Merge pull request github#10785 from jcogs33/insuff-key-size-globalflow-keysize

Java: Promote insufficient key size query from experimental

Author: jcogs33

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -88,6 +88,22 @@ class KeyPairGenerator extends RefType {
   KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") }
 }
 
+/** The `init` method declared in `javax.crypto.KeyGenerator`. */
+class KeyGeneratorInitMethod extends Method {
+  KeyGeneratorInitMethod() {
+    this.getDeclaringType() instanceof KeyGenerator and
+    this.hasName("init")
+  }
+}
+
+/** The `initialize` method declared in `java.security.KeyPairGenerator`. */
+class KeyPairGeneratorInitMethod extends Method {
+  KeyPairGeneratorInitMethod() {
+    this.getDeclaringType() instanceof KeyPairGenerator and
+    this.hasName("initialize")
+  }
+}
+
 /** The `verify` method of the class `javax.net.ssl.HostnameVerifier`. */
 class HostnameVerifierVerify extends Method {
   HostnameVerifierVerify() {
@@ -367,8 +383,8 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
   override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) }
 }
 
-/** A method call to the Java class `java.security.KeyPairGenerator`. */
-class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
+/** A call to the `getInstance` method declared in `java.security.KeyPairGenerator`. */
+class JavaSecurityKeyPairGenerator extends JavaSecurityAlgoSpec {
   JavaSecurityKeyPairGenerator() {
     exists(Method m | m.getAReference() = this |
       m.getDeclaringType() instanceof KeyPairGenerator and
@@ -378,3 +394,53 @@ class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
 
   override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
 }
+
+/** The Java class `java.security.AlgorithmParameterGenerator`. */
+class AlgorithmParameterGenerator extends RefType {
+  AlgorithmParameterGenerator() {
+    this.hasQualifiedName("java.security", "AlgorithmParameterGenerator")
+  }
+}
+
+/** The `init` method declared in `java.security.AlgorithmParameterGenerator`. */
+class AlgoParamGeneratorInitMethod extends Method {
+  AlgoParamGeneratorInitMethod() {
+    this.getDeclaringType() instanceof AlgorithmParameterGenerator and
+    this.hasName("init")
+  }
+}
+
+/** A call to the `getInstance` method declared in `java.security.AlgorithmParameterGenerator`. */
+class JavaSecurityAlgoParamGenerator extends JavaSecurityAlgoSpec {
+  JavaSecurityAlgoParamGenerator() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType() instanceof AlgorithmParameterGenerator and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
+
+/** An implementation of the `java.security.spec.AlgorithmParameterSpec` interface. */
+abstract class AlgorithmParameterSpec extends RefType { }
+
+/** The Java class `java.security.spec.ECGenParameterSpec`. */
+class EcGenParameterSpec extends AlgorithmParameterSpec {
+  EcGenParameterSpec() { this.hasQualifiedName("java.security.spec", "ECGenParameterSpec") }
+}
+
+/** The Java class `java.security.spec.RSAKeyGenParameterSpec`. */
+class RsaKeyGenParameterSpec extends AlgorithmParameterSpec {
+  RsaKeyGenParameterSpec() { this.hasQualifiedName("java.security.spec", "RSAKeyGenParameterSpec") }
+}
+
+/** The Java class `java.security.spec.DSAGenParameterSpec`. */
+class DsaGenParameterSpec extends AlgorithmParameterSpec {
+  DsaGenParameterSpec() { this.hasQualifiedName("java.security.spec", "DSAGenParameterSpec") }
+}
+
+/** The Java class `javax.crypto.spec.DHGenParameterSpec`. */
+class DhGenParameterSpec extends AlgorithmParameterSpec {
+  DhGenParameterSpec() { this.hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec") }
+}

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll

@@ -0,0 +1,193 @@
+/** Provides classes and predicates related to insufficient key sizes in Java. */
+
+private import semmle.code.java.security.Encryption
+private import semmle.code.java.dataflow.DataFlow
+
+/** A source for an insufficient key size. */
+abstract class InsufficientKeySizeSource extends DataFlow::Node {
+  /** Holds if this source has the specified `state`. */
+  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+}
+
+/** A sink for an insufficient key size. */
+abstract class InsufficientKeySizeSink extends DataFlow::Node {
+  /** Holds if this sink has the specified `state`. */
+  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+}
+
+/** Provides models for asymmetric cryptography. */
+private module Asymmetric {
+  /** Provides models for non-elliptic-curve asymmetric cryptography. */
+  private module NonEllipticCurve {
+    /** A source for an insufficient key size used in RSA, DSA, and DH algorithms. */
+    private class Source extends InsufficientKeySizeSource {
+      Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
+
+      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+    }
+
+    /** A sink for an insufficient key size used in RSA, DSA, and DH algorithms. */
+    private class Sink extends InsufficientKeySizeSink {
+      Sink() {
+        exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
+          kpg.getAlgoName().matches(["RSA", "DSA", "DH"]) and
+          DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
+          this.asExpr() = kpgInit.getKeySizeArg()
+        )
+        or
+        exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+      }
+
+      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+    }
+
+    /** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
+    private int getMinKeySize() { result = 2048 }
+
+    /** An instance of an RSA, DSA, or DH algorithm specification. */
+    private class Spec extends ClassInstanceExpr {
+      Spec() {
+        this.getConstructedType() instanceof RsaKeyGenParameterSpec or
+        this.getConstructedType() instanceof DsaGenParameterSpec or
+        this.getConstructedType() instanceof DhGenParameterSpec
+      }
+
+      /** Gets the `keysize` argument of this instance. */
+      Argument getKeySizeArg() { result = this.getArgument(0) }
+    }
+  }
+
+  /** Provides models for elliptic-curve asymmetric cryptography. */
+  private module EllipticCurve {
+    /** A source for an insufficient key size used in elliptic curve (EC) algorithms. */
+    private class Source extends InsufficientKeySizeSource {
+      Source() {
+        this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize()
+        or
+        // the below is needed for cases when the key size is embedded in the curve name
+        getKeySize(this.asExpr().(StringLiteral).getValue()) < getMinKeySize()
+      }
+
+      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+    }
+
+    /** A sink for an insufficient key size used in elliptic curve (EC) algorithms. */
+    private class Sink extends InsufficientKeySizeSink {
+      Sink() {
+        exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
+          kpg.getAlgoName().matches("EC%") and
+          DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
+          this.asExpr() = kpgInit.getKeySizeArg()
+        )
+        or
+        exists(Spec s | this.asExpr() = s.getKeySizeArg())
+      }
+
+      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+    }
+
+    /** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
+    private int getMinKeySize() { result = 256 }
+
+    /** Returns the key size from an EC algorithm's curve name string */
+    bindingset[algorithm]
+    private int getKeySize(string algorithm) {
+      algorithm.matches("sec%") and // specification such as "secp256r1"
+      result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
+      or
+      algorithm.matches("X9.62%") and // specification such as "X9.62 prime192v2"
+      result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+      or
+      algorithm.matches(["prime%", "c2tnb%"]) and // specification such as "prime192v2"
+      result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+    }
+
+    /** An instance of an elliptic curve (EC) algorithm specification. */
+    private class Spec extends ClassInstanceExpr {
+      Spec() { this.getConstructedType() instanceof EcGenParameterSpec }
+
+      /** Gets the `keysize` argument of this instance. */
+      Argument getKeySizeArg() { result = this.getArgument(0) }
+    }
+  }
+
+  /**
+   * A call to the `initialize` method declared in `java.security.KeyPairGenerator`
+   * or to the `init` method declared in `java.security.AlgorithmParameterGenerator`.
+   */
+  private class KeyPairGenInit extends MethodAccess {
+    KeyPairGenInit() {
+      this.getMethod() instanceof KeyPairGeneratorInitMethod or
+      this.getMethod() instanceof AlgoParamGeneratorInitMethod
+    }
+
+    /** Gets the `keysize` argument of this call. */
+    Argument getKeySizeArg() { result = this.getArgument(0) }
+  }
+
+  /**
+   * An instance of a `java.security.KeyPairGenerator`
+   * or of a `java.security.AlgorithmParameterGenerator`.
+   */
+  private class KeyPairGen extends GeneratorAlgoSpec {
+    KeyPairGen() {
+      this instanceof JavaSecurityKeyPairGenerator or
+      this instanceof JavaSecurityAlgoParamGenerator
+    }
+
+    override Expr getAlgoSpec() {
+      result =
+        [
+          this.(JavaSecurityKeyPairGenerator).getAlgoSpec(),
+          this.(JavaSecurityAlgoParamGenerator).getAlgoSpec()
+        ]
+    }
+  }
+}
+
+/** Provides models for symmetric cryptography. */
+private module Symmetric {
+  /** A source for an insufficient key size used in AES algorithms. */
+  private class Source extends InsufficientKeySizeSource {
+    Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
+
+    override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+  }
+
+  /** A sink for an insufficient key size used in AES algorithms. */
+  private class Sink extends InsufficientKeySizeSink {
+    Sink() {
+      exists(KeyGenInit kgInit, KeyGen kg |
+        kg.getAlgoName() = "AES" and
+        DataFlow::localExprFlow(kg, kgInit.getQualifier()) and
+        this.asExpr() = kgInit.getKeySizeArg()
+      )
+    }
+
+    override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+  }
+
+  /** Returns the minimum recommended key size for AES algorithms. */
+  private int getMinKeySize() { result = 128 }
+
+  /** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
+  private class KeyGenInit extends MethodAccess {
+    KeyGenInit() { this.getMethod() instanceof KeyGeneratorInitMethod }
+
+    /** Gets the `keysize` argument of this call. */
+    Argument getKeySizeArg() { result = this.getArgument(0) }
+  }
+
+  /** An instance of a `javax.crypto.KeyGenerator`. */
+  private class KeyGen extends GeneratorAlgoSpec instanceof JavaxCryptoKeyGenerator {
+    override Expr getAlgoSpec() { result = JavaxCryptoKeyGenerator.super.getAlgoSpec() }
+  }
+}
+
+/** An instance of a generator that specifies an encryption algorithm. */
+abstract private class GeneratorAlgoSpec extends CryptoAlgoSpec {
+  /** Returns an uppercase string representing the algorithm name specified by this generator object. */
+  string getAlgoName() {
+    result = this.getAlgoSpec().(CompileTimeConstantExpr).getStringValue().toUpperCase()
+  }
+}

java/ql/lib/semmle/code/java/security/InsufficientKeySizeQuery.qll

@@ -0,0 +1,17 @@
+/** Provides data flow configurations to be used in queries related to insufficient key sizes. */
+
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.InsufficientKeySize
+
+/** A data flow configuration for tracking key sizes used in cryptographic algorithms. */
+class KeySizeConfiguration extends DataFlow::Configuration {
+  KeySizeConfiguration() { this = "KeySizeConfiguration" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
+    source.(InsufficientKeySizeSource).hasState(state)
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
+    sink.(InsufficientKeySizeSink).hasState(state)
+  }
+}

java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.qhelp

@@ -0,0 +1,55 @@
+<!DOCTYPE qhelp PUBLIC
+    "-//Semmle//qhelp//EN"
+    "qhelp.dtd">
+<qhelp>
+
+    <overview>
+        <p>Modern encryption relies on the computational infeasibility of breaking a cipher and decoding its
+        message without the key. As computational power increases, the ability to break ciphers grows, and key
+        sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are
+        vulnerable to brute force attacks, which can reveal sensitive data.</p>
+    </overview>
+
+    <recommendation>
+        <p>Use a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption,
+        256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.</p>
+    </recommendation>
+
+    <example>
+
+          <p>
+               The following code uses cryptographic algorithms with insufficient key sizes.
+          </p>
+
+          <sample src="InsufficientKeySizeBad.java" />
+
+           <p>
+               To fix the code, change the key sizes to be the recommended size or
+               larger for each algorithm.
+          </p>
+
+     </example>
+
+    <references>
+        <li>
+            Wikipedia:
+            <a href="http://en.wikipedia.org/wiki/Key_size">Key size</a>.
+        </li>
+        <li>
+            Wikipedia: <a href="https://en.wikipedia.org/wiki/Strong_cryptography">Strong cryptography</a>.
+        </li>
+        <li>
+            OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms">
+            Cryptographic Storage Cheat Sheet</a>.
+        </li>
+        <li>
+            OWASP: <a href="https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption">
+            Testing for Weak Encryption</a>.
+        </li>
+        <li>
+            NIST:
+            <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf">
+            Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.
+        </li>
+    </references>
+</qhelp>

java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Use of a cryptographic algorithm with insufficient key size
+ * @description Using cryptographic algorithms with too small a key size can
+ *              allow an attacker to compromise security.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id java/insufficient-key-size
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import java
+import semmle.code.java.security.InsufficientKeySizeQuery
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, KeySizeConfiguration cfg
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "This $@ is less than the recommended key size of " + source.getState() + " bits.",
+  source.getNode(), "key size"

java/ql/src/Security/CWE/CWE-326/InsufficientKeySizeBad.java

@@ -0,0 +1,15 @@
+    KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
+    keyPairGen1.initialize(1024); // BAD: Key size is less than 2048
+
+    KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
+    keyPairGen2.initialize(1024); // BAD: Key size is less than 2048
+
+    KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
+    keyPairGen3.initialize(1024); // BAD: Key size is less than 2048
+
+    KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC");
+    ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // BAD: Key size is less than 256
+    keyPairGen4.initialize(ecSpec);
+
+    KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+    keyGen.init(64); // BAD: Key size is less than 128

java/ql/src/change-notes/2022-10-19-insufficient-key-size.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* The query `java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @luchua-bc](https://github.com/github/codeql/pull/4926).