Insecure Usage of JCA

[akwick]

Describe the bug During an empirical study to understand the nature of cryptographic misuses in enterprise-driven projects on GitHub, we randomly inspected a few of the misuses. One of the misuses for which we could confirm as a true positive of the analysis, CogniCryptSAST, is in this project. In the class RpcSever, a key is passed as a string and that is considered insecure. In Java, strings are immutable and stay in memory until collected by Java's garbage collector. Thus, they are longer visible in memory for attackers than necessary and outside of the direct control of the developer. The suggested data types by the JCA are bytes. JCA Documentation

Expected behavior

I expect a secure usage of the crypto libraries.

Actual behavior

We observed an insecure usage of the JCA.

Steps to reproduce

1. Apply CogniCryptSAST to the project
2. Inspect the misuses reported

Minimal yet complete reproducer code (or GitHub URL to code)

• In Line 397 RpcSever the second parameter passed was previously a string (l. 390. 386)

Environment

This API misuse still exists in the current main branch.

[chuailiwu]

welcome to submit a PR to fix it～

[akwick]

The PR would require changing every sensitive usage to a byte array when a string is used. That also would change the API. Thus, I think I am not the right person to tackle this problem as I am not deep enough into the project.