Review

Detector:

MuDetect_161216_ReviseEncodingOfConditions

Target:

project '

jmrtd

' version

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	0
In File:	/mubench/mubench.pipeline/../checkouts/jmrtd/51/original-src/sos/mrtd/sample/BACPanel.java
In Method:	MutualAuthPanel()
Code with Finding:	`class BACPanel.ChallengePanel { public void actionPerformed(ActionEvent ae) { rndICC = apduService.sendGetChallenge(); challengeField.setValue(rndICC); } }` `class BACPanel.MRZPanel { public void actionPerformed(ActionEvent ae) { try { byte[] keySeed = Util.computeKeySeed(docNrTF.getText(), dateOfBirthTF .getText(), dateOfExpiryTF.getText()); kEnc = Util.deriveKey(keySeed, Util.ENC_MODE); kMac = Util.deriveKey(keySeed, Util.MAC_MODE); kEncTF.setValue(kEnc.getEncoded()); kMacTF.setValue(kMac.getEncoded()); } catch (Exception e) { kEnc = null; kMac = null; kEncTF.clearText(); kMacTF.clearText(); } } }` class BACPanel.MutualAuthPanel { public MutualAuthPanel() { super(new BorderLayout()); setBorder(BorderFactory.createTitledBorder(PANEL_BORDER, "Mutual Authenticate")); JPanel top = new JPanel(new FlowLayout()); challengeField = new HexField(8); challengeField.setValue(Hex.hexStringToBytes("781723860C06C226")); keyField = new HexField(16); keyField.setValue(Hex .hexStringToBytes("0B795240CB7049B01C19B33E32804F0B")); JButton authButton = new JButton("Mutual Authenticate"); authButton.addActionListener(this); top.add(new JLabel("RND.IFD: ")); top.add(challengeField); top.add(new JLabel("K.IFD: ")); top.add(keyField); top.add(authButton); JPanel center = new JPanel(new FlowLayout()); plaintextField = new HexField(32); plaintextField.setEditable(false); center.add(new JLabel("[E.ICC]: ")); center.add(plaintextField); JPanel bottom = new JPanel(new GridLayout(3, 2)); ksEncTF = new HexField(24); ksEncTF.setEditable(false); ksMacTF = new HexField(24); ksMacTF.setEditable(false); sscTF = new HexField(8); sscTF.setEditable(false); bottom.add(new JLabel("KS.ENC: ", JLabel.RIGHT)); bottom.add(ksEncTF); bottom.add(new JLabel("KS.MAC: ", JLabel.RIGHT)); bottom.add(ksMacTF); bottom.add(new JLabel("SSC: ", JLabel.RIGHT)); bottom.add(sscTF); add(top, BorderLayout.NORTH); add(center, BorderLayout.CENTER); add(bottom, BorderLayout.SOUTH); } } class BACPanel.MutualAuthPanel { /** * FIXME: * preallocate kIFD, kICC, rndIFD, rndICC and copy here from TFs * to prevent allocate & gc. */ public void actionPerformed(ActionEvent ae) { try { rndIFD = challengeField.getValue(); kIFD = keyField.getValue(); byte[] plaintext = apduService.sendMutualAuth(rndIFD, rndICC, kIFD, kEnc, kMac); plaintextField.setValue(plaintext); if (kICC == null \|\| kICC.length < 16) { kICC = new byte[16]; } System.arraycopy(plaintext, 16, kICC, 0, 16); byte[] keySeed = new byte[16]; for (int i = 0; i < 16; i++) { keySeed[i] = (byte) ((kIFD[i] & 0x000000FF) ^ (kICC[i] & 0x000000FF)); } ksEnc = Util.deriveKey(keySeed, Util.ENC_MODE); ksMac = Util.deriveKey(keySeed, Util.MAC_MODE); ksEncTF.setValue(ksEnc.getEncoded()); ksMacTF.setValue(ksMac.getEncoded()); ssc = Util.computeSendSequenceCounter(rndICC, rndIFD); sscTF.setValue(ssc); SecureMessagingWrapper wrapper = new SecureMessagingWrapper(ksEnc, ksMac, ssc); authService.setWrapper(wrapper); } catch (Exception e) { e.printStackTrace(); } } }

Metadata

Hit	Rank	Confidence	Pattern Support	Pattern Violation	Target Environment Mapping	Violation Types
?	0	0.7690477	10

missing/call
misplaced/call
superfluous/call
missing/condition/null_check
missing/condition/value_or_state
missing/condition/synchronization
missing/condition/context
misplaced/condition/null_check
misplaced/condition/value_or_state
misplaced/condition/synchronization
misplaced/condition/context
superfluous/condition/null_check
superfluous/condition/value_or_state
superfluous/condition/synchronization
superfluous/condition/context
missing/exception_handling
misplaced/exception_handling
superfluous/exception_handling
missing/iteration
misplaced/iteration
superfluous/iteration
missing/exception handling
missing/method call
superflous/method call
superfluous/call/duplicate
superfluous/exception handling
missing/condition/environment
superfluous/condition/threading
missing/condition/threading
superfluous/condition/environment