Re: [PR] Merge Thrift Services, Switch OpenJPA to Hibernate, Create Main Class to Launch Airavata [airavata]

Mon, 25 Aug 2025 16:57:13 -0700 


github-advanced-security[bot] commented on code in PR #556:
URL: https://github.com/apache/airavata/pull/556#discussion_r2299386406


##########
airavata-api/src/main/java/org/apache/airavata/common/utils/SecurityUtil.java:
##########
@@ -93,4 +60,27 @@
         }
         return KeyStore.getInstance(keystoreFile, 
passwordCallback.getStorePassword());
     }
+
+    public static byte[] encrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+        // Initialize the cipher
+        Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is insecure. CBC mode with 
PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider 
using GCM instead.
   
   [Show more 
details](https://github.com/apache/airavata/security/code-scanning/29)



##########
airavata-api/src/main/java/org/apache/airavata/common/utils/SecurityUtil.java:
##########
@@ -93,4 +60,27 @@
         }
         return KeyStore.getInstance(keystoreFile, 
passwordCallback.getStorePassword());
     }
+
+    public static byte[] encrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+        // Initialize the cipher
+        Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
+        cipher.init(Cipher.ENCRYPT_MODE, key);
+        byte[] iv = cipher.getIV();
+
+        // Encrypt the data and return [...iv,...encryptedData]
+        byte[] encryptedData = cipher.doFinal(data);
+        return ByteBuffer.allocate(iv.length + 
encryptedData.length).put(iv).put(encryptedData).array();
+    }
+
+    public static byte[] decrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+      // Extract IV and encrypted data
+      byte[] iv = Arrays.copyOfRange(data, 0, 16);
+      byte[] encryptedData = Arrays.copyOfRange(data, 16, data.length - 16);
+
+      // Decrypt the data
+      Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is insecure. CBC mode with 
PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider 
using GCM instead.
   
   [Show more 
details](https://github.com/apache/airavata/security/code-scanning/30)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to