Misuse of cryptography-related APIs can create security vulnerabilities. This includes algorithms with known weaknesses, certain padding modes, the lack of integrity checks, insufficiently large key sizes, and insecure combinations of the previous items.
1function insecureCryptographyNoncompliant()
2{
3 var ciphers = [`TLS_DH_anon_WITH_AES_256_GCM_SHA384`,
4 `TLS_AES_128_GCM_SHA256`,
5 `ECDHE-ECDSA-AES128-GCM-SHA256`].join(':')
6 var options = {
7 hostname: 'www.example.com',
8 port: 443,
9 path: '/',
10 method: 'GET',
11 secureProtocol: 'TLSv1_2_method',
12 // Noncompliant: insecure TLS cipher suite is used.
13 ciphers:ciphers
14 }
15
16 var req = https.request(options, (res) => {
17 res.on('data', (d) => {
18 process.stdout.write(d)
19 })
20 })
21}
1function insecureCryptographyCompliant()
2{
3 var ciphers = [`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` ,
4 `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
5 `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
6 `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
7 `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
8 `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`,
9 `TLS_AES_128_GCM_SHA256`,
10 `TLS_AES_256_GCM_SHA384`,
11 '!aNULL',
12 '!eNULL',
13 '!NULL',
14 '!DES',
15 '!RC4',
16 '!MD5'].join(':')
17 var options = {
18 hostname: 'www.example.com',
19 port: 443,
20 path: '/',
21 method: 'GET',
22 secureProtocol: 'TLSv1_2_method',
23 // Compliant: secure TLS cipher suite is used.
24 ciphers:ciphers
25 }
26
27 var req = https.request(options, (res) => {
28 res.on('data', (d) => {
29 process.stdout.write(d)
30 })
31 })
32}