Custom MessageDigest Implementation
Description
The application implements a custom java.security.MessageDigest, which is error-prone and not recommended. A standard Digest algorithm should be chosen instead.
Examples
Insecure Code
```java
class CustomDigest extends java.security.MessageDigest { ... }
```
Secure Code
```java
MessageDigest sha384Digest = MessageDigest.getInstance("SHA-384");
```
Remediation
Use a standard Digest algorithm like SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256.
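The following is an added example, not code from the rule page or from the tool it documents. It shows the remediated pattern in full: obtaining one of the listed standard algorithms from the JDK's own providers, handling the checked `NoSuchAlgorithmException`, comparing digests with `MessageDigest.isEqual` rather than `Arrays.equals`, and validating the provider against a published test vector. The class and method names are illustrative; `java.util.HexFormat` assumes Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Added example (not part of the rule page): hash with a standard JDK
// algorithm instead of subclassing java.security.MessageDigest yourself.
public final class StandardDigestExample {

    // One of the algorithms named in the remediation text; all of them are
    // supplied by the default JDK providers and need no custom implementation.
    private static final String ALGORITHM = "SHA-256";

    // Hash arbitrary bytes. A missing standard algorithm is a deployment
    // defect, so the checked exception is converted to an unchecked one.
    public static byte[] digest(byte[] input) {
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            return md.digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(ALGORITHM + " not available", e);
        }
    }

    // Hex-encode the digest of a UTF-8 string for logging or storage.
    public static String digestHex(String text) {
        byte[] raw = digest(text.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(raw);
    }

    // Compare two digests without stopping at the first differing byte,
    // so the comparison time does not leak how many leading bytes matched.
    public static boolean digestsMatch(byte[] a, byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Known-answer check against the FIPS 180-4 SHA-256 "abc" test vector.
        String expected =
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        String actual = digestHex("abc");
        if (!actual.equals(expected)) {
            throw new AssertionError("SHA-256 known-answer test failed: " + actual);
        }
        System.out.println("SHA-256(\"abc\") = " + actual);

        byte[] first = digest("abc".getBytes(StandardCharsets.UTF_8));
        byte[] second = digest("abc".getBytes(StandardCharsets.UTF_8));
        System.out.println("digests match: " + digestsMatch(first, second));
    }
}
```

The known-answer check is the kind of validation a custom implementation would have to earn on its own; with a standard provider it simply confirms the runtime is configured as expected.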
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0691 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | custom digest, insecure algorithm |
| OWASP | A6:2017-Security Misconfiguration, A04:2021-Insecure Design |