Crypto: Add Java Cryptographic Analysis Queries

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+  override Crypto::EllipticCurveType getEllipticCurveType() {
     if
       Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
         _)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -72,7 +72,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override Crypto::THashType getHashFamily() {
+  override Crypto::THashType getHashType() {
     knownOpenSslConstantToHashFamilyType(this, result)
     or
     not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()

java/ql/lib/experimental/quantum/JCA.qll

@@ -426,7 +426,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getPadding() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -859,7 +859,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getValue() }
 
-    override Crypto::THashType getHashFamily() {
+    override Crypto::THashType getHashType() {
       result = hash_name_to_type_known(this.getRawHashAlgorithmName(), _)
     }
 
@@ -1095,21 +1095,6 @@ module JCAModel {
     }
   }
 
-  /**
-   * An instance of `java.security.SecureRandom.nextBytes(byte[])` call.
-   * This is already generally modeled for Java in CodeQL, but
-   * we model it again as part of the crypto API model to have a cohesive model.
-   */
-  class JavaSecuritySecureRandom extends Crypto::RandomNumberGenerationInstance instanceof Call {
-    JavaSecuritySecureRandom() {
-      this.getCallee().hasQualifiedName("java.security", "SecureRandom", "nextBytes")
-    }
-
-    override Crypto::DataFlowNode getOutputNode() { result.asExpr() = this.(Call).getArgument(0) }
-
-    override string getGeneratorName() { result = this.(Call).getCallee().getName() }
-  }
-
   class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall
   {
     Crypto::KeyArtifactType type;
@@ -1302,7 +1287,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -1770,7 +1755,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hashType }
+    override Crypto::THashType getHashType() { result = hashType }
 
     override int getFixedDigestLength() { result = digestLength }
   }
@@ -1905,7 +1890,7 @@ module JCAModel {
 
     override string getRawEllipticCurveName() { result = super.getValue() }
 
-    override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+    override Crypto::EllipticCurveType getEllipticCurveType() {
       if
         Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, _)
       then

java/ql/lib/experimental/quantum/Language.qll

@@ -93,8 +93,9 @@
   override string getAdditionalDescription() { result = this.toString() }
 }
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() {
+private class ConstantDataSourceLiteral extends Crypto::GenericConstantSourceInstance instanceof Literal
+{
+  ConstantDataSourceLiteral() {
     // TODO: this is an API specific workaround for JCA, as 'EC' is a constant that may be used
     // where typical algorithms are specified, but EC specifically means set up a
     // default curve container, that will later be specified explicitly (or if not a default)
@@ -112,6 +113,20 @@
   override string getAdditionalDescription() { result = this.toString() }
 }
 
+private class ConstantDataSourceArrayInitializer extends Crypto::GenericConstantSourceInstance instanceof ArrayInit
+{
+  ConstantDataSourceArrayInitializer() { exists(Literal l | this.getAnInit() = l) }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 /**
  * An instance of random number generation, modeled as the expression
  * tied to an output node (i.e., the result of the source of randomness)

java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Insecure nonce/iv (static value or weak random source)
+ * @id java/quantum/insecure-iv-or-nonce
+ * @description A nonce/iv is generated from a source that is not secure. This can lead to
+ *              vulnerabilities such as replay attacks or key recovery.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
+where
+  nonce.getSourceNode() = src and
+  not src.asElement() instanceof SecureRandomnessInstance
+select nonce, "Nonce or IV uses insecure or constant source $@", src, src.toString()

java/ql/src/experimental/quantum/Analysis/NonAESGCMCipher.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Cipher not AES-GCM mode
+ * @id java/quantum/non-aes-gcm
+ * @description An AES cipher is in use without GCM
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+class NonAESGCMAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
+  NonAESGCMAlgorithmNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    this.getModeOfOperation().getModeType() != Crypto::KeyOpAlg::GCM()
+  }
+}
+
+from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
+where op.getAKnownAlgorithm() instanceof NonAESGCMAlgorithmNode and
+    codeNode = op.getAnOutputArtifact()
+select op, "Non-AES-GCM instance."

java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql

@@ -4,7 +4,7 @@
  * @id java/quantum/reused-nonce
  * @kind problem
  * @problem.severity error
- * @precision medium
+ * @precision high
  * @tags quantum
  *       experimental
  */

java/ql/src/experimental/quantum/Analysis/UnknownIVorNonceInitialization.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Unknown nonce/iv initialization
+ * @id java/quantum/unknown-iv-or-nonce-initialization
+ * @description A nonce/iv is generated from a source that is not secure. Failure to initialize
+ *              an IV or nonce properly can lead to vulnerabilities such as replay attacks or key recovery.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce
+where exists(nonce.getSourceNode())
+select nonce, "Unknown (unobserved) IV/Nonce initialization."

java/ql/src/experimental/quantum/Analysis/UnknownKDFIterationCount.ql

@@ -4,7 +4,6 @@
  * @id java/quantum/unknown-kdf-iteration-count
  * @kind problem
  * @precision medium
- * @severity warning
  * @tags quantum
  *       experimental
  */

java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Weak Asymmetric Key Size
+ * @id java/quantum/weak-asymmetric-key-size
+ * @description An asymmetric cipher with a short key size is in use
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::KeyOperationAlgorithmNode op, DataFlow::Node configSrc, int keySize, string algName
+where
+  keySize = op.getKeySizeFixed() and
+  keySize < 2048 and
+  algName = op.getAlgorithmName() and
+  // Can't be an elliptic curve
+  not Crypto::isEllipticCurveAlgorithmName(algName)
+select op,
+  "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " +
+    algName.toString() + " at config source $@", configSrc, configSrc.toString()

java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Weak AES Block mode
+ * @id java/quantum/weak-block-modes
+ * @description An AES cipher is in use with an insecure block mode
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode {
+  WeakAESBlockModeAlgNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    (
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
+    )
+  }
+}
+
+from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
+where
+  op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
+  codeNode = op.getAnOutputArtifact()
+select op, "Weak AES block mode instance."

java/ql/src/experimental/quantum/Analysis/WeakHashing.ql

@@ -0,0 +1,34 @@
+/**
+ * @name Weak hashes
+ * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
+ * @id java/quantum/weak-hashes
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg
+where
+  htype = alg.getHashType() and
+  (
+    htype != Crypto::SHA2() and
+    msg = "Use of unapproved hash algorithm or API " + htype.toString() + "."
+    or
+    htype = Crypto::SHA2() and
+    not exists(alg.getDigestLength()) and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size."
+    or
+    htype = Crypto::SHA2() and
+    alg.getDigestLength() < 256 and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +
+        alg.getDigestLength() + ")."
+  )
+select alg, msg

java/ql/src/experimental/quantum/Analysis/KnownWeakKDFIterationCount.ql → java/ql/src/experimental/quantum/Analysis/WeakKDFIterationCount.ql

@@ -17,4 +17,4 @@ where
   op.getIterationCount().asElement() = l and
   l.getValue().toInt() < 100000
 select op, "Key derivation operation configures iteration count below 100k: $@", l,
-  l.getValue().toString()
+  l.getValue().toString()

java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Weak known key derivation function output length
+ * @description Detects key derivation operations with a known weak output length
+ * @id java/quantum/weak-kdf-key-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::KeyDerivationOperationNode op, Literal l
+where
+  op.getOutputKeySize().asElement() = l and
+  l.getValue().toInt() < 256
+select op, "Key derivation operation configures output key length below 256: $@", l,
+  l.getValue().toString()

java/ql/src/experimental/quantum/Analysis/WeakRSA.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Cipher is Weak RSA Implementation
+ * @id java/quantum/weak-rsa
+ * @description RSA with a key length <2048 found
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+class WeakRsaAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
+  WeakRsaAlgorithmNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TAsymmetricCipher(Crypto::KeyOpAlg::RSA()) and
+    this.getKeySizeFixed() < 2048
+  }
+}
+
+from Crypto::KeyOperationNode op, string message
+where
+  op.getAKnownAlgorithm() instanceof WeakRsaAlgorithmNode and
+  message = "Weak RSA instance found with key length <2048"
+select op, message

java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Weak symmetric ciphers
+ * @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak.
+ * @id java/quantum/weak-ciphers
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+import Crypto::KeyOpAlg as KeyOpAlg
+
+from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType, string msg
+where
+  algType = alg.getAlgorithmType() and
+  (
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
+  ) and
+  msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "."
+select alg, msg