
Commit 0fa05d4

Jami Cogswelljcogs33
authored andcommitted
add shared key sizes
1 parent 2976daa commit 0fa05d4


5 files changed

+42
-6
lines changed

5 files changed

+42
-6
lines changed

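--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -580,5 +580,9 @@
 "IncompleteMultiCharacterSanitization JS/Ruby": [
 "javascript/ql/lib/semmle/javascript/security/IncompleteMultiCharacterSanitizationQuery.qll",
 "ruby/ql/lib/codeql/ruby/security/IncompleteMultiCharacterSanitizationQuery.qll"
+],
+"EncryptionKeySizes Python/Java": [
+"python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll",
+"java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
 ]
 }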

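--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -2,6 +2,7 @@
 
 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.EncryptionKeySizes
 
 /** A source for an insufficient key size. */
 abstract class InsufficientKeySizeSource extends DataFlow::Node {
@@ -42,7 +43,7 @@ private module Asymmetric {
 }
 
 /** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
-private int getMinKeySize() { result = 2048 }
+private int getMinKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
 
 /** An instance of an RSA, DSA, or DH algorithm specification. */
 private class Spec extends ClassInstanceExpr {
@@ -87,7 +88,7 @@ private module Asymmetric {
 }
 
 /** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-private int getMinKeySize() { result = 256 }
+private int getMinKeySize() { result = minSecureKeySizeAsymmetricEc() }
 
 /** Returns the key size from an EC algorithm's curve name string */
 bindingset[algorithm]
@@ -168,7 +169,7 @@ private module Symmetric {
 }
 
 /** Returns the minimum recommended key size for AES algorithms. */
-private int getMinKeySize() { result = 128 }
+private int getMinKeySize() { result = minSecureKeySizeSymmetric() }
 
 /** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
 private class KeyGenInit extends MethodAccess {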
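Review bot: The import added at the top of this file, `private import semmle.code.java.security.EncryptionKeySizes`, does not match the path this commit registers in config/identical-files.json, `java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll`, while the Python side imports from `security.internal`. The new Java file's own path is not shown on this page, so this is inferred, but if the file lives under `internal/` the line should read `private import semmle.code.java.security.internal.EncryptionKeySizes`. Otherwise the three `getMinKeySize` predicates changed in the later hunks would call names that do not resolve. The Java thresholds themselves (2048, 256, 128) are unchanged by the substitution.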
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
/**
2+
* INTERNAL: Do not use.
3+
*
4+
* Provides predicates for recommended encryption key sizes.
5+
* Such that we can share this logic across our CodeQL analysis of different languages.
6+
*/
7+
8+
/** Returns the minimum recommended key size for asymmetric algorithms (RSA, DSA, and DH). */
9+
int minSecureKeySizeAsymmetricNonEc() { result = 2048 }
10+
11+
/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
12+
int minSecureKeySizeAsymmetricEc() { result = 256 }
13+
14+
/** Returns the minimum recommended key size for symmetric algorithmms (AES). */
15+
int minSecureKeySizeSymmetric() { result = 128 }
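Review bot: The QLDoc in this new file needs a pass before it is duplicated across languages: `algorithmms` in the last comment is a typo, and the header sentence `Such that we can share this logic across our CodeQL analysis of different languages.` is a fragment. It could be folded into the line above it as `Provides predicates for recommended encryption key sizes, shared across the CodeQL libraries for different languages.`. The three minimums are security policy that every key-size check in both languages now inherits, yet nothing says where 2048, 256 and 128 come from; a one-line comment naming the guidance they follow would make a later threshold change reviewable. Because the file is registered in config/identical-files.json, the same edits are needed in the second, identical 15-line copy further down the page.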

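--- a/python/ql/lib/semmle/python/Concepts.qll
+++ b/python/ql/lib/semmle/python/Concepts.qll
@@ -9,6 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.TaintTracking
 private import semmle.python.Frameworks
+private import semmle.python.security.internal.EncryptionKeySizes
 
 /**
 * A data-flow node that executes an operating system command,
@@ -1141,21 +1142,21 @@ module Cryptography {
 abstract class RsaRange extends Range {
 final override string getName() { result = "RSA" }
 
-final override int minimumSecureKeySize() { result = 2048 }
+final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
 }
 
 /** A data-flow node that generates a new DSA key-pair. */
 abstract class DsaRange extends Range {
 final override string getName() { result = "DSA" }
 
-final override int minimumSecureKeySize() { result = 2048 }
+final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
 }
 
 /** A data-flow node that generates a new ECC key-pair. */
 abstract class EccRange extends Range {
 final override string getName() { result = "ECC" }
 
-final override int minimumSecureKeySize() { result = 224 }
+final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricEc() }
 }
 }
 }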
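Review bot: `EccRange.minimumSecureKeySize()` changes value in the second hunk, from 224 to 256, because it now delegates to `minSecureKeySizeAsymmetricEc()`, while the RSA and DSA overrides keep 2048. Under a commit titled "add shared key sizes" this is an undeclared tightening: Python code generating 224-bit EC keys would presumably start being reported, though the query that consumes this predicate is not on this page. A 224-bit curve is usually rated at about 112 bits of strength, the same level as the RSA-2048 minimum that is kept, so the shared thresholds are not at equal strength. If the tightening is intended, say so in the commit message and add a change note with updated test expectations; if not, keep `result = 224` for Python until that is decided. The enclosing `module Cryptography` starts outside the hunk.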
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
/**
2+
* INTERNAL: Do not use.
3+
*
4+
* Provides predicates for recommended encryption key sizes.
5+
* Such that we can share this logic across our CodeQL analysis of different languages.
6+
*/
7+
8+
/** Returns the minimum recommended key size for asymmetric algorithms (RSA, DSA, and DH). */
9+
int minSecureKeySizeAsymmetricNonEc() { result = 2048 }
10+
11+
/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
12+
int minSecureKeySizeAsymmetricEc() { result = 256 }
13+
14+
/** Returns the minimum recommended key size for symmetric algorithmms (AES). */
15+
int minSecureKeySizeSymmetric() { result = 128 }
