github-advanced-security[bot] commented on code in PR #556:
URL: https://github.com/apache/airavata/pull/556#discussion_r2299386406


##########
airavata-api/src/main/java/org/apache/airavata/common/utils/SecurityUtil.java:
##########
@@ -93,4 +60,27 @@
         }
         return KeyStore.getInstance(keystoreFile, 
passwordCallback.getStorePassword());
     }
+
+    public static byte[] encrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+        // Initialize the cipher
+        Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
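
Review bot: encrypt(byte[] data, Key key) is added as a public static utility with no Javadoc; the only comment in the visible part is "Initialize the cipher". Please document which transformation SecurityUtil.CIPHER_NAME selects and what kind of key the method expects, so callers do not have to look up the constant to know what protection they get. Narrowing the parameter from Key to SecretKey would also make the symmetric-key intent explicit.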

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is insecure. CBC mode with 
PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider 
using GCM instead.
   
   [Show more details](https://github.com/apache/airavata/security/code-scanning/29)



##########
airavata-api/src/main/java/org/apache/airavata/common/utils/SecurityUtil.java:
##########
@@ -93,4 +60,27 @@
         }
         return KeyStore.getInstance(keystoreFile, 
passwordCallback.getStorePassword());
     }
+
+    public static byte[] encrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+        // Initialize the cipher
+        Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
+        cipher.init(Cipher.ENCRYPT_MODE, key);
+        byte[] iv = cipher.getIV();
+
+        // Encrypt the data and return [...iv,...encryptedData]
+        byte[] encryptedData = cipher.doFinal(data);
+        return ByteBuffer.allocate(iv.length + 
encryptedData.length).put(iv).put(encryptedData).array();
+    }
+
+    public static byte[] decrypt(byte[] data, Key key) throws 
GeneralSecurityException {
+      // Extract IV and encrypted data
+      byte[] iv = Arrays.copyOfRange(data, 0, 16);
+      byte[] encryptedData = Arrays.copyOfRange(data, 16, data.length - 16);
+
+      // Decrypt the data
+      Cipher cipher = Cipher.getInstance(SecurityUtil.CIPHER_NAME);
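
Review bot: In decrypt, Arrays.copyOfRange(data, 16, data.length - 16) stops 16 bytes before the end of the buffer, but encrypt returns the IV followed by all of encryptedData, so the ciphertext handed to the cipher is missing its final 16 bytes. The upper bound should be data.length. The method should also reject input shorter than the IV before slicing, and the literal 16 should come from one shared constant, since encrypt sizes the prefix from iv.length and the two must stay in step if the transformation changes. The output layout (IV first, then ciphertext) is worth stating in Javadoc on both methods.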

Review Comment:
   ## Use of a broken or risky cryptographic algorithm
   
   Cryptographic algorithm [AES/CBC/PKCS5Padding](1) is insecure. CBC mode with 
PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks. Consider 
using GCM instead.
   
   [Show more details](https://github.com/apache/airavata/security/code-scanning/30)


