java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests

Community Favorite
profile photo of returntocorpreturntocorp
Author
73,396
Download Count*

Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");

Run Locally

Run in CI

Defintion

rules:
  - id: avoid-implementing-custom-digests
    metadata:
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#CUSTOM_MESSAGE_DIGEST
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.2 Insecure Custom Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms
      category: security
      technology:
        - java
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: 'Cryptographic algorithms are notoriously difficult to get right. By
      implementing a custom message digest, you risk introducing security issues
      into your program. Use one of the many sound message digests already
      available to you: MessageDigest sha256Digest =
      MessageDigest.getInstance("SHA256");'
    severity: WARNING
    languages:
      - java
    pattern: |-
      class $CLASS extends MessageDigest {
        ...
      }

Examples

avoid-implementing-custom-digests.java

// ruleid: avoid-implementing-custom-digests
public class MyProprietaryMessageDigest extends MessageDigest {

    @Override
    protected byte[] engineDigest() {
        return "";
    }
}

// ok: avoid-implementing-custom-digests
public class NotMessageDigest {
    public NotMessageDigest() {
        System.out.println("");
    }
}