Description
Bug Name
getBytes() Without Explicit Charset in Signature Operations
Attack Scenario
All HMAC and private key signature operations call String.getBytes() with no charset argument, so the bytes that are signed depend on the JVM's default charset (Charset.defaultCharset()). On JDK 17 and earlier that default comes from the platform locale: a Windows host using Cp1252 or an Asian locale using Shift_JIS produces different byte sequences for the same string than a UTF-8 Linux host. Only pure-ASCII input is encoded identically by all of these charsets. JDK 18 and later default to UTF-8 (JEP 400), but the platform default can still be restored with -Dfile.encoding=COMPAT, so the code remains environment-dependent.
Impact
Signatures computed on one platform may not match those computed on another, causing intermittent "Invalid signature" errors that depend on the deployment environment. Because getBytes() never throws on characters the default charset cannot represent but silently substitutes the charset's replacement byte (typically '?'), the signed bytes on such a host may also no longer reflect the original request content.
Components
Files: clients/common/.../sign/HmacSignatureGenerator.java lines 19, 26. clients/common/.../websocket/HmacSignatureGenerator.java lines 19, 22. PrivateKey.java line 87.
Reproduction
- Deploy on a Windows system with Cp1252 as the default charset (or, on JDK 17 or earlier, start the JVM with -Dfile.encoding=Cp1252 on any platform).
- Sign a request containing non-ASCII characters.
- Signature differs from the same request signed on a UTF-8 Linux system.
Fix
Use getBytes(StandardCharsets.UTF_8) consistently in all signature operations, so that the bytes fed to the MAC or signature are the same on every platform and match what the verifier expects. A quick regression check is to search the signing code for getBytes() calls with no argument (for example grep -rn 'getBytes()' clients/common); none should remain in the HmacSignatureGenerator and PrivateKey classes.
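To make the mismatch visible from a single JVM, the following added example (written for this issue, not code from the project) signs a constructed payload with HMAC-SHA256 once with UTF-8 and once with each charset named above, passed explicitly to stand in for the platform default that getBytes() would pick up implicitly. The key, payload, class and helper names are assumptions made for the demo.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CharsetSigningDemo {

    // Constructed sample key and payload for the demo; not the project's real values.
    // The payload mixes ASCII, a Latin-1 character (é) and a Japanese character (あ).
    static final byte[] KEY = "demo-secret-key".getBytes(StandardCharsets.UTF_8);
    static final String PAYLOAD = "GET /v1/orders?note=caf\u00e9\u3042";

    // Hypothetical helper mirroring the reported pattern: the platform default charset
    // decides which bytes get signed. On a real host this is what data.getBytes() does
    // implicitly; the charset is passed explicitly here so other platforms' behaviour
    // can be shown from one JVM.
    static String signWithDefaultCharset(String data, Charset platformDefault) throws Exception {
        return hmacSha256Hex(data.getBytes(platformDefault));
    }

    // Hardened form: the bytes are identical on every platform.
    static String signUtf8(String data) throws Exception {
        return hmacSha256Hex(data.getBytes(StandardCharsets.UTF_8));
    }

    static String hmacSha256Hex(byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        StringBuilder hex = new StringBuilder();
        for (byte b : mac.doFinal(message)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String reference = signUtf8(PAYLOAD);
        System.out.println("UTF-8 signature     : " + reference);
        System.out.println("JVM default charset : " + Charset.defaultCharset());

        // Charsets named in the report. Shift_JIS lives in the jdk.charsets module and
        // may be absent from a minimal runtime image, hence the isSupported check.
        for (String name : new String[] {"windows-1252", "Shift_JIS"}) {
            if (!Charset.isSupported(name)) {
                System.out.println(name + ": not available in this runtime, skipped");
                continue;
            }
            Charset cs = Charset.forName(name);
            byte[] encoded = PAYLOAD.getBytes(cs);
            String sig = signWithDefaultCharset(PAYLOAD, cs);
            // getBytes() never throws on unmappable characters: it substitutes the
            // charset's replacement byte (usually '?'), so a round trip reveals the loss.
            boolean lossy = !new String(encoded, cs).equals(PAYLOAD);
            System.out.printf("%-13s signature: %s  bytes=%d  matchesUtf8=%b  lossy=%b%n",
                    name, sig, encoded.length, sig.equals(reference), lossy);
        }
    }
}
```

Compile and run with javac CharsetSigningDemo.java && java CharsetSigningDemo. For both non-UTF-8 charsets the signature differs from the UTF-8 reference, and the round trip flags the substitution of unmappable characters. To exercise the project's actual code path rather than this simulation, run the client on JDK 17 or earlier with -Dfile.encoding=Cp1252 and sign a request containing non-ASCII characters, as in the reproduction steps above.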
Details
Finding ID: MEDIUM-01
Severity: Medium
Researcher: Independent Security Researcher -- Mefai Security Team