4c6af3aa..92bb4a5c 100644 --- a/android/src/main/java/com/yubico/yubikit/android/internal/Base64Codec.java +++ b/android/src/main/java/com/yubico/yubikit/android/internal/Base64CodecImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2023 Yubico. + * Copyright (C) 2024 Yubico. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,7 +18,7 @@ import android.util.Base64; -public class Base64Codec implements com.yubico.yubikit.core.internal.codec.Base64Codec { +public class Base64CodecImpl implements com.yubico.yubikit.core.internal.codec.Base64Codec { @Override public String toUrlSafeString(byte[] data) { diff --git a/android/src/main/resources/META-INF/services/com.yubico.yubikit.core.internal.codec.Base64Codec b/android/src/main/resources/META-INF/services/com.yubico.yubikit.core.internal.codec.Base64Codec index ee0fd68f..d50f6a08 100644 --- a/android/src/main/resources/META-INF/services/com.yubico.yubikit.core.internal.codec.Base64Codec +++ b/android/src/main/resources/META-INF/services/com.yubico.yubikit.core.internal.codec.Base64Codec @@ -1 +1 @@ -com.yubico.yubikit.android.internal.Base64Codec \ No newline at end of file +com.yubico.yubikit.android.internal.Base64CodecImpl \ No newline at end of file From 33fcbd49ff0528a34e11ec6ef99f256025667d22 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Tue, 2 Jul 2024 13:37:14 +0200 Subject: [PATCH 05/10] fix RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN --- .../yubikit/fido/webauthn/AuthenticatorSelectionCriteria.java | 4 ++-- .../com/yubico/yubikit/testing/fido/Ctap2ConfigTests.java | 4 ++-- .../yubikit/testing/fido/EnterpriseAttestationTests.java | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/fido/src/main/java/com/yubico/yubikit/fido/webauthn/AuthenticatorSelectionCriteria.java b/fido/src/main/java/com/yubico/yubikit/fido/webauthn/AuthenticatorSelectionCriteria.java index a44de85d..911a40da 100644 --- a/fido/src/main/java/com/yubico/yubikit/fido/webauthn/AuthenticatorSelectionCriteria.java +++ b/fido/src/main/java/com/yubico/yubikit/fido/webauthn/AuthenticatorSelectionCriteria.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020-2023 Yubico. + * Copyright (C) 2020-2024 Yubico. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,7 +79,7 @@ public static AuthenticatorSelectionCriteria fromMap( String residentKeyRequirement = (String) map.get(RESIDENT_KEY); if (residentKeyRequirement == null) { // Backwards compatibility with WebAuthn level 1 - if(map.get(REQUIRE_RESIDENT_KEY) == Boolean.TRUE) { + if(Boolean.TRUE.equals(map.get(REQUIRE_RESIDENT_KEY))) { residentKeyRequirement = ResidentKeyRequirement.REQUIRED; } else { residentKeyRequirement = ResidentKeyRequirement.DISCOURAGED; diff --git a/testing/src/main/java/com/yubico/yubikit/testing/fido/Ctap2ConfigTests.java b/testing/src/main/java/com/yubico/yubikit/testing/fido/Ctap2ConfigTests.java index 2bbbb766..88f9f77c 100644 --- a/testing/src/main/java/com/yubico/yubikit/testing/fido/Ctap2ConfigTests.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/fido/Ctap2ConfigTests.java @@ -43,7 +43,7 @@ static Config getConfig(Ctap2Session session, PinUvAuthProtocol pinUvAuthProtoco public static void testReadWriteEnterpriseAttestation(Ctap2Session session, Object... args) throws Throwable { Config config = getConfig(session, Ctap2ClientPinTests.getPinUvAuthProtocol(args)); config.enableEnterpriseAttestation(); - assertSame(TRUE, session.getInfo().getOptions().get("ep")); + assertEquals(TRUE, session.getInfo().getOptions().get("ep")); } public static void testToggleAlwaysUv(Ctap2Session session, Object... args) throws Throwable { @@ -68,6 +68,6 @@ public static void testSetMinPinLength(Ctap2Session session, Object... args) thr } static boolean getAlwaysUv(Ctap2Session session) throws IOException, CommandException { - return session.getInfo().getOptions().get("alwaysUv") == TRUE; + return TRUE.equals(session.getInfo().getOptions().get("alwaysUv")); } } \ No newline at end of file diff --git a/testing/src/main/java/com/yubico/yubikit/testing/fido/EnterpriseAttestationTests.java b/testing/src/main/java/com/yubico/yubikit/testing/fido/EnterpriseAttestationTests.java index 94a92e4f..004da4d2 100644 --- a/testing/src/main/java/com/yubico/yubikit/testing/fido/EnterpriseAttestationTests.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/fido/EnterpriseAttestationTests.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2020-2023 Yubico. + * Copyright (C) 2020-2024 Yubico. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -52,7 +52,7 @@ public class EnterpriseAttestationTests { static void enableEp(Ctap2Session session, PinUvAuthProtocol pinUvAuthProtocol) throws CommandException, IOException { // enable ep if not enabled - if (session.getCachedInfo().getOptions().get("ep") == FALSE) { + if (FALSE.equals(session.getCachedInfo().getOptions().get("ep"))) { ClientPin clientPin = new ClientPin(session, pinUvAuthProtocol); byte[] pinToken = clientPin.getPinToken(TestData.PIN, ClientPin.PIN_PERMISSION_ACFG, null); From e4f7baaac85327e8cd03145b801d41d3a60b71fa Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Tue, 2 Jul 2024 15:25:59 +0200 Subject: [PATCH 06/10] fix CIPHER_INTEGRITY, STATIC_IV --- .../yubico/yubikit/fido/ctap/PinUvAuthProtocolV1.java | 10 ++++++++++ .../yubico/yubikit/fido/ctap/PinUvAuthProtocolV2.java | 6 ++++++ 2 files changed, 16 insertions(+) diff --git a/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV1.java b/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV1.java index 9f0922c5..6d0da7c9 100644 --- a/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV1.java +++ b/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV1.java @@ -43,6 +43,8 @@ import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; + /** * Implements PIN/UV Auth Protocol 1 * @@ -113,6 +115,10 @@ public byte[] kdf(byte[] z) { } } + @SuppressFBWarnings(value = {"CIPHER_INTEGRITY", "STATIC_IV"}, + justification = "No padding is performed as the size of demPlaintext is required " + + "to be a multiple of the AES block length. The specification for " + + "PIN/UV Auth Protocol One expects all null IV") @Override public byte[] encrypt(byte[] key, byte[] demPlaintext) { try { @@ -126,6 +132,10 @@ public byte[] encrypt(byte[] key, byte[] demPlaintext) { } } + + @SuppressFBWarnings(value = "CIPHER_INTEGRITY", + justification = "No padding is performed as the size of demPlaintext is required " + + "to be a multiple of the AES block length.") @Override public byte[] decrypt(byte[] key, byte[] demCiphertext) { try { diff --git a/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV2.java b/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV2.java index d35b3ac9..192b16e0 100644 --- a/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV2.java +++ b/fido/src/main/java/com/yubico/yubikit/fido/ctap/PinUvAuthProtocolV2.java @@ -33,6 +33,8 @@ import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.SecretKeySpec; +import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; + /** * Implements PIN/UV Auth Protocol 2 * @@ -141,6 +143,10 @@ public byte[] authenticate(byte[] key, byte[] message) { return mac.doFinal(message); } + @SuppressFBWarnings(value = {"CIPHER_INTEGRITY", "STATIC_IV"}, + justification = "No padding is performed as the size of demPlaintext is required " + + "to be a multiple of the AES block length. The IV is randomly generated " + + "for every encrypt operation") private Cipher getCipher(int mode, byte[] secret, byte[] iv) { try { Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding"); From 2a6c4f24348b97ab58befb9ce6edb4eaee150d05 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Tue, 2 Jul 2024 15:32:39 +0200 Subject: [PATCH 07/10] fix UNSAFE_HASH_EQUALS --- piv/src/main/java/com/yubico/yubikit/piv/Padding.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/piv/src/main/java/com/yubico/yubikit/piv/Padding.java b/piv/src/main/java/com/yubico/yubikit/piv/Padding.java index fdc54574..694e4654 100755 --- a/piv/src/main/java/com/yubico/yubikit/piv/Padding.java +++ b/piv/src/main/java/com/yubico/yubikit/piv/Padding.java @@ -15,6 +15,8 @@ */ package com.yubico.yubikit.piv; +import java.nio.charset.Charset; +import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -75,7 +77,9 @@ static byte[] pad(KeyType keyType, byte[] message, Signature algorithm) throws N } String hashAlgorithm = matcher.group(1); byte[] hash; - if ("NONE".equals(hashAlgorithm)) { + if (MessageDigest.isEqual( + "NONE".getBytes(StandardCharsets.UTF_8), + hashAlgorithm.getBytes(StandardCharsets.UTF_8))) { hash = message; } else { if (SHA_PATTERN.matcher(hashAlgorithm).matches()) From 925892f206235619dc39cc067fe87909b69d56c9 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 3 Jul 2024 09:07:41 +0200 Subject: [PATCH 08/10] revert 2a6c4f2 --- piv/src/main/java/com/yubico/yubikit/piv/Padding.java | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/piv/src/main/java/com/yubico/yubikit/piv/Padding.java b/piv/src/main/java/com/yubico/yubikit/piv/Padding.java index 694e4654..fdc54574 100755 --- a/piv/src/main/java/com/yubico/yubikit/piv/Padding.java +++ b/piv/src/main/java/com/yubico/yubikit/piv/Padding.java @@ -15,8 +15,6 @@ */ package com.yubico.yubikit.piv; -import java.nio.charset.Charset; -import java.nio.charset.StandardCharsets; import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -77,9 +75,7 @@ static byte[] pad(KeyType keyType, byte[] message, Signature algorithm) throws N } String hashAlgorithm = matcher.group(1); byte[] hash; - if (MessageDigest.isEqual( - "NONE".getBytes(StandardCharsets.UTF_8), - hashAlgorithm.getBytes(StandardCharsets.UTF_8))) { + if ("NONE".equals(hashAlgorithm)) { hash = message; } else { if (SHA_PATTERN.matcher(hashAlgorithm).matches()) From ddb4fef1f3918eabd29146a5b9ccf5555f6c53c9 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 3 Jul 2024 09:13:17 +0200 Subject: [PATCH 09/10] Revert "Fixes MS_PKGPROTECT" This reverts commit a20d21b35053886732d73ad7a02ca82a3c367483. --- openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java | 8 ++------ openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java | 2 ++ .../yubikit/testing/openpgp/OpenPgpDeviceTests.java | 4 ++-- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java index 5b0504b2..a91284eb 100644 --- a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java +++ b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Kdf.java @@ -75,10 +75,6 @@ public byte[] getBytes() { } public static class IterSaltedS2k extends Kdf { - - private static final char[] DEFAULT_USER_PIN = "123456".toCharArray(); - private static final char[] DEFAULT_ADMIN_PIN = "12345678".toCharArray(); - public enum HashAlgorithm { SHA256((byte) 0x08), SHA512((byte) 0x0a); @@ -226,8 +222,8 @@ public byte[] getBytes() { public static IterSaltedS2k create(HashAlgorithm hashAlgorithm, int iterationCount) { byte[] saltUser = RandomUtils.getRandomBytes(8); byte[] saltAdmin = RandomUtils.getRandomBytes(8); - byte[] defaultUserPinEncoded = pinBytes(DEFAULT_USER_PIN); - byte[] defaultAdminPinEncoded = pinBytes(DEFAULT_ADMIN_PIN); + byte[] defaultUserPinEncoded = pinBytes(Pw.DEFAULT_USER_PIN); + byte[] defaultAdminPinEncoded = pinBytes(Pw.DEFAULT_ADMIN_PIN); return new IterSaltedS2k( hashAlgorithm, iterationCount, diff --git a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java index 45883e94..c8019dd8 100644 --- a/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java +++ b/openpgp/src/main/java/com/yubico/yubikit/openpgp/Pw.java @@ -18,6 +18,8 @@ public enum Pw { USER((byte) 0x81), RESET((byte) 0x82), ADMIN((byte) 0x83); + public static final char[] DEFAULT_USER_PIN = "123456".toCharArray(); + public static final char[] DEFAULT_ADMIN_PIN = "12345678".toCharArray(); private final byte value; diff --git a/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java b/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java index c96f3e75..677e3564 100644 --- a/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java +++ b/testing/src/main/java/com/yubico/yubikit/testing/openpgp/OpenPgpDeviceTests.java @@ -67,8 +67,8 @@ import javax.crypto.KeyAgreement; public class OpenPgpDeviceTests { - private static final char[] DEFAULT_PIN = "123456".toCharArray(); - private static final char[] DEFAULT_ADMIN = "12345678".toCharArray(); + private static final char[] DEFAULT_PIN = Pw.DEFAULT_USER_PIN; + private static final char[] DEFAULT_ADMIN = Pw.DEFAULT_ADMIN_PIN; private static final char[] CHANGED_PIN = "12341234".toCharArray(); private static final char[] RESET_CODE = "43214321".toCharArray(); private static final Logger logger = LoggerFactory.getLogger(OpenPgpDeviceTests.class); From 0ff9178ab9e095854e4d526c8838d2f92c4dfb17 Mon Sep 17 00:00:00 2001 From: Adam Velebil Date: Wed, 3 Jul 2024 09:30:58 +0200 Subject: [PATCH 10/10] exclude specific spotbugs Bug codes --- .../groovy/project-convention-spotbugs.gradle | 1 + spotbugs/excludeFilter.xml | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 spotbugs/excludeFilter.xml diff --git a/buildSrc/src/main/groovy/project-convention-spotbugs.gradle b/buildSrc/src/main/groovy/project-convention-spotbugs.gradle index 13f30154..5180ed6e 100644 --- a/buildSrc/src/main/groovy/project-convention-spotbugs.gradle +++ b/buildSrc/src/main/groovy/project-convention-spotbugs.gradle @@ -22,6 +22,7 @@ spotbugs { effort = Effort.MORE reportLevel = Confidence.valueOf('DEFAULT') + excludeFilter = file("../spotbugs/excludeFilter.xml") } tasks.matching { diff --git a/spotbugs/excludeFilter.xml b/spotbugs/excludeFilter.xml new file mode 100644 index 00000000..ba0e1b54 --- /dev/null +++ b/spotbugs/excludeFilter.xml @@ -0,0 +1,20 @@ + + + + + + \ No newline at end of file