Secure Public Key marked as Misuse

[akwick]

Steps done

• Applying CryptoAnalysis on the project JobX with commit id 414503ff.

• The analysis reports 38 violations (8 constraintError, 12 RequiredPredicateError, 4 ImpreciseValueExtractionError, 2 TypestateError, and 12 IncompleteOperationError). Details in the attacted report

• For the RequiredPredicateError violation for method encryptByPublicKey, we assume that the report is a false positive

 RequiredPredicateError violating CrySL rule for Cipher
                        Second parameter was not properly generatedKey
                        at statement: virtualinvoke r6.<javax.crypto.Cipher: void init(int,java.security.Key)>(1, r5)

• The reported violation is in the file RSAUtils.java in line 238.

Notes why we assume that the violation is a false positive

• REQUIRES
  generatedKey[key, part(0, ""/"", transformation)];
  https://docs.oracle.com/javase/7/docs/api/java/security/KeyFactory.html
  ""Key factories are used to convert keys (opaque cryptographic keys of type Key) into key specifications (transparent representations of the underlying key material), and vice versa. "" -> converts a key provided as a string (X509 specification) into a new key. This is not covered by CrySl -> assumes insecure"

/cc @anam-dodhy

[Lonzak]

I also have this problem - strangely the error message seems to be cut off in the middle:
"Second parameter was not properly generatedKey" The public key however is read from an existing keystore and was generated by using the java keytool.

public static byte[] encryptKey(byte[] content, Key publicKey) {
        byte[] encryptedContent= null;
        try {
            Cipher outerCipher = Cipher.getInstance(publicKey.getAlgorithm());
            outerCipher.init(Cipher.ENCRYPT_MODE, publicKey);
            encryptedContent= outerCipher.doFinal(content);
        } catch (Exception e) {
          ...
        }
       return encryptedContent;
}

[smeyer198]

The RequiredPredicateError at the call to init is a TruePositive. Note that DigestUtils.getdeBASE64inCodec(...) does not ensure a predicate on keyBytes. Therefore, a predicate error is passed transitively to the init call:

public void encryptByPublicKey(String publicKey) throws Exception {
	byte[] keyBytes = new Base64().decode(publicKey.getBytes());          // No predicate is ensured on 'keyBytes'
	X509EncodedKeySpec x509KeySpec = new X509EncodedKeySpec(keyBytes);    // 'keyBytes' does not ensure 'preparedKeyMaterial' -> RequiredPredicateErrror and 'x509KeySpec' does not ensure 'speccedKey'
	KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
	Key publicK = keyFactory.generatePublic(x509KeySpec);                 // `generatePublic` requires `speccedKey` -> not ensured by 'x509KeySpec' -> RequiredPredicateError and 'publicK' does not ensure 'generatedKey'

	Cipher cipher = Cipher.getInstance(keyFactory.getAlgorithm());
	cipher.init(Cipher.ENCRYPT_MODE, publicK);                            // `init` requires 'generatedKey' -> not ensured by 'publicK' -> RequiredPredicateError
}