@misterAnderson90
Last active May 30, 2022 23:03

CogniCrypt (report 4) for mpv-remote

  • Class: miccah.mpvremote.HMAC

  • Method: digest

  • Line: 32

  • Issue details: TypestateError

    • TypestateError violating CrySL rule for javax.crypto.Mac.

    • Unexpected call to method <javax.crypto.Mac: byte[] doFinal(byte[])> on object of type javax.crypto.Mac. Expect a call to one of the following methods javax.crypto.Mac: void update(byte[]),javax.crypto.Mac: void doFinal(byte[],int),javax.crypto.Mac: byte[] doFinal(),javax.crypto.Mac: void update(byte),javax.crypto.Mac: void update(byte[],int,int).

Code

    public String digest() {
        String digest = null;
        try {
            SecretKeySpec key = new SecretKeySpec(
                    keyString.getBytes("UTF-8"), algorithm);
            Mac mac = Mac.getInstance(algorithm);
            mac.init(key);

            byte[] bytes = mac.doFinal(message.getBytes("UTF-8"));

            StringBuffer hash = new StringBuffer();
            for (int i = 0; i < bytes.length; i++) {
                String hex = Integer.toHexString(0xFF & bytes[i]);
                if (hex.length() == 1) {
                    hash.append('0');
                }
                hash.append(hex);
            }
            digest = hash.toString();
        } catch (Exception e) {}
        return digest;
    }

Questions

  1. How likely might this warning reveal a security threat to this app?

  2. Are you likely to accept a patch that fixes this particular issue?
