Info Call to Crypto API

Description

List of all calls to cryptographic methods.

Recommendation

Do not use insecure or weak cryptographic algorithms. For example, the Data Encryption Standard (DES) encryption algorithm is considered highly insecure.

Do not use Object.equals() to compare cryptographic keys

Cryptographic keys should never be serialized

Technical details

Method com.google.appinventor.components.runtime.util.AppInvHTTPD.serve() calling method javax.crypto.spec.SecretKeySpec.<init>()


    /**
     * Handles one HTTP request for the companion's embedded NanoHTTPD server and builds
     * the response.
     *
     * <p>This listing is decompiler output, not the original source: constructor calls are
     * rendered as {@code v24(this, ...)}, several locals carry nonsense types
     * ({@code void v36_1}, {@code String v29_38 = 0}), and locals declared inside a
     * {@code try} are used after it. Control flow that looks unreachable or unassigned
     * below is most likely a decompilation artifact; confirm against the real source.
     *
     * <p>Paths handled (in the non-secure branch):
     * <ul>
     *   <li>OPTIONS — logs the request headers and answers "OK" with CORS headers.</li>
     *   <li>/_newblocks — verifies an HMAC and a sequence number over the supplied
     *       parameters, then evaluates the supplied code in the Scheme runtime.</li>
     *   <li>/_values — returns {@code RetValManager.fetch(1)} as JSON.</li>
     *   <li>/_getversion — returns package version / fingerprint / installer as JSON.</li>
     *   <li>anything else — served from {@code this.rootDir} via {@code serveFile}.</li>
     * </ul>
     *
     * @param p37 request URI; compared against "/_newblocks", "/_values", "/_getversion"
     * @param p38 HTTP method; only "OPTIONS" is special-cased
     * @param p39 request headers (logged as "HDR:" on OPTIONS, passed to serveFile)
     * @param p40 request parameters; "seq", "blockid", "code" and "mac" are read
     * @param p41 not referenced in this method
     * @param p42 client socket; its remote address is inspected when {@code this.secure}
     * @return the response to send. In the decompiled form the secure-mode loopback path
     *         (L188-189 below) leaves the response unassigned — presumably the original
     *         falls through to normal handling there; verify.
     */
    public com.google.appinventor.components.runtime.util.NanoHTTPD$Response serve(String p37, String p38, java.util.Properties p39, java.util.Properties p40, java.util.Properties p41, java.net.Socket p42)
    {
        com.google.appinventor.components.runtime.util.NanoHTTPD$Response v24;
        // Every request is logged with its method and URI.
        android.util.Log.d("AppInvHTTPD", new StringBuilder().append(p38).append(" \'").append(p37).append("\' ").toString());
        if (!this.secure) {
            if (!p38.equals("OPTIONS")) {
                if (!p37.equals("/_newblocks")) {
                    if (!p37.equals("/_values")) {
                        if (!p37.equals("/_getversion")) {
                            // Default: static file from rootDir (4th arg presumably allowDirectoryListing — confirm).
                            v24 = this.serveFile(p37, p39, this.rootDir, 1);
                        } else {
                            try {
                                String v17;
                                String v23 = this.form.getPackageName();
                                android.content.pm.PackageInfo v22 = this.form.getPackageManager().getPackageInfo(v23, 0);
                            } catch (android.content.pm.PackageManager$NameNotFoundException v21) {
                                v21.printStackTrace();
                                v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                                // BUG (in source, not decompiler): key is misspelled "verison" and the
                                // closing "}" is missing, so this body is not valid JSON.
                                v24(this, "200 OK", "application/json", "{\"verison\" : \"Unknown\"");
                                v24.addHeader("Access-Control-Allow-Origin", "*");
                                v24.addHeader("Access-Control-Allow-Headers", "origin, content-type");
                                v24.addHeader("Access-Control-Allow-Methods", "POST,OPTIONS,GET,HEAD,PUT");
                                v24.addHeader("Allow", "POST,OPTIONS,GET,HEAD,PUT");
                                // NOTE(review): resetting the static seq and posting AppInvHTTPD$1 to the
                                // UI handler inside a NameNotFound catch looks misplaced — likely code from
                                // another path merged here by the decompiler; confirm against source.
                                if (this.secure) {
                                    com.google.appinventor.components.runtime.util.AppInvHTTPD.seq = 1;
                                    String v29_9 = this.androidUIHandler;
                                    String v30_10 = new com.google.appinventor.components.runtime.util.AppInvHTTPD$1;
                                    v30_10(this);
                                    v29_9.post(v30_10);
                                }
                            }
                            // Installer lookup needs API level 5+; otherwise (or if null) report "Not Known".
                            if (com.google.appinventor.components.runtime.util.SdkLevel.getLevel() < 5) {
                                v17 = "Not Known";
                            } else {
                                v17 = com.google.appinventor.components.runtime.util.EclairUtil.getInstallerPackageName("edu.mit.appinventor.aicompanion3", this.form);
                            }
                            if (v17 == null) {
                                v17 = "Not Known";
                            }
                            // v22 is only assigned inside the try above; in the original the catch
                            // presumably returns early (decompiler flattened it).
                            v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                            v24(this, "200 OK", "application/json", new StringBuilder().append("{\"version\" : \"").append(v22.versionName).append("\", \"fingerprint\" : \"").append(android.os.Build.FINGERPRINT).append("\", \"installer\" : \"").append(v17).append("\", \"package\" : \"").append(v23).append("\", \"fqcn\" : true }").toString());
                        }
                    } else {
                        // /_values: hand back pending return values; no MAC check on this path.
                        v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                        v24(this, "200 OK", "application/json", com.google.appinventor.components.runtime.util.RetValManager.fetch(1));
                        v24.addHeader("Access-Control-Allow-Origin", "*");
                        v24.addHeader("Access-Control-Allow-Headers", "origin, content-type");
                        v24.addHeader("Access-Control-Allow-Methods", "POST,OPTIONS,GET,HEAD,PUT");
                        v24.addHeader("Allow", "POST,OPTIONS,GET,HEAD,PUT");
                    }
                } else {
                    // /_newblocks: the code-evaluation endpoint. The HMAC below is the only
                    // authentication of the caller; everything after it trusts the parameters.
                    void v36_1 = this.adoptMainThreadClassLoader();
                    String v15 = p40.getProperty("seq", "0");
                    // NumberFormatException is not caught here; a non-numeric "seq" propagates.
                    int v18 = Integer.parseInt(v15);
                    String v6 = p40.getProperty("blockid");
                    String v7_0 = p40.getProperty("code");
                    // A missing "mac" gets a sentinel that can never equal a hex digest.
                    String v14 = p40.getProperty("mac", "no key provided");
                    String v16 = v7_0;
                    if (com.google.appinventor.components.runtime.util.AppInvHTTPD.hmacKey == null) {
                        // Fail closed: without a key nothing can be verified, so refuse (error 1801).
                        android.util.Log.e("AppInvHTTPD", "No HMAC Key");
                        String v29_22 = v36_1.form;
                        String v30_20 = v36_1.form;
                        com.google.appinventor.components.runtime.util.NanoHTTPD$Response v0_31 = new Object[1];
                        Object[] v33_1 = v0_31;
                        v33_1[0] = "No HMAC Key";
                        v29_22.dispatchErrorOccurredEvent(v30_20, "AppInvHTTPD", 1801, v33_1);
                        v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                        v24(v36_1, "200 OK", "application/json", "{\"status\" : \"BAD\", \"message\" : \"Security Error: No HMAC Key\"}");
                    } else {
                        try {
                            // HMAC-SHA1 keyed with the static hmacKey. SHA-1 inside HMAC is not
                            // broken the way bare SHA-1 is, but HmacSHA256 is the current default choice.
                            javax.crypto.Mac v12 = javax.crypto.Mac.getInstance("HmacSHA1");
                            javax.crypto.spec.SecretKeySpec v19 = new javax.crypto.spec.SecretKeySpec;
                            v19(com.google.appinventor.components.runtime.util.AppInvHTTPD.hmacKey, "RAW");
                            v12.init(v19);
                            // MAC input is code + seq + blockid concatenated with no delimiter or length
                            // prefix, so different (code, seq, blockid) splits can yield the same input
                            // string. getBytes() also uses the platform default charset — prefer an
                            // explicit UTF-8 and an unambiguous encoding of the three fields.
                            byte[] v26 = v12.doFinal(new StringBuilder().append(v7_0).append(v15).append(v6).toString().getBytes());
                            StringBuffer v25 = new StringBuffer;
                            v25((v26.length * 2));
                            java.util.Formatter v11_1 = new java.util.Formatter(v25);
                            String v30_23 = v26.length;
                            String v29_38 = 0;
                        } catch (Exception v9_0) {
                            // Any crypto failure (unknown algorithm, bad key) is reported and refused.
                            android.util.Log.e("AppInvHTTPD", "Error working with hmac", v9_0);
                            String v29_85 = v36_1.form;
                            String v30_78 = v36_1.form;
                            com.google.appinventor.components.runtime.util.NanoHTTPD$Response v0_100 = new Object[1];
                            Object[] v33_8 = v0_100;
                            v33_8[0] = "Exception working on HMAC";
                            v29_85.dispatchErrorOccurredEvent(v30_78, "AppInvHTTPD", 1801, v33_8);
                            v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                            v24(v36_1, "200 OK", "text/plain", "NOT");
                        }
                        // Hex-encode the digest. Formatter's %02x on a Byte renders negative values
                        // as their unsigned 8-bit form, so this yields the usual lowercase hex.
                        // (This loop belongs inside the try above; the decompiler hoisted it.)
                        while (v29_38 < v30_23) {
                            com.google.appinventor.components.runtime.util.NanoHTTPD$Response v0_91 = new Object[1];
                            int v32_10 = v0_91;
                            v32_10[0] = Byte.valueOf(v26[v29_38]);
                            v11_1.format("%02x", v32_10);
                            v29_38++;
                        }
                        String v8 = v25.toString();
                        // Debug logging of both MACs and both sequence numbers. Logging the computed
                        // MAC exposes verification material in logcat; consider dropping it in release.
                        android.util.Log.d("AppInvHTTPD", new StringBuilder().append("Incoming Mac = ").append(v14).toString());
                        android.util.Log.d("AppInvHTTPD", new StringBuilder().append("Computed Mac = ").append(v8).toString());
                        android.util.Log.d("AppInvHTTPD", new StringBuilder().append("Incoming seq = ").append(v15).toString());
                        android.util.Log.d("AppInvHTTPD", new StringBuilder().append("Computed seq = ").append(com.google.appinventor.components.runtime.util.AppInvHTTPD.seq).toString());
                        android.util.Log.d("AppInvHTTPD", new StringBuilder().append("blockid = ").append(v6).toString());
                        // String.equals short-circuits on the first differing character, i.e. it is
                        // not constant-time. Comparing the raw digest bytes with
                        // MessageDigest.isEqual(...) is the standard fix for MAC verification.
                        if (v14.equals(v8)) {
                            // Accept the expected seq, or one behind it ("fixup"), then advance to v18+1.
                            // NOTE(review): the one-behind allowance means a request repeated with the
                            // previous seq is still accepted once; if that is not a deliberate retry
                            // window, tightening to seq == v18 closes it.
                            if ((com.google.appinventor.components.runtime.util.AppInvHTTPD.seq == v18) || (com.google.appinventor.components.runtime.util.AppInvHTTPD.seq == (v18 + 1))) {
                                if (com.google.appinventor.components.runtime.util.AppInvHTTPD.seq == (v18 + 1)) {
                                    android.util.Log.e("AppInvHTTPD", "Seq Fixup Invoked");
                                }
                                com.google.appinventor.components.runtime.util.AppInvHTTPD.seq = (v18 + 1);
                                // Wrap the submitted code in a process-repl-input form tagged with blockid.
                                String v7_1 = new StringBuilder().append("(begin (require <com.google.youngandroid.runtime>) (process-repl-input ").append(v6).append(" (begin ").append(v7_0).append(" )))").toString();
                                android.util.Log.d("AppInvHTTPD", new StringBuilder().append("To Eval: ").append(v7_1).toString());
                                try {
                                    // "#f" is a no-op marker; anything else is evaluated. v16 is v7_0 (L77).
                                    if (!v16.equals("#f")) {
                                        v36_1.scheme.eval(v7_1);
                                        v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                                        v24(v36_1, "200 OK", "application/json", com.google.appinventor.components.runtime.util.RetValManager.fetch(0));
                                    } else {
                                        // In this decompiled form v24 stays unassigned on the "#f" path.
                                        android.util.Log.e("AppInvHTTPD", "Skipping evaluation of #f");
                                    }
                                } catch (Throwable v10) {
                                    // Evaluation errors are reported back to the caller as a "BAD" return value.
                                    android.util.Log.e("AppInvHTTPD", "newblocks: Scheme Failure", v10);
                                    com.google.appinventor.components.runtime.util.RetValManager.appendReturnValue(v6, "BAD", v10.toString());
                                    v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                                    v24(v36_1, "200 OK", "application/json", com.google.appinventor.components.runtime.util.RetValManager.fetch(0));
                                }
                                v24.addHeader("Access-Control-Allow-Origin", "*");
                                v24.addHeader("Access-Control-Allow-Headers", "origin, content-type");
                                v24.addHeader("Access-Control-Allow-Methods", "POST,OPTIONS,GET,HEAD,PUT");
                                v24.addHeader("Allow", "POST,OPTIONS,GET,HEAD,PUT");
                            } else {
                                // Valid MAC but out-of-window seq: refuse and report (error 1801).
                                android.util.Log.e("AppInvHTTPD", "Seq does not match");
                                String v29_77 = v36_1.form;
                                String v30_70 = v36_1.form;
                                com.google.appinventor.components.runtime.util.NanoHTTPD$Response v0_79 = new Object[1];
                                Object[] v33_3 = v0_79;
                                v33_3[0] = "Invalid Seq";
                                v29_77.dispatchErrorOccurredEvent(v30_70, "AppInvHTTPD", 1801, v33_3);
                                v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                                v24(v36_1, "200 OK", "application/json", "{\"status\" : \"BAD\", \"message\" : \"Security Error: Invalid Seq\"}");
                            }
                        } else {
                            // MAC mismatch: refuse and report (error 1801). Note the HTTP status is
                            // still "200 OK"; the failure is only visible in the JSON body.
                            android.util.Log.e("AppInvHTTPD", "Hmac does not match");
                            String v29_81 = v36_1.form;
                            String v30_73 = v36_1.form;
                            com.google.appinventor.components.runtime.util.NanoHTTPD$Response v0_87 = new Object[1];
                            Object[] v33_5 = v0_87;
                            v33_5[0] = "Invalid HMAC";
                            v29_81.dispatchErrorOccurredEvent(v30_73, "AppInvHTTPD", 1801, v33_5);
                            v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                            v24(v36_1, "200 OK", "application/json", "{\"status\" : \"BAD\", \"message\" : \"Security Error: Invalid MAC\"}");
                        }
                    }
                }
            } else {
                // OPTIONS: dump every request header to the debug log, then answer with
                // wide-open CORS headers (Access-Control-Allow-Origin: *).
                Exception v9_1 = p39.propertyNames();
                while (v9_1.hasMoreElements()) {
                    String v27_1 = ((String) v9_1.nextElement());
                    android.util.Log.d("AppInvHTTPD", new StringBuilder().append("  HDR: \'").append(v27_1).append("\' = \'").append(p39.getProperty(v27_1)).append("\'").toString());
                }
                v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                v24(this, "200 OK", "text/plain", "OK");
                v24.addHeader("Access-Control-Allow-Origin", "*");
                v24.addHeader("Access-Control-Allow-Headers", "origin, content-type");
                v24.addHeader("Access-Control-Allow-Methods", "POST,OPTIONS,GET,HEAD,PUT");
                v24.addHeader("Allow", "POST,OPTIONS,GET,HEAD,PUT");
            }
        } else {
            // Secure mode: only connections from the IPv4 loopback address are allowed.
            // The empty then-branch is a decompiler artifact — the original presumably
            // jumps back into the normal handler above for loopback callers.
            String v13 = p42.getInetAddress().getHostAddress();
            if (v13.equals("127.0.0.1")) {
            } else {
                // Non-loopback caller in secure mode: refuse, echoing the source address.
                android.util.Log.d("AppInvHTTPD", new StringBuilder().append("Debug: hostAddress = ").append(v13).append(" while in secure mode, closing connection.").toString());
                v24 = new com.google.appinventor.components.runtime.util.NanoHTTPD$Response;
                v24(this, "200 OK", "application/json", new StringBuilder().append("{\"status\" : \"BAD\", \"message\" : \"Security Error: Invalid Source Location ").append(v13).append("\"}").toString());
                v24.addHeader("Access-Control-Allow-Origin", "*");
                v24.addHeader("Access-Control-Allow-Headers", "origin, content-type");
                v24.addHeader("Access-Control-Allow-Methods", "POST,OPTIONS,GET,HEAD,PUT");
                v24.addHeader("Allow", "POST,OPTIONS,GET,HEAD,PUT");
            }
        }
        return v24;
    }