Merge branch 'main' into msgConsis

erik-krogh
2022-08-24 09:21:43 +02:00
306 changed files with 14239 additions and 3497 deletions


@@ -8,6 +8,7 @@
* @precision high
* @id java/polynomial-redos
* @tags security
* external/cwe/cwe-1333
* external/cwe/cwe-730
* external/cwe/cwe-400
*/


@@ -9,6 +9,7 @@
* @precision high
* @id java/redos
* @tags security
* external/cwe/cwe-1333
* external/cwe/cwe-730
* external/cwe/cwe-400
*/


@@ -0,0 +1,7 @@
// BAD: No padding scheme is used
Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
...
//GOOD: OAEP padding is used
Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
...
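Review bot: The GOOD case in the second `Cipher.getInstance` call pins SHA-1 as the OAEP digest, and sample code in query help tends to be copied as-is. OAEP with SHA-1 is not known to be broken, but many crypto policies no longer allow SHA-1 in new code, so I would show `Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");` instead. With the default JDK provider the MGF1 digest may still default to SHA-1 unless an `OAEPParameterSpec` is passed to `init`, which is worth a one-line comment in the sample. Minor style: `//GOOD:` lacks the space that `// BAD:` has.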


@@ -0,0 +1,27 @@
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption.
Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.
</p>
</overview>
<recommendation>
<p>Use the OAEP scheme when using RSA encryption.</p>
</recommendation>
<example>
<p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
<sample src="RsaWithoutOaep.java" />
</example>
<references>
<li>
<a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
</li>
<li>
<a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
</li>
</references>
</qhelp>


@@ -0,0 +1,20 @@
/**
* @name Use of RSA algorithm without OAEP
* @description Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption.
* @kind path-problem
* @problem.severity warning
* @security-severity 7.5
* @precision high
* @id java/rsa-without-oaep
* @tags security
* external/cwe/cwe-780
*/
import java
import semmle.code.java.security.RsaWithoutOaepQuery
import DataFlow::PathGraph
from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink)
select source, source, sink,
"This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"

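Review bot: The `@description` attributes every finding to a padding oracle, but the sample added in this commit flags `RSA/ECB/NoPadding`, where there is no padding to validate; the weakness in that case is that unpadded RSA is deterministic and malleable. Padding oracles apply to the PKCS#1 v1.5 case that the accompanying help text also mentions. I would reword it to `@description Using RSA encryption without OAEP padding weakens the encryption: unpadded RSA is deterministic and malleable, and PKCS#1 v1.5 padding is exposed to padding oracle attacks.` The flow configuration `RsaWithoutOaepConfig` is imported from a library that is not shown here, so which specifications it treats as sinks could not be checked.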

@@ -1,96 +0,0 @@
import java
import SensitiveApi
/**
* An array creation expression of type `byte[]` with
* an initializer containing only compile time constant
* expressions (and at least one such expression).
*/
private class HardcodedByteArray extends ArrayCreationExpr {
HardcodedByteArray() {
getType().(Array).getElementType().(PrimitiveType).getName() = "byte" and
forex(Expr elem | elem = getInit().getAChildExpr() | elem instanceof CompileTimeConstantExpr)
}
}
/**
* An array creation expression of type `char[]` with
* an initializer containing only compile time constant
* expressions (and at least one such expression).
*/
private class HardcodedCharArray extends ArrayCreationExpr {
HardcodedCharArray() {
getType().(Array).getElementType().(PrimitiveType).getName() = "char" and
forex(Expr elem | elem = getInit().getAChildExpr() | elem instanceof CompileTimeConstantExpr)
}
}
/**
* An expression that is either a non-empty string literal or a
* hard-coded `byte` or `char` array.
*/
class HardcodedExpr extends Expr {
HardcodedExpr() {
this.(StringLiteral).getValue() != "" or
this instanceof HardcodedByteArray or
this instanceof HardcodedCharArray
}
}
/**
* An argument to a sensitive call, expected to contain credentials.
*/
abstract class CredentialsSink extends Expr {
Call getSurroundingCall() { this = result.getAnArgument() }
}
/**
* An argument to a sensitive call of a known API,
* expected to contain username, password or cryptographic key
* credentials.
*/
class CredentialsApiSink extends CredentialsSink {
CredentialsApiSink() {
exists(Call call, int i |
this = call.getArgument(i) and
(
javaApiCallableUsernameParam(call.getCallee(), i) or
javaApiCallablePasswordParam(call.getCallee(), i) or
javaApiCallableCryptoKeyParam(call.getCallee(), i) or
otherApiCallableCredentialParam(call.getCallee(), i)
)
)
}
}
/**
* A variable whose name indicates that it may hold a password.
*/
class PasswordVariable extends Variable {
PasswordVariable() {
getName().regexpMatch("(?i)(encrypted|old|new)?pass(wd|word|code|phrase)(chars|value)?")
}
}
/**
* A variable whose name indicates that it may hold a user name.
*/
class UsernameVariable extends Variable {
UsernameVariable() { getName().regexpMatch("(?i)(user|username)") }
}
/**
* An argument to a call, where the parameter name corresponding
* to the argument indicates that it may contain credentials.
*/
class CredentialsSourceSink extends CredentialsSink {
CredentialsSourceSink() {
exists(Call call, int i |
this = call.getArgument(i) and
(
call.getCallee().getParameter(i) instanceof UsernameVariable or
call.getCallee().getParameter(i) instanceof PasswordVariable
)
)
}
}


@@ -10,55 +10,9 @@
* external/cwe/cwe-798
*/
import java
import semmle.code.java.dataflow.DataFlow
import HardcodedCredentials
import semmle.code.java.security.HardcodedCredentialsApiCallQuery
import DataFlow::PathGraph
class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
HardcodedCredentialApiCallConfiguration() { this = "HardcodedCredentialApiCallConfiguration" }
override predicate isSource(DataFlow::Node n) {
n.asExpr() instanceof HardcodedExpr and
not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
}
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
node1.asExpr().getType() instanceof TypeString and
(
exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
node2.asExpr() = ma and
ma.getQualifier() = node1.asExpr()
)
or
// These base64 routines are usually taint propagators, and this is not a general
// TaintTracking::Configuration, so we must specifically include them here
// as a common transform applied to a constant before passing to a remote API.
exists(MethodAccess ma |
ma.getMethod()
.hasQualifiedName([
"java.util", "cn.hutool.core.codec", "org.apache.shiro.codec",
"apache.commons.codec.binary", "org.springframework.util"
], ["Base64$Encoder", "Base64$Decoder", "Base64", "Base64Utils"],
[
"encode", "encodeToString", "decode", "decodeBase64", "encodeBase64",
"encodeBase64Chunked", "encodeBase64String", "encodeBase64URLSafe",
"encodeBase64URLSafeString"
])
|
node1.asExpr() = ma.getArgument(0) and
node2.asExpr() = ma
)
)
}
override predicate isBarrier(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod() instanceof MethodSystemGetenv
}
}
from
DataFlow::PathNode source, DataFlow::PathNode sink, HardcodedCredentialApiCallConfiguration conf
where conf.hasFlowPath(source, sink)
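Review bot: The Base64 package list in the `isAdditionalFlowStep` body shown in this section contains `"apache.commons.codec.binary"`, which lacks the `org.` prefix, so `hasQualifiedName` would never match Apache Commons Codec and hard-coded credentials passed through its `Base64` helpers would go unreported. Judging by the hunk counts, the configuration class is being moved out of this query into `semmle.code.java.security.HardcodedCredentialsApiCallQuery`, which is not visible here. If the list was copied verbatim, the entry in the new library should read `"org.apache.commons.codec.binary"`. A test case that routes a constant through `org.apache.commons.codec.binary.Base64.encodeBase64String` would confirm the fix.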


@@ -11,17 +11,8 @@
*/
import java
import HardcodedCredentials
class EqualsAccess extends MethodAccess {
EqualsAccess() { getMethod() instanceof EqualsMethod }
}
import semmle.code.java.security.HardcodedCredentialsComparison
from EqualsAccess sink, HardcodedExpr source, PasswordVariable p
where
source = sink.getQualifier() and
p.getAnAccess() = sink.getArgument(0)
or
source = sink.getArgument(0) and
p.getAnAccess() = sink.getQualifier()
where isHardcodedCredentialsComparison(sink, source, p)
select source, "Hard-coded value is $@ with password variable $@.", sink, "compared", p, p.getName()


@@ -11,41 +11,9 @@
*/
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow2
import HardcodedCredentials
import semmle.code.java.security.HardcodedCredentialsSourceCallQuery
import DataFlow::PathGraph
class HardcodedCredentialSourceCallConfiguration extends DataFlow::Configuration {
HardcodedCredentialSourceCallConfiguration() {
this = "HardcodedCredentialSourceCallConfiguration"
}
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof HardcodedExpr }
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof FinalCredentialsSourceSink }
}
class HardcodedCredentialSourceCallConfiguration2 extends DataFlow2::Configuration {
HardcodedCredentialSourceCallConfiguration2() {
this = "HardcodedCredentialSourceCallConfiguration2"
}
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof CredentialsSourceSink }
override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsSink }
}
class FinalCredentialsSourceSink extends CredentialsSourceSink {
FinalCredentialsSourceSink() {
not exists(HardcodedCredentialSourceCallConfiguration2 conf, CredentialsSink other |
this != other
|
conf.hasFlow(DataFlow::exprNode(this), DataFlow::exprNode(other))
)
}
}
from
DataFlow::PathNode source, DataFlow::PathNode sink,
HardcodedCredentialSourceCallConfiguration conf


@@ -11,11 +11,8 @@
*/
import java
import HardcodedCredentials
import semmle.code.java.security.HardcodedPasswordField
from PasswordVariable f, CompileTimeConstantExpr e
where
f instanceof Field and
f.getAnAssignedValue() = e and
not e.(StringLiteral).getValue() = ""
where passwordFieldAssignedHardcodedValue(f, e)
select f, "Sensitive field is assigned a hard-coded $@.", e, "value"


@@ -1,443 +0,0 @@
import java
/**
* Holds if callable `c` from a standard Java API expects a password parameter at index `i`.
*/
predicate javaApiCallablePasswordParam(Callable c, int i) {
exists(c.getParameter(i)) and
javaApiCallablePasswordParam(c.getDeclaringType().getQualifiedName() + ";" +
c.getStringSignature() + ";" + i)
}
private predicate javaApiCallablePasswordParam(string s) {
// Auto-generated using an auxiliary query run on the JDK source code.
s =
[
"com.sun.crypto.provider.JceKeyStore;engineLoad(InputStream, char[]);1",
"com.sun.crypto.provider.JceKeyStore;engineGetKey(String, char[]);1",
"com.sun.net.ssl.KeyManagerFactory;init(KeyStore, char[]);1",
"sun.tools.jconsole.JConsole;addUrl(String, String, String, boolean);2",
"sun.tools.jconsole.JConsole;addHost(String, int, String, String, boolean);3",
"sun.tools.jconsole.JConsole;showConnectDialog(String, String, int, String, String, String);4",
"sun.tools.jconsole.JConsole;failed(Exception, String, String, String);3",
"sun.tools.jconsole.ProxyClient;getCacheKey(String, String, String);2",
"sun.tools.jconsole.ProxyClient;setParameters(JMXServiceURL, String, String);2",
"sun.tools.jconsole.ProxyClient;ProxyClient(String, String, String);2",
"sun.tools.jconsole.ProxyClient;ProxyClient(String, int, String, String);3",
"sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);3",
"sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);2",
"com.sun.net.ssl.KeyManagerFactorySpi;engineInit(KeyStore, char[]);1",
"sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);3",
"com.sun.net.ssl.KeyManagerFactorySpiWrapper;engineInit(KeyStore, char[]);1",
"com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.PrivateKeyResolver;PrivateKeyResolver(KeyStore, char[]);1",
"com.sun.org.apache.xml.internal.security.keys.keyresolver.implementations.SecretKeyResolver;SecretKeyResolver(KeyStore, char[]);1",
"com.sun.rowset.JdbcRowSetImpl;JdbcRowSetImpl(String, String, String);2",
"com.sun.rowset.JdbcRowSetImpl;setPassword(String);0",
"com.sun.security.auth.module.JndiLoginModule;verifyPassword(String, String);1",
"com.sun.security.auth.module.JndiLoginModule;verifyPassword(String, String);0",
"com.sun.security.ntlm.Client;Client(String, String, String, String, char[]);4",
"com.sun.crypto.provider.JceKeyStore;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"com.sun.security.ntlm.NTLM;getP2(char[]);0", "com.sun.security.ntlm.NTLM;getP1(char[]);0",
"com.sun.security.sasl.digest.DigestMD5Base;generateResponseValue(String, String, String, String, String, char[], byte[], byte[], int, byte[]);5",
"com.sun.security.sasl.digest.DigestMD5Server;generateResponseAuth(String, char[], byte[], int, byte[]);1",
"com.sun.tools.internal.ws.wscompile.AuthInfo;AuthInfo(URL, String, String);2",
"java.net.PasswordAuthentication;PasswordAuthentication(String, char[]);1",
"java.security.KeyStore;setKeyEntry(String, Key, char[], Certificate[]);2",
"java.security.KeyStore;store(OutputStream, char[]);1",
"java.security.KeyStore;getKey(String, char[]);1",
"java.security.KeyStore;load(InputStream, char[]);1",
"com.sun.crypto.provider.JceKeyStore;engineStore(OutputStream, char[]);1",
"java.security.KeyStore$PasswordProtection;PasswordProtection(char[], String, AlgorithmParameterSpec);0",
"java.security.KeyStore$PasswordProtection;PasswordProtection(char[]);0",
"java.security.KeyStoreSpi;engineStore(OutputStream, char[]);1",
"java.security.KeyStoreSpi;engineLoad(InputStream, char[]);1",
"java.security.KeyStoreSpi;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"java.security.KeyStoreSpi;engineGetKey(String, char[]);1",
"java.sql.DriverManager;getConnection(String, String, String);2",
"javax.crypto.spec.PBEKeySpec;PBEKeySpec(char[], byte[], int);0",
"javax.crypto.spec.PBEKeySpec;PBEKeySpec(char[], byte[], int, int);0",
"javax.crypto.spec.PBEKeySpec;PBEKeySpec(char[]);0",
"com.sun.crypto.provider.JceKeyStore;getPreKeyedHash(char[]);0",
"javax.net.ssl.KeyManagerFactory;init(KeyStore, char[]);1",
"javax.net.ssl.KeyManagerFactorySpi;engineInit(KeyStore, char[]);1",
"javax.security.auth.callback.PasswordCallback;setPassword(char[]);0",
"javax.security.auth.kerberos.KerberosKey;KerberosKey(KerberosPrincipal, char[], String);1",
"javax.security.auth.kerberos.KeyImpl;KeyImpl(KerberosPrincipal, char[], String);1",
"javax.sql.ConnectionPoolDataSource;getPooledConnection(String, String);1",
"javax.sql.DataSource;getConnection(String, String);1",
"javax.sql.RowSet;setPassword(String);0",
"javax.sql.XADataSource;getXAConnection(String, String);1",
"sun.net.ftp.FtpClient;login(String, char[]);1",
"com.sun.crypto.provider.KeyProtector;KeyProtector(char[]);0",
"sun.net.ftp.FtpClient;login(String, char[], String);1",
"sun.net.ftp.impl.FtpClient;login(String, char[], String);1",
"sun.net.ftp.impl.FtpClient;login(String, char[]);1",
"sun.net.ftp.impl.FtpClient;tryLogin(String, char[]);1",
"sun.net.www.protocol.http.DigestAuthentication;encode(String, char[], MessageDigest);1",
"sun.net.www.protocol.http.DigestAuthentication;computeDigest(boolean, String, char[], String, String, String, String, String, String);2",
"sun.security.krb5.EncryptionKey;acquireSecretKey(char[], String, int, byte[]);0",
"sun.security.krb5.EncryptionKey;stringToKey(char[], String, byte[], int);0",
"sun.security.krb5.EncryptionKey;EncryptionKey(char[], String, String);0",
"sun.security.krb5.EncryptionKey;acquireSecretKeys(char[], String);0",
"com.sun.crypto.provider.PBKDF2KeyImpl;deriveKey(Mac, byte[], byte[], int, int);1",
"sun.security.krb5.EncryptionKey;acquireSecretKey(PrincipalName, char[], int, SaltAndParams);1",
"sun.security.krb5.KrbAsRep;decryptUsingPassword(char[], KrbAsReq, PrincipalName);0",
"sun.security.krb5.internal.crypto.Aes128;stringToKey(char[], String, byte[]);0",
"sun.security.krb5.internal.crypto.Aes256;stringToKey(char[], String, byte[]);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;stringToKey(char[]);0",
"sun.security.krb5.internal.crypto.Des;char_to_key(char[]);0",
"sun.security.krb5.internal.crypto.Des;string_to_key_bytes(char[]);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;stringToKey(char[], String, byte[]);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;stringToKey(char[]);0",
"sun.security.pkcs11.P11KeyStore;engineLoad(InputStream, char[]);1",
"com.sun.crypto.provider.PBKDF2KeyImpl;getPasswordBytes(char[]);0",
"sun.security.pkcs11.P11KeyStore;engineGetKey(String, char[]);1",
"sun.security.pkcs11.P11KeyStore;engineStore(OutputStream, char[]);1",
"sun.security.pkcs11.P11KeyStore;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"sun.security.pkcs11.P11KeyStore$PasswordCallbackHandler;PasswordCallbackHandler(char[]);0",
"sun.security.pkcs11.Secmod$KeyStoreLoadParameter;KeyStoreLoadParameter(TrustType, char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;engineGetKey(String, char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;calculateMac(char[], byte[]);0",
"sun.security.pkcs12.PKCS12KeyStore;encryptContent(byte[], char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;loadSafeContents(DerInputStream, char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"com.sun.istack.internal.tools.DefaultAuthenticator$AuthInfo;AuthInfo(URL, String, String);2",
"sun.security.pkcs12.PKCS12KeyStore;engineStore(OutputStream, char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;engineLoad(InputStream, char[]);1",
"sun.security.pkcs12.PKCS12KeyStore;getPBEKey(char[]);0",
"sun.security.pkcs12.PKCS12KeyStore;createEncryptedData(char[]);0",
"sun.security.provider.DomainKeyStore;engineGetKey(String, char[]);1",
"sun.security.provider.DomainKeyStore;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"sun.security.provider.DomainKeyStore;engineStore(OutputStream, char[]);1",
"sun.security.provider.DomainKeyStore;engineLoad(InputStream, char[]);1",
"sun.security.provider.JavaKeyStore;engineSetKeyEntry(String, Key, char[], Certificate[]);2",
"sun.security.provider.JavaKeyStore;engineLoad(InputStream, char[]);1",
"com.sun.net.httpserver.BasicAuthenticator;checkCredentials(String, String);1",
"sun.security.provider.JavaKeyStore;getPreKeyedHash(char[]);0",
"sun.security.provider.JavaKeyStore;engineGetKey(String, char[]);1",
"sun.security.provider.JavaKeyStore;engineStore(OutputStream, char[]);1",
"sun.security.provider.KeyProtector;KeyProtector(char[]);0",
"sun.security.ssl.KeyManagerFactoryImpl$SunX509;engineInit(KeyStore, char[]);1",
"sun.security.ssl.KeyManagerFactoryImpl$X509;engineInit(KeyStore, char[]);1",
"sun.security.ssl.SunX509KeyManagerImpl;SunX509KeyManagerImpl(KeyStore, char[]);1",
"sun.security.tools.keytool.Main;getNewPasswd(String, char[]);1",
"sun.tools.jconsole.ConnectDialog;setConnectionParameters(String, String, int, String, String, String);4",
"sun.tools.jconsole.JConsole;addHost(String, int, String, String);3"
]
}
/**
* Holds if callable `c` from a standard Java API expects a username parameter at index `i`.
*/
predicate javaApiCallableUsernameParam(Callable c, int i) {
exists(c.getParameter(i)) and
javaApiCallableUsernameParam(c.getDeclaringType().getQualifiedName() + ";" +
c.getStringSignature() + ";" + i)
}
private predicate javaApiCallableUsernameParam(string s) {
// Auto-generated using an auxiliary query run on the JDK source code.
s =
[
"com.sun.istack.internal.tools.DefaultAuthenticator$AuthInfo;AuthInfo(URL, String, String);1",
"com.sun.jndi.ldap.DigestClientId;DigestClientId(int, String, int, String, Control[], OutputStream, String, String, Object, Hashtable<?,?>);7",
"com.sun.security.sasl.digest.DigestMD5Server;generateResponseAuth(String, char[], byte[], int, byte[]);0",
"com.sun.tools.internal.ws.wscompile.AuthInfo;AuthInfo(URL, String, String);1",
"java.net.PasswordAuthentication;PasswordAuthentication(String, char[]);0",
"java.sql.DriverManager;getConnection(String, String, String);1",
"javax.print.attribute.standard.JobOriginatingUserName;JobOriginatingUserName(String, Locale);0",
"javax.print.attribute.standard.RequestingUserName;RequestingUserName(String, Locale);0",
"javax.sql.ConnectionPoolDataSource;getPooledConnection(String, String);0",
"javax.sql.DataSource;getConnection(String, String);0",
"javax.sql.XADataSource;getXAConnection(String, String);0",
"sun.jvmstat.perfdata.monitor.protocol.local.LocalVmManager;LocalVmManager(String);0",
"com.sun.jndi.ldap.LdapClient;getInstance(boolean, String, int, String, int, int, OutputStream, int, String, Control[], String, String, Object, Hashtable<?,?>);11",
"sun.jvmstat.perfdata.monitor.protocol.local.PerfDataFile;getFile(String, int);0",
"sun.jvmstat.perfdata.monitor.protocol.local.PerfDataFile;getTempDirectory(String);0",
"sun.jvmstat.perfdata.monitor.protocol.rmi.RemoteVmManager;RemoteVmManager(RemoteHost, String);1",
"sun.misc.Perf;attach(String, int, int);0", "sun.misc.Perf;attach(String, int, String);0",
"sun.misc.Perf;attachImpl(String, int, int);0",
"sun.net.ftp.FtpClient;login(String, char[], String);0",
"sun.net.ftp.FtpClient;login(String, char[]);0", "sun.net.ftp.FtpDirEntry;setUser(String);0",
"sun.net.ftp.impl.FtpClient;login(String, char[], String);0",
"com.sun.jndi.ldap.LdapPoolManager;getLdapClient(String, int, String, int, int, OutputStream, int, String, Control[], String, String, Object, Hashtable<?,?>);10",
"sun.net.ftp.impl.FtpClient;tryLogin(String, char[]);0",
"sun.net.ftp.impl.FtpClient;login(String, char[]);0",
"sun.net.www.protocol.http.DigestAuthentication;computeDigest(boolean, String, char[], String, String, String, String, String, String);1",
"sun.security.acl.PrincipalImpl;PrincipalImpl(String);0",
"sun.tools.jconsole.ConnectDialog;setConnectionParameters(String, String, int, String, String, String);3",
"sun.tools.jconsole.JConsole;failed(Exception, String, String, String);2",
"sun.tools.jconsole.JConsole;addHost(String, int, String, String, boolean);2",
"sun.tools.jconsole.JConsole;addUrl(String, String, String, boolean);1",
"sun.tools.jconsole.JConsole;addHost(String, int, String, String);2",
"sun.tools.jconsole.JConsole;showConnectDialog(String, String, int, String, String, String);3",
"com.sun.jndi.ldap.SimpleClientId;SimpleClientId(int, String, int, String, Control[], OutputStream, String, String, Object);7",
"sun.tools.jconsole.ProxyClient;ProxyClient(String, String, String);1",
"sun.tools.jconsole.ProxyClient;ProxyClient(String, int, String, String);2",
"sun.tools.jconsole.ProxyClient;setParameters(JMXServiceURL, String, String);1",
"sun.tools.jconsole.ProxyClient;getCacheKey(String, String, String);1",
"sun.tools.jconsole.ProxyClient;getCacheKey(String, int, String, String);2",
"sun.tools.jconsole.ProxyClient;getProxyClient(String, String, String);1",
"sun.tools.jconsole.ProxyClient;getConnectionName(String, String);1",
"sun.tools.jconsole.ProxyClient;getProxyClient(String, int, String, String);2",
"sun.tools.jconsole.ProxyClient;getConnectionName(String, int, String);2",
"com.sun.net.httpserver.BasicAuthenticator;checkCredentials(String, String);0",
"com.sun.net.httpserver.HttpPrincipal;HttpPrincipal(String, String);0",
"com.sun.rowset.JdbcRowSetImpl;JdbcRowSetImpl(String, String, String);1",
"com.sun.security.ntlm.Client;Client(String, String, String, String, char[]);2",
"com.sun.security.ntlm.Server;getPassword(String, String);1"
]
}
/**
* Holds if callable `c` from a standard Java API expects a cryptographic key parameter at index `i`.
*/
predicate javaApiCallableCryptoKeyParam(Callable c, int i) {
exists(c.getParameter(i)) and
javaApiCallableCryptoKeyParam(c.getDeclaringType().getQualifiedName() + ";" +
c.getStringSignature() + ";" + i)
}
private predicate javaApiCallableCryptoKeyParam(string s) {
// Auto-generated using an auxiliary query run on the JDK source code.
s =
[
"com.sun.crypto.provider.AESCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.AESCrypt;init(boolean, String, byte[]);2",
"com.sun.crypto.provider.CipherWithWrappingSpi;constructPublicKey(byte[], String);0",
"sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.ArcFourHmac;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;decryptRaw(byte[], int, byte[], byte[], int, int, byte[]);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;decryptSeq(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;encrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;calculateChecksum(byte[], int, byte[], int, int);0",
"com.sun.crypto.provider.CipherWithWrappingSpi;engineUnwrap(byte[], String, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmac;encryptSeq(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.ArcFourHmacEType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.ArcFourHmacEType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.ArcFourHmacEType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.ArcFourHmacEType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.CksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.CksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.Crc32CksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.Crc32CksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.Des;cbc_encrypt(byte[], byte[], byte[], byte[], boolean);2",
"com.sun.crypto.provider.CipherWithWrappingSpi;constructSecretKey(byte[], String);0",
"sun.security.krb5.internal.crypto.Des;set_parity(byte[]);0",
"sun.security.krb5.internal.crypto.Des;bad_key(byte[]);0",
"sun.security.krb5.internal.crypto.Des;des_cksum(byte[], byte[], byte[]);2",
"sun.security.krb5.internal.crypto.Des3;decryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Des3;encrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Des3;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Des3;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Des3;calculateChecksum(byte[], int, byte[], int, int);0",
"sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType;encrypt(byte[], byte[], byte[], int);1",
"com.sun.crypto.provider.CipherWithWrappingSpi;constructPrivateKey(byte[], String);0",
"sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcCrcEType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcCrcEType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcEType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcEType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcEType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesCbcEType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.DesMacCksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.DesMacCksumType;decryptKeyedChecksum(byte[], byte[]);1",
"com.sun.crypto.provider.ConstructKeys;constructPrivateKey(byte[], String);0",
"sun.security.krb5.internal.crypto.DesMacCksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.DesMacKCksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.DesMacKCksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.EType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.EType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.EType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.EType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.HmacMd5ArcFourCksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"com.sun.crypto.provider.ConstructKeys;constructSecretKey(byte[], String);0",
"sun.security.krb5.internal.crypto.HmacSha1Aes128CksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.HmacSha1Des3KdCksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.HmacSha1Des3KdCksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.NullEType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.NullEType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.NullEType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.NullEType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.RsaMd5CksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"com.sun.crypto.provider.ConstructKeys;constructPublicKey(byte[], String);0",
"sun.security.krb5.internal.crypto.RsaMd5CksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.RsaMd5DesCksumType;decryptKeyedChecksum(byte[], byte[]);1",
"sun.security.krb5.internal.crypto.RsaMd5DesCksumType;verifyKeyedChecksum(byte[], int, byte[], byte[], int);2",
"sun.security.krb5.internal.crypto.RsaMd5DesCksumType;calculateKeyedChecksum(byte[], int, byte[], int);2",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;encryptCTS(byte[], int, byte[], byte[], byte[], int, int, boolean);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;calculateChecksum(byte[], int, byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;encrypt(byte[], int, byte[], byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;getHmac(byte[], byte[]);0",
"com.sun.crypto.provider.CounterMode;init(boolean, String, byte[], byte[]);2",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;getCipher(byte[], byte[], int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;decryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.AesDkCrypto;decryptCTS(byte[], int, byte[], byte[], int, int, boolean);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;decryptSeq(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;decryptRaw(byte[], int, byte[], byte[], int, int, byte[]);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;getCipher(byte[], byte[], int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;encryptSeq(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;calculateChecksum(byte[], int, byte[], int, int);0",
"com.sun.crypto.provider.DESCipher;engineUnwrap(byte[], String, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;encrypt(byte[], int, byte[], byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.ArcFourCrypto;getHmac(byte[], byte[]);0",
"sun.security.krb5.internal.crypto.dk.Des3DkCrypto;keyCorrection(byte[]);0",
"sun.security.krb5.internal.crypto.dk.Des3DkCrypto;getCipher(byte[], byte[], int);0",
"sun.security.krb5.internal.crypto.dk.Des3DkCrypto;getHmac(byte[], byte[]);0",
"sun.security.krb5.internal.crypto.dk.Des3DkCrypto;setParityBit(byte[]);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;encrypt(byte[], int, byte[], byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;calculateChecksum(byte[], int, byte[], int, int);0",
"com.sun.crypto.provider.DESCrypt;expandKey(byte[]);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;decryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;getHmac(byte[], byte[]);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;getCipher(byte[], byte[], int);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;dk(byte[], byte[]);0",
"sun.security.krb5.internal.crypto.dk.DkCrypto;dr(byte[], byte[]);0",
"sun.security.pkcs.PKCS8Key;decode(byte[]);0",
"sun.security.pkcs.PKCS8Key;PKCS8Key(AlgorithmId, byte[]);1",
"sun.security.pkcs.PKCS8Key;buildPKCS8Key(AlgorithmId, byte[]);1",
"sun.security.pkcs.PKCS8Key;encode(DerOutputStream, AlgorithmId, byte[]);2",
"sun.security.pkcs11.ConstructKeys;constructPublicKey(byte[], String);0",
"com.sun.crypto.provider.AESWrapCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.DESCrypt;init(boolean, String, byte[]);2",
"sun.security.pkcs11.ConstructKeys;constructPrivateKey(byte[], String);0",
"sun.security.pkcs11.ConstructKeys;constructSecretKey(byte[], String);0",
"sun.security.pkcs11.P11Cipher;engineUnwrap(byte[], String, int);0",
"sun.security.pkcs11.P11KeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1",
"sun.security.pkcs11.P11RSACipher;engineUnwrap(byte[], String, int);0",
"sun.security.pkcs11.P11SecretKeyFactory;fixDESParity(byte[], int);0",
"sun.security.pkcs12.PKCS12KeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1",
"sun.security.provider.DomainKeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1",
"sun.security.provider.JavaKeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1",
"sun.security.tools.keytool.Main;recoverKey(String, char[], char[]);2",
"com.sun.crypto.provider.DESKey;DESKey(byte[], int);0",
"sun.security.tools.keytool.Main;getKeyPasswd(String, String, char[]);2",
"sun.security.x509.X509Key;decode(byte[]);0",
"com.sun.crypto.provider.DESKey;DESKey(byte[]);0",
"com.sun.crypto.provider.DESKeyGenerator;setParityBit(byte[], int);0",
"com.sun.crypto.provider.DESedeCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.DESedeKey;DESedeKey(byte[], int);0",
"com.sun.crypto.provider.DESedeKey;DESedeKey(byte[]);0",
"com.sun.crypto.provider.DESedeWrapCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.DHPrivateKey;DHPrivateKey(byte[]);0",
"com.sun.crypto.provider.DHPublicKey;DHPublicKey(byte[]);0",
"com.sun.crypto.provider.ARCFOURCipher;init(byte[]);0",
"com.sun.crypto.provider.ElectronicCodeBook;init(boolean, String, byte[], byte[]);2",
"com.sun.crypto.provider.FeedbackCipher;init(boolean, String, byte[], byte[]);2",
"com.sun.crypto.provider.GaloisCounterMode;init(boolean, String, byte[], byte[]);2",
"com.sun.crypto.provider.GaloisCounterMode;init(boolean, String, byte[], byte[], int);2",
"com.sun.crypto.provider.JceKeyStore;engineSetKeyEntry(String, byte[], Certificate[]);1",
"com.sun.crypto.provider.KeyProtector;recover(byte[]);0",
"com.sun.crypto.provider.OutputFeedback;init(boolean, String, byte[], byte[]);2",
"com.sun.crypto.provider.PBECipherCore;unwrap(byte[], String, int);0",
"com.sun.crypto.provider.PBES1Core;unwrap(byte[], String, int);0",
"com.sun.crypto.provider.PBES2Core;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.ARCFOURCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PBEWithMD5AndDESCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PBEWithMD5AndTripleDESCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PCBC;init(boolean, String, byte[], byte[]);2",
"com.sun.crypto.provider.PKCS12PBECipherCore;implUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_128;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC2_40;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_128;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndRC4_40;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.RC2Cipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.BlowfishCipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.RC2Crypt;init(boolean, String, byte[]);2",
"com.sun.crypto.provider.RSACipher;engineUnwrap(byte[], String, int);0",
"com.sun.crypto.provider.SymmetricCipher;init(boolean, String, byte[]);2",
"com.sun.crypto.provider.TlsMasterSecretGenerator$TlsMasterSecretKey;TlsMasterSecretKey(byte[], int, int);0",
"java.security.KeyStore;setKeyEntry(String, byte[], Certificate[]);1",
"java.security.KeyStoreSpi;engineSetKeyEntry(String, byte[], Certificate[]);1",
"java.security.cert.X509CertSelector;setSubjectPublicKey(byte[]);0",
"java.security.spec.EncodedKeySpec;EncodedKeySpec(byte[]);0",
"java.security.spec.PKCS8EncodedKeySpec;PKCS8EncodedKeySpec(byte[]);0",
"java.security.spec.X509EncodedKeySpec;X509EncodedKeySpec(byte[]);0",
"com.sun.crypto.provider.BlowfishCrypt;init(boolean, String, byte[]);2",
"javax.crypto.Cipher;unwrap(byte[], String, int);0",
"javax.crypto.CipherSpi;engineUnwrap(byte[], String, int);0",
"javax.crypto.EncryptedPrivateKeyInfo;checkPKCS8Encoding(byte[]);0",
"javax.crypto.spec.DESKeySpec;isWeak(byte[], int);0",
"javax.crypto.spec.DESKeySpec;DESKeySpec(byte[], int);0",
"javax.crypto.spec.DESKeySpec;isParityAdjusted(byte[], int);0",
"javax.crypto.spec.DESKeySpec;DESKeySpec(byte[]);0",
"javax.crypto.spec.DESedeKeySpec;isParityAdjusted(byte[], int);0",
"javax.crypto.spec.DESedeKeySpec;DESedeKeySpec(byte[], int);0",
"javax.crypto.spec.DESedeKeySpec;DESedeKeySpec(byte[]);0",
"com.sun.crypto.provider.CipherBlockChaining;init(boolean, String, byte[], byte[]);2",
"javax.crypto.spec.SecretKeySpec;SecretKeySpec(byte[], String);0",
"javax.crypto.spec.SecretKeySpec;SecretKeySpec(byte[], int, int, String);0",
"javax.security.auth.kerberos.KerberosKey;KerberosKey(KerberosPrincipal, byte[], int, int);1",
"javax.security.auth.kerberos.KerberosTicket;KerberosTicket(byte[], KerberosPrincipal, KerberosPrincipal, byte[], int, boolean[], Date, Date, Date, Date, InetAddress[]);3",
"javax.security.auth.kerberos.KerberosTicket;init(byte[], KerberosPrincipal, KerberosPrincipal, byte[], int, boolean[], Date, Date, Date, Date, InetAddress[]);3",
"javax.security.auth.kerberos.KeyImpl;KeyImpl(byte[], int);0",
"sun.security.jgss.krb5.CipherHelper;getInitializedDes(boolean, byte[], byte[]);1",
"sun.security.jgss.krb5.CipherHelper;getDesCbcChecksum(byte[], byte[], byte[], int, int);0",
"sun.security.jgss.krb5.CipherHelper;getDesEncryptionKey(byte[]);0",
"sun.security.jgss.krb5.CipherHelper;desCbcDecrypt(WrapToken, byte[], byte[], int, int, byte[], int);1",
"com.sun.crypto.provider.CipherCore;unwrap(byte[], String, int);0",
"sun.security.jgss.krb5.CipherHelper;desCbcDecrypt(WrapToken, byte[], InputStream, int, byte[], int);1",
"sun.security.jgss.krb5.Krb5InitCredential;Krb5InitCredential(Krb5NameElement, byte[], KerberosPrincipal, KerberosPrincipal, byte[], int, boolean[], Date, Date, Date, Date, InetAddress[]);4",
"sun.security.jgss.krb5.Krb5InitCredential;Krb5InitCredential(Krb5NameElement, Credentials, byte[], KerberosPrincipal, KerberosPrincipal, byte[], int, boolean[], Date, Date, Date, Date, InetAddress[]);5",
"sun.security.krb5.Credentials;Credentials(byte[], String, String, byte[], int, boolean[], Date, Date, Date, Date, InetAddress[]);3",
"sun.security.krb5.EncryptionKey;EncryptionKey(int, byte[]);1",
"sun.security.krb5.EncryptionKey;EncryptionKey(byte[], int, Integer);0",
"sun.security.krb5.internal.crypto.Aes128;decryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes128;calculateChecksum(byte[], int, byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes128;decrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes128;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"com.sun.crypto.provider.CipherFeedback;init(boolean, String, byte[], byte[]);2",
"sun.security.krb5.internal.crypto.Aes128;encrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType;encrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType;decrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType;encrypt(byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType;decrypt(byte[], byte[], byte[], int);1",
"sun.security.krb5.internal.crypto.Aes256;encrypt(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes256;decryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes256;calculateChecksum(byte[], int, byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes256;encryptRaw(byte[], int, byte[], byte[], int, int);0",
"sun.security.krb5.internal.crypto.Aes256;decrypt(byte[], int, byte[], byte[], int, int);0"
]
}
/**
* Holds if callable `c` from a known API expects a credential parameter at index `i`.
*/
predicate otherApiCallableCredentialParam(Callable c, int i) {
exists(c.getParameter(i)) and
otherApiCallableCredentialParam(c.getDeclaringType().getQualifiedName() + ";" +
c.getStringSignature() + ";" + i)
}
private predicate otherApiCallableCredentialParam(string s) {
s =
[
"javax.crypto.spec.IvParameterSpec;IvParameterSpec(byte[]);0",
"javax.crypto.spec.IvParameterSpec;IvParameterSpec(byte[], int, int);0",
"org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);0",
"org.springframework.security.core.userdetails.User;User(String, String, boolean, boolean, boolean, boolean, Collection<? extends GrantedAuthority>);1",
"com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);0",
"com.amazonaws.auth.BasicAWSCredentials;BasicAWSCredentials(String, String);1",
"com.azure.identity.UsernamePasswordCredentialBuilder;username(String);0",
"com.azure.identity.UsernamePasswordCredentialBuilder;password(String);0",
"com.azure.identity.ClientSecretCredentialBuilder;clientSecret(String);0",
"org.apache.shiro.mgt.AbstractRememberMeManager;setCipherKey(byte[]);0"
]
}