Merge branch 'nic/crypto-test' into knewbury01/JCA-sample

Author: knewbury01

cpp/ql/lib/experimental/Quantum/Base.qll

@@ -51,7 +51,9 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      * This predicate is used by derived classes to construct the graph of cryptographic operations.
      */
     predicate properties(string key, string value, Location location) {
-      key = "origin" and location = this.getOrigin(value).getLocation()
+      key = "origin" and
+      location = this.getOrigin(value).getLocation() and
+      not location = this.getLocation()
     }
 
     /**
@@ -92,6 +94,11 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      */
     abstract string getAlgorithmName();
 
+     /**
+     * Gets the raw name of this algorithm from source (no parsing or formatting)
+     */
+    abstract string getRawAlgorithmName();
+
     final override string toString() { result = this.getAlgorithmName() }
   }
 
@@ -145,10 +152,6 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
 
     override string getAlgorithmName() { this.hashTypeToNameMapping(this.getHashType(), result) }
 
-    /**
-     * Gets the raw name of this hash algorithm from source.
-     */
-    abstract string getRawAlgorithmName();
   }
 
   /**
@@ -195,30 +198,55 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     }
   }
 
+  newtype TEllipticCurveFamilyType =
+  // We're saying by this that all of these have an identical interface / properties / edges
+  NIST() or
+  SEC() or
+  NUMS() or
+  PRIME() or
+  BRAINPOOL() or
+  CURVE25519() or
+  CURVE448() or
+  C2() or
+  SM2() or
+  ES() or
+  OtherEllipticCurveFamilyType()
+
+
   /**
    * Elliptic curve algorithm
    */
   abstract class EllipticCurve extends Algorithm {
-    abstract string getVersion(Location location);
+
 
     abstract string getKeySize(Location location);
 
+    abstract TEllipticCurveFamilyType getCurveFamilyType();
+
     override predicate properties(string key, string value, Location location) {
       super.properties(key, value, location)
       or
-      key = "version" and
-      if exists(this.getVersion(location))
-      then value = this.getVersion(location)
-      else (
-        value instanceof UnknownPropertyValue and location instanceof UnknownLocation
-      )
-      or
       key = "key_size" and
       if exists(this.getKeySize(location))
       then value = this.getKeySize(location)
       else (
         value instanceof UnknownPropertyValue and location instanceof UnknownLocation
       )
+      // other properties, like field type are possible, but not modeled until considered necessary
     }
+
+    override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase()}
+
+    /**
+     * Mandating that for Elliptic Curves specifically, users are responsible
+     * for providing as the 'raw' name, the official name of the algorithm. 
+     * Casing doesn't matter, we will enforce further naming restrictions on 
+     * `getAlgorithmName` by default. 
+     * Rationale: elliptic curve names can have a lot of variation in their components
+     * (e.g., "secp256r1" vs "P-256"), trying to produce generalized set of properties
+     * is possible to capture all cases, but such modeling is likely not necessary. 
+     * if all properties need to be captured, we can reassess how names are generated. 
+     */
+    override abstract string getRawAlgorithmName();
   }
 }

cpp/ql/lib/experimental/Quantum/BaseBackup.qll

@@ -84,16 +84,6 @@ module OpenSSLModel {
     }
   }
 
-  class TestKeyDerivationOperationHacky extends KeyDerivationOperation instanceof FunctionCall {
-    HKDF hkdf;
-
-    TestKeyDerivationOperationHacky() {
-      this.getEnclosingFunction() = hkdf.(Expr).getEnclosingFunction()
-    }
-
-    override Crypto::KeyDerivationAlgorithm getAlgorithm() { result = hkdf }
-  }
-
   class PKCS12KDF extends KeyDerivationAlgorithm, Crypto::PKCS12KDF instanceof Expr {
     KDFAlgorithmStringLiteral origin;
 

cpp/ql/lib/experimental/Quantum/OpenSSL.qll

@@ -0,0 +1,48 @@
+/**
+ * @name "Print CBOM Graph"
+ * @description "Outputs a graph representation of the cryptographic bill of materials."
+ * @kind graph
+ * @id cbomgraph
+ */
+
+import experimental.Quantum.Language
+
+string getPropertyString(Crypto::NodeBase node, string key) {
+  result =
+    strictconcat(any(string value, Location location, string parsed |
+          node.properties(key, value, location) and
+          parsed = "(" + value + "," + location.toString() + ")"
+        |
+          parsed
+        ), ","
+    )
+}
+
+string getLabel(Crypto::NodeBase node) { result = node.toString() }
+
+query predicate nodes(Crypto::NodeBase node, string key, string value) {
+  key = "semmle.label" and
+  value = getLabel(node)
+  or
+  // CodeQL's DGML output does not include a location
+  key = "Location" and
+  value = node.getLocation().toString()
+  or
+  // Known unknown edges should be reported as properties rather than edges
+  node = node.getChild(key) and
+  value = "<unknown>"
+  or
+  // Report properties
+  value = getPropertyString(node, key)
+}
+
+query predicate edges(Crypto::NodeBase source, Crypto::NodeBase target, string key, string value) {
+  key = "semmle.label" and
+  target = source.getChild(value) and
+  // Known unknowns are reported as properties rather than edges
+  not source = target
+}
+
+query predicate graphProperties(string key, string value) {
+  key = "semmle.graphKind" and value = "graph"
+}

cpp/ql/src/experimental/Quantum/CBOMGraph.ql

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+CODEQL_PATH="/Users/nicolaswill/Library/Application Support/Code/User/globalStorage/github.vscode-codeql/distribution5/codeql/codeql"
+DATABASE_PATH="/Users/nicolaswill/openssl_codeql/openssl/openssl_db"
+QUERY_FILE="CBOMGraph.ql"
+OUTPUT_DIR="graph_output"
+
+python3 generate_cbom.py -c "$CODEQL_PATH" -d "$DATABASE_PATH" -q "$QUERY_FILE" -o "$OUTPUT_DIR"