Adding a means to distinguish asymmetric algorithms.

bdrodes · bdrodes · commit 28ccc833464e · 2025-04-28T11:33:37.000-04:00
diff --git a/shared/cryptography/codeql/cryptography/Model.qll b/shared/cryptography/codeql/cryptography/Model.qll
@@ -2122,6 +2122,12 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      */
     KeyOpAlg::Algorithm getAlgorithmType() { result = instance.asAlg().getAlgorithmType() }
 
+    predicate isAsymmetric() {
+      this.getAlgorithmType() instanceof KeyOpAlg::TAsymmetricCipher
+      or
+      this.getAlgorithmType() instanceof KeyOpAlg::TSignature
+    }
+
     /**
      * Gets the mode of operation of this cipher, e.g., "GCM" or "CBC".
      */
@@ -2442,4 +2448,11 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       location = this.getLocation()
     }
   }
+
+  predicate isAsymmetricAlgorithm(AlgorithmNode node) {
+    node instanceof EllipticCurveNode
+    or
+    node instanceof KeyOperationAlgorithmNode and node.(KeyOperationAlgorithmNode).isAsymmetric()
+    // TODO: get unknown algorithms from known asymmetric operations
+  }
 }
