Java Hardcoded KeyParameter Use
Description
This detector identifies hardcoded cryptographic keys passed to BouncyCastle's KeyParameter constructor. A key embedded in source code is a serious weakness: anyone who can read the source (or the compiled artifact built from it) can recover the key through code review, and with it decrypt any data that key protects.
Detection Strategy
• The code imports BouncyCastle's KeyParameter class (org.bouncycastle.crypto.params.KeyParameter or wildcard import org.bouncycastle.crypto.params.*)
• A KeyParameter constructor is called in the code
• The first argument to the KeyParameter constructor contains hardcoded byte values (literal byte arrays, strings, or other compile-time constants)
• The detector flags the location where the hardcoded key material is defined as the vulnerability point
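The four-step strategy above, implemented as a small scanner over Java source text. This is an added example written for this page, not Fluid Attacks' detector code; the regular expressions, the `Finding` type and the two Java samples (`VULNERABLE_SRC`, `SECURE_SRC`) are constructed for illustration. It goes one step beyond the page's own example by resolving a `static final` constant defined in the same file, so the reported line is the constant's definition rather than the constructor call.

```python
import re
from dataclasses import dataclass

# Constructed Java samples (assumption: not taken from the page or from the detector's tests).
VULNERABLE_SRC = """\
import org.bouncycastle.crypto.params.KeyParameter;

public class HardcodedKey {
    private static final byte[] KEY = new byte[]{1, 2, 3, 4, 5, 6, 7, 8};

    public void encrypt() {
        KeyParameter a = new KeyParameter(new byte[]{1, 2, 3, 4, 5, 6, 7, 8});
        KeyParameter b = new KeyParameter("0123456789abcdef".getBytes());
        KeyParameter c = new KeyParameter(KEY);
    }
}
"""
SECURE_SRC = """\
import java.util.Base64;
import org.bouncycastle.crypto.params.*;
public class EnvKey {
    public void encrypt() {
        byte[] key = Base64.getDecoder().decode(System.getenv("ENCRYPTION_KEY"));
        KeyParameter keyParam = new KeyParameter(key);
    }
}
"""

# Step 1: explicit or wildcard import of KeyParameter.
IMPORT_RE = re.compile(
    r"^\s*import\s+org\.bouncycastle\.crypto\.params\.(?:KeyParameter|\*)\s*;", re.M)
# Step 2: a KeyParameter constructor call.
CTOR_RE = re.compile(r"new\s+KeyParameter\s*\(")
# Step 3: compile-time constant key material (byte-array literal, string literal, or a name).
BYTE_ARRAY_RE = re.compile(r"^new\s+byte\s*\[\s*\]\s*\{[^}]*\}$")
STRING_RE = re.compile(r'^"(?:[^"\\]|\\.)*"(?:\s*\.\s*getBytes\s*\([^)]*\))?$')
IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


@dataclass
class Finding:
    line: int      # reported line: where the key material is defined (step 4)
    key_expr: str  # offending expression or constant name
    reason: str


def first_argument(src: str, start: int) -> str:
    """Text of the first constructor argument, starting just after '('. Tracks bracket
    depth and skips string literals so a nested ',' or ')' does not end it early."""
    depth, i, buf = 0, start, []
    while i < len(src):
        ch = src[i]
        if ch == '"':  # copy a whole string literal, honouring backslash escapes
            end = i + 1
            while end < len(src) and src[end] != '"':
                end += 2 if src[end] == "\\" else 1
            buf.append(src[i:end + 1])
            i = end + 1
            continue
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            break
        buf.append(ch)
        i += 1
    return "".join(buf).strip()


def is_literal_key(expr: str) -> bool:
    return bool(BYTE_ARRAY_RE.match(expr) or STRING_RE.match(expr))


def constant_definition(src: str, name: str):
    """Offset of the initializer if `name` is a static final byte[]/String set to a literal."""
    pattern = (r"\b(?:static\s+final|final\s+static)\s+(?:byte\s*\[\s*\]|String)\s+"
               + re.escape(name) + r"\s*=\s*([^;]+);")
    m = re.search(pattern, src)
    if m and is_literal_key(m.group(1).strip()):
        return m.start(1)
    return None


def scan(src: str) -> list[Finding]:
    """Run the four-step strategy over one Java source file."""
    findings: list[Finding] = []
    if not IMPORT_RE.search(src):  # step 1 gates everything else
        return findings
    for call in CTOR_RE.finditer(src):  # step 2
        arg = first_argument(src, call.end())
        if is_literal_key(arg):  # step 3, literal passed directly
            findings.append(Finding(src.count("\n", 0, call.start()) + 1, arg,
                                    "literal key passed directly"))
        elif IDENT_RE.match(arg):  # step 3, literal held in a same-file constant
            pos = constant_definition(src, arg)
            if pos is not None:  # step 4: report the definition, not the call
                findings.append(Finding(src.count("\n", 0, pos) + 1, arg,
                                        "constant initialised with a literal key"))
    return findings
```

Running `scan(VULNERABLE_SRC)` reports lines 7, 8 and 4 (the third finding points at the `KEY` definition); `scan(SECURE_SRC)` reports nothing because `key` is not a compile-time constant. Two limits are worth keeping in mind when comparing this toy to a real detector: it only resolves constants declared in the same file, and the import gate means a fully qualified `new org.bouncycastle.crypto.params.KeyParameter(...)` without an import is not examined. A production detector works on an AST with data-flow tracking rather than regular expressions.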
Vulnerable code example
    import org.bouncycastle.crypto.params.KeyParameter;

    public class HardcodedKey {
        public void encrypt() {
            // Hardcoded key - security risk if compromised
            KeyParameter keyParam = new KeyParameter(new byte[]{1, 2, 3, 4, 5, 6, 7, 8});
        }
    }

✅ Secure code example
    import java.util.Base64;
    import org.bouncycastle.crypto.params.KeyParameter;

    public class HardcodedKey {
        public void encrypt() {
            // Key loaded from environment - never hardcoded in source
            byte[] key = Base64.getDecoder().decode(System.getenv("ENCRYPTION_KEY"));
            KeyParameter keyParam = new KeyParameter(key);
        }
    }