Refactor the hasShortSymmetricKey method

2026-04-30 11:15:13 +02:00 · 2021-01-09 13:48:29 +00:00
parent cbaee937d0
commit 058f3af4b2
2 changed files with 14 additions and 5 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -39,7 +39,7 @@ int getECKeySize(string algorithm) {
  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
  or
  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
-  result = algorithm.regexpCapture("X9.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
 }

 /** Taint configuration tracking flow from a key generator to a `init` method call. */
@@ -74,22 +74,26 @@ class KeyPairGeneratorInitConfiguration extends TaintTracking::Configuration {
  }
 }

-/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
-predicate hasShortAESKey(MethodAccess ma, string msg) {
+/** Holds if a symmetric `KeyGenerator` is initialized with an insufficient key size. */
+bindingset[type]
+predicate hasShortSymmetricKey(MethodAccess ma, string msg, string type) {
  ma.getMethod() instanceof KeyGeneratorInitMethod and
  exists(
    JavaxCryptoKeyGenerator jcg, KeyGeneratorInitConfiguration cc, DataFlow::PathNode source,
    DataFlow::PathNode dest
  |
-    jcg.getAlgoSpec().(StringLiteral).getValue() = "AES" and
+    jcg.getAlgoSpec().(StringLiteral).getValue() = type and
    source.getNode().asExpr() = jcg and
    dest.getNode().asExpr() = ma.getQualifier() and
    cc.hasFlowPath(source, dest)
  ) and
  ma.getArgument(0).(IntegerLiteral).getIntValue() < 128 and
-  msg = "Key size should be at least 128 bits for AES encryption."
+  msg = "Key size should be at least 128 bits for " + type + " encryption."
 }

+/** Holds if an AES `KeyGenerator` is initialized with an insufficient key size. */
+predicate hasShortAESKey(MethodAccess ma, string msg) { hasShortSymmetricKey(ma, msg, "AES") }
+
 /** Holds if an asymmetric `KeyPairGenerator` is initialized with an insufficient key size. */
 bindingset[type]
 predicate hasShortAsymmetricKeyPair(MethodAccess ma, string msg, string type) {
--- a/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-326/InsufficientKeySize.java
@@ -56,5 +56,10 @@ public class InsufficientKeySize {
        // BAD: Key size is less than 224
        ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1");
        keyPairGen10.initialize(ecSpec5);
+
+        KeyPairGenerator keyPairGen11 = KeyPairGenerator.getInstance("EC");
+        // GOOD: Key size is no less than 224
+        ECGenParameterSpec ecSpec6 = new ECGenParameterSpec("X9.62 c2tnb359v1");
+        keyPairGen11.initialize(ecSpec6);
    }
 }