Recipe Name:
Crypto: Signature: Approved Hashing Algorithm
Description:
This hashing algorithm is not recommended for cryptographic use
Level:
marked_information
Language:
  • java
Tags:
  • security
  • basic protection set
Documentation

For digital signatures, secure coding practices prescribe SHA512withRSA: SHA-512 as the message digest and RSA as the signature scheme.

Do not use cryptographic algorithms and modes with known weaknesses. For the digest used inside a signature, SHA-512 is the recommended choice, so request SHA512withRSA from the Signature API rather than a weaker or deprecated combination.

Correct code example
import java.security.Signature;
Signature signature = Signature.getInstance("SHA512withRSA");
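The line above only selects the algorithm; a signature is only useful once it is produced with a private key and checked against the public key, and a verification failure must be handled as a result rather than an exception. The following is an added example (not part of the original recipe) showing SHA512withRSA end to end: key generation, signing, verification, and the two failure cases a practitioner should expect to see rejected. The class name, the 3072-bit key size and the sample message are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;

public class Sha512RsaSignatureExample {

    // JCA algorithm name from the recipe: SHA-512 digest, RSA signature.
    private static final String SIGNATURE_ALGORITHM = "SHA512withRSA";

    // Assumption: a 3072-bit RSA modulus is used for this example; the recipe
    // only constrains the algorithm string, not the key size.
    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    // Produce a signature over the message with the private key.
    public static byte[] sign(byte[] message, PrivateKey privateKey) throws Exception {
        Signature signer = Signature.getInstance(SIGNATURE_ALGORITHM);
        signer.initSign(privateKey);
        signer.update(message);
        return signer.sign();
    }

    // Check a signature against the message with the public key.
    // Returns false both for a signature that does not match and for a
    // malformed signature blob, so callers get one boolean to act on.
    public static boolean verify(byte[] message, byte[] signature, PublicKey publicKey) throws Exception {
        Signature verifier = Signature.getInstance(SIGNATURE_ALGORITHM);
        verifier.initVerify(publicKey);
        verifier.update(message);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            // Wrong length or bad encoding: treat as a failed verification.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair keyPair = generateKeyPair();
        // Constructed sample input for this example.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        byte[] sig = sign(message, keyPair.getPrivate());
        System.out.println("valid signature verifies:     " + verify(message, sig, keyPair.getPublic()));

        // Flip one bit of the message: the digest changes, the signature no longer matches.
        byte[] tampered = message.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered message verifies:    " + verify(tampered, sig, keyPair.getPublic()));

        // Flip one bit of the signature: the RSA operation no longer recovers the expected digest.
        byte[] corruptSig = sig.clone();
        corruptSig[corruptSig.length - 1] ^= 0x01;
        System.out.println("corrupted signature verifies: " + verify(message, corruptSig, keyPair.getPublic()));
    }
}
```

Run with `javac Sha512RsaSignatureExample.java && java Sha512RsaSignatureExample`: the first check passes and the two tampered checks fail. Note that the recipe's search pattern inspects only the string passed to `getInstance`; it does not check how the resulting `Signature` object is used, so the verify-and-act-on-the-boolean step shown here is the caller's responsibility.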
Recipe
id: scw:crypto:signature-not-recommended
version: 10
metadata:
  name: 'Crypto: Signature: Approved Hashing Algorithm'
  shortDescription: This hashing algorithm is not recommended for cryptographic use
  level: marked_information
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:use_of_insecuredeprecated_alogirthms
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Insecure_signature_algorithm.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified:
            matches: ^((?!((MD.*)|(NONE.*)|(SHA[^5][^1][^2].*)|SHA512withDSA|SHA512withDES|SHA512withECDSA|SHA512withRSA$)).)*
    name: getInstance
    declaration:
      type: java.security.Signature
availableFixes:
- name: Use SHA512withRSA
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}("SHA512withRSA")'