Java: Refactor RsaWithoutOaep.

Author: aschackmull

java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll

@@ -4,8 +4,12 @@ import java
 import Encryption
 import semmle.code.java.dataflow.DataFlow
 
-/** A configuration for finding RSA ciphers initialized without using OAEP padding. */
-class RsaWithoutOaepConfig extends DataFlow::Configuration {
+/**
+ * DEPRECATED: Use `RsaWithoutOaepFlow` instead.
+ *
+ * A configuration for finding RSA ciphers initialized without using OAEP padding.
+ */
+deprecated class RsaWithoutOaepConfig extends DataFlow::Configuration {
   RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
 
   override predicate isSource(DataFlow::Node src) {
@@ -21,3 +25,21 @@ class RsaWithoutOaepConfig extends DataFlow::Configuration {
     exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
   }
 }
+
+private module RsaWithoutOaepConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
+    exists(CompileTimeConstantExpr specExpr, string spec |
+      specExpr.getStringValue() = spec and
+      specExpr = src.asExpr() and
+      spec.matches("RSA/%") and
+      not spec.matches("%OAEP%")
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
+  }
+}
+
+/** Flow for finding RSA ciphers initialized without using OAEP padding. */
+module RsaWithoutOaepFlow = DataFlow::Make<RsaWithoutOaepConfig>;

java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql

@@ -12,9 +12,9 @@
 
 import java
 import semmle.code.java.security.RsaWithoutOaepQuery
-import DataFlow::PathGraph
+import RsaWithoutOaepFlow::PathGraph
 
-from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-where conf.hasFlowPath(source, sink)
+from RsaWithoutOaepFlow::PathNode source, RsaWithoutOaepFlow::PathNode sink
+where RsaWithoutOaepFlow::hasFlowPath(source, sink)
 select source, source, sink, "This specification is used to $@ without OAEP padding.", sink,
   "initialize an RSA cipher"

java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql

@@ -3,12 +3,10 @@ import TestUtilities.InlineExpectationsTest
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.RsaWithoutOaepQuery
 
-class EnableLegacy extends EnableLegacyConfiguration {
-  EnableLegacy() { exists(this) }
-}
-
 class HasFlowTest extends InlineFlowTest {
-  override DataFlow::Configuration getTaintFlowConfig() { result instanceof RsaWithoutOaepConfig }
+  override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() }
 
-  override DataFlow::Configuration getValueFlowConfig() { none() }
+  override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) {
+    RsaWithoutOaepFlow::hasFlow(src, sink)
+  }
 }