We are using Spring Cloud Starter in a project which has the spring-security-rsa-1.0.3.RELEASE.jar dependency. Veracode has reported a vulnerability in RSAKeyHelper: the key size specified for this algorithm is not large enough. As per the remediation comments, the key size should be 2048 bits. Could you provide some guidance on fixing or mitigating this vulnerability? Also, could you explain under which flow/scenario the below method will get called?
Jar: spring-security-rsa-1.0.3.RELEASE.jar File: RSAKeyHelper.java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

// Flagged by Veracode: the RSA key pair is generated with a 1024-bit modulus.
static KeyPair generateKeyPair() {
    try {
        final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(1024); // below the recommended 2048 bits
        return keyGen.generateKeyPair();
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException(e);
    }
}
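As an added illustration (not code from spring-security-rsa or from the reporter), the following shows what the remediation looks like in application code: a 2048-bit replacement for the helper above, plus a guard that inspects the modulus length of any RSA key pair handed to signing or encryption code, so a 1024-bit pair like the one the library generates is rejected before use. The class name `RsaKeySizeCheck` and method names are assumptions.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAKey;
import java.security.spec.RSAKeyGenParameterSpec;

public final class RsaKeySizeCheck {
    // Minimum modulus length the Veracode finding asks for.
    static final int MIN_RSA_BITS = 2048;

    // Replacement for the 1024-bit helper: 2048-bit modulus, standard public exponent F4 (65537).
    static KeyPair generateKeyPair() {
        try {
            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
            keyGen.initialize(new RSAKeyGenParameterSpec(MIN_RSA_BITS, RSAKeyGenParameterSpec.F4));
            return keyGen.generateKeyPair();
        } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException e) {
            throw new IllegalStateException(e);
        }
    }

    // Modulus length in bits of an RSA key; rejects keys of any other algorithm.
    static int rsaModulusBits(Key key) {
        if (!(key instanceof RSAKey)) {
            throw new IllegalArgumentException("not an RSA key: " + key.getAlgorithm());
        }
        return ((RSAKey) key).getModulus().bitLength();
    }

    // Guard to place where a key pair enters signing/encryption code: short moduli never get used.
    static KeyPair requireMinimumKeySize(KeyPair pair) {
        int bits = rsaModulusBits(pair.getPublic());
        if (bits < MIN_RSA_BITS) {
            throw new IllegalStateException("RSA key too short: " + bits + " bits, need >= " + MIN_RSA_BITS);
        }
        return pair;
    }

    public static void main(String[] args) throws Exception {
        // A 1024-bit pair, as produced by the reported helper, is rejected; a 2048-bit pair passes.
        KeyPairGenerator weakGen = KeyPairGenerator.getInstance("RSA");
        weakGen.initialize(1024);
        try {
            requireMinimumKeySize(weakGen.generateKeyPair());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        KeyPair ok = requireMinimumKeySize(generateKeyPair());
        System.out.println("accepted: " + rsaModulusBits(ok.getPublic()) + " bits");
    }
}
```

The guard is also a cheap way to confirm the library's test-only key never reaches production code paths, independent of which class generated it.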
Comment From: rwinch
@dsyer Any thoughts on this?
Comment From: dsyer
I think it's mainly there for testing. Nobody has to use that key, and I'm not aware of anyone actually doing so. It's easy to find the code paths to it (and if it's not public, it's easy to put a bound on who is using it).
Comment From: rwinch
Closing as per the comment above and due to the fact that the code is not part of this project.