CXX.SV.PRIVATE_KEY.EMPTY_PASSWD

Attempt to serialize private key in an unauthorized way

Klocwork reports a CXX.SV.PRIVATE_KEY.EMPTY_PASSWD defect when an empty password is used to store a private key in public key infrastructure (PKI) based authentication, which can lead to unauthorized access.

Vulnerability and risk

If a private key is stolen, this can compromise the authentication gained through PKI because an attacker can use the private key to digitally sign documents and pretend to be the authorized user.

Mitigation and prevention

We recommend encrypting the private key when it is stored, using a cipher together with a non-empty password.

Vulnerable code example

#include <QOpcUaProvider>
#include <QOpcUaKeyPair>
#include <QFile>
int main()
{
    // Generate RSA Key
    QOpcUaKeyPair key;
    key.generateRsaKey(QOpcUaKeyPair::RsaKeyStrength::Bits1024);

    // Save private key to file
    QByteArray keyData = key.privateKeyToByteArray(QOpcUaKeyPair::Cipher::Aes128Cbc, "");

    QFile keyFile("privateKey.pem");
    if (!keyFile.open(QFile::WriteOnly))
        return 1;
    keyFile.write(keyData);
    keyFile.close();
    return 0;
}

Klocwork reports a CXX.SV.PRIVATE_KEY.EMPTY_PASSWD defect on line 11, indicating, “Attempt to serialize private key in an unauthorized way. Consider encrypting with non-empty password.” The call to the QOpcUaKeyPair::privateKeyToByteArray method passes an empty password, which means the private key is stored with an empty password and is prone to unauthorized access.

Fixed code example

#include <QOpcUaProvider>
#include <QOpcUaKeyPair>
#include <QFile>
int main()
{
    // Generate RSA Key
    QOpcUaKeyPair key;
    key.generateRsaKey(QOpcUaKeyPair::RsaKeyStrength::Bits1024);

    // Save private key to file, encrypted with a non-empty password
    QByteArray keyData = key.privateKeyToByteArray(QOpcUaKeyPair::Cipher::Aes128Cbc, "K016w81");

    QFile keyFile("privateKey.pem");
    if (!keyFile.open(QFile::WriteOnly))
        return 1;
    keyFile.write(keyData);
    keyFile.close();
    return 0;
}

Klocwork no longer reports a CXX.SV.PRIVATE_KEY.EMPTY_PASSWD defect because a non-empty password (“K016w81”) is now used to encrypt the private key.
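A password that is read at run time, for example from the environment, can also turn out to be empty, so a guard in front of the serialization call is a useful complement. The following is an added example, not code from Klocwork or Qt: `KeySerializer` is a stand-in for a call such as `privateKeyToByteArray` so that it compiles without Qt, and the function names and `kMinPassphraseLength` are assumptions made for illustration.

```cpp
#include <cstdlib>
#include <functional>
#include <stdexcept>
#include <string>

// Hypothetical policy value for this example; pick one that fits your environment.
constexpr std::size_t kMinPassphraseLength = 12;

// Stand-in (assumption) for a call such as
//   key.privateKeyToByteArray(QOpcUaKeyPair::Cipher::Aes128Cbc, passphrase)
using KeySerializer = std::function<std::string(const std::string &passphrase)>;

// Reads the passphrase from an environment variable instead of a source literal.
// Returns an empty string when the variable is not set.
std::string passphraseFromEnv(const char *name)
{
    const char *value = std::getenv(name);
    return value ? std::string(value) : std::string();
}

// Returns an empty string when the passphrase is acceptable, otherwise the reason.
std::string passphraseProblem(const std::string &passphrase)
{
    if (passphrase.empty())
        return "passphrase is empty";
    if (passphrase.find_first_not_of(" \t\r\n") == std::string::npos)
        return "passphrase is only whitespace";
    if (passphrase.size() < kMinPassphraseLength)
        return "passphrase is shorter than the minimum length";
    return {};
}

// Refuses to serialize the key unless the passphrase passes the checks above,
// so an unset or blank configuration value never reaches the serializer.
std::string serializePrivateKey(const KeySerializer &serialize,
                                const std::string &passphrase)
{
    const std::string problem = passphraseProblem(passphrase);
    if (!problem.empty())
        throw std::invalid_argument("refusing to serialize private key: " + problem);
    return serialize(passphrase);
}
```
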

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis and the PK.EMPTY_PWD.SINK knowledge base for more information.