hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: convert InsufficientKeySize test to .qlref

Browse Source
This commit is contained in:
Nora Dimitrijević
2025-06-23 15:59:14 +02:00
parent 993b261b63
commit 288a938814
4 changed files with 172 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

120
java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.expected
View File

@@ -0,0 +1,120 @@
#select
| InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | InsufficientKeySizeTest.java:17:26:17:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:17:26:17:27 | 64 | key size |
| InsufficientKeySizeTest.java:27:26:27:30 | size1 | InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:23:31:23:32 | 64 | key size |
| InsufficientKeySizeTest.java:30:26:30:30 | size2 | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size |
| InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | InsufficientKeySizeTest.java:40:26:40:27 | 64 | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:40:26:40:27 | 64 | key size |
| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:51:36:51:39 | 1024 | key size |
| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:58:73:58:76 | 1024 | key size |
| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:62:63:62:66 | 1024 | key size |
| InsufficientKeySizeTest.java:69:36:69:40 | size1 | InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:65:31:65:34 | 1024 | key size |
| InsufficientKeySizeTest.java:72:36:72:40 | size2 | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size |
| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:255:40:255:43 | 1024 | key size |
| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:86:36:86:39 | 1024 | key size |
| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:97:36:97:39 | 1024 | key size |
| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:104:67:104:70 | 1024 | key size |
| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:108:60:108:63 | 1024 | key size |
| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:112:27:112:30 | 1024 | key size |
| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:117:28:117:31 | 1024 | key size |
| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:128:36:128:39 | 1024 | key size |
| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:135:64:135:67 | 1024 | key size |
| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:139:59:139:62 | 1024 | key size |
| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:143:27:143:30 | 1024 | key size |
| InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | InsufficientKeySizeTest.java:150:36:150:38 | 128 | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:150:36:150:38 | 128 | key size |
| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | key size |
| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | key size |
| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | key size |
| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | key size |
| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | key size |
| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | key size |
| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | key size |
| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | key size |
| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" | key size |
| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | This $@ is less than the recommended key size of EC bits. | InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" | key size |
| InsufficientKeySizeTest.java:219:21:219:27 | keySize | InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:24:25:24:26 | 64 | key size |
| InsufficientKeySizeTest.java:225:21:225:27 | keySize | InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | This $@ is less than the recommended key size of 128 bits. | InsufficientKeySizeTest.java:35:30:35:31 | 64 | key size |
| InsufficientKeySizeTest.java:230:31:230:37 | keySize | InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:66:25:66:28 | 1024 | key size |
| InsufficientKeySizeTest.java:236:31:236:37 | keySize | InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | This $@ is less than the recommended key size of 2048 bits. | InsufficientKeySizeTest.java:77:36:77:39 | 1024 | key size |
| InsufficientKeySizeTest.java:246:31:246:37 | keySize | InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:199:24:199:26 | 128 | key size |
| InsufficientKeySizeTest.java:252:31:252:37 | keySize | InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | This $@ is less than the recommended key size of 256 bits. | InsufficientKeySizeTest.java:202:40:202:42 | 128 | key size |
edges
| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | InsufficientKeySizeTest.java:27:26:27:30 | size1 | provenance | |
| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:30:26:30:30 | size2 | provenance | |
| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | provenance | |
| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | InsufficientKeySizeTest.java:69:36:69:40 | size1 | provenance | |
| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:72:36:72:40 | size2 | provenance | |
| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | provenance | |
| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | InsufficientKeySizeTest.java:201:41:201:44 | size : Number | provenance | |
| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | provenance | |
| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | provenance | |
| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | provenance | |
| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | InsufficientKeySizeTest.java:219:21:219:27 | keySize | provenance | |
| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | InsufficientKeySizeTest.java:225:21:225:27 | keySize | provenance | |
| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | InsufficientKeySizeTest.java:230:31:230:37 | keySize | provenance | |
| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | InsufficientKeySizeTest.java:236:31:236:37 | keySize | provenance | |
| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | InsufficientKeySizeTest.java:246:31:246:37 | keySize | provenance | |
| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | InsufficientKeySizeTest.java:252:31:252:37 | keySize | provenance | |
| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | provenance | |
nodes
| InsufficientKeySizeTest.java:17:26:17:27 | 64 | semmle.label | 64 |
| InsufficientKeySizeTest.java:23:31:23:32 | 64 : Number | semmle.label | 64 : Number |
| InsufficientKeySizeTest.java:24:25:24:26 | 64 : Number | semmle.label | 64 : Number |
| InsufficientKeySizeTest.java:27:26:27:30 | size1 | semmle.label | size1 |
| InsufficientKeySizeTest.java:30:26:30:30 | size2 | semmle.label | size2 |
| InsufficientKeySizeTest.java:34:35:34:39 | size2 : Number | semmle.label | size2 : Number |
| InsufficientKeySizeTest.java:35:30:35:31 | 64 : Number | semmle.label | 64 : Number |
| InsufficientKeySizeTest.java:40:26:40:27 | 64 | semmle.label | 64 |
| InsufficientKeySizeTest.java:51:36:51:39 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:58:73:58:76 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:62:63:62:66 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:65:31:65:34 | 1024 : Number | semmle.label | 1024 : Number |
| InsufficientKeySizeTest.java:66:25:66:28 | 1024 : Number | semmle.label | 1024 : Number |
| InsufficientKeySizeTest.java:69:36:69:40 | size1 | semmle.label | size1 |
| InsufficientKeySizeTest.java:72:36:72:40 | size2 | semmle.label | size2 |
| InsufficientKeySizeTest.java:76:41:76:45 | size2 : Number | semmle.label | size2 : Number |
| InsufficientKeySizeTest.java:77:36:77:39 | 1024 : Number | semmle.label | 1024 : Number |
| InsufficientKeySizeTest.java:81:36:81:50 | getRSAKeySize(...) | semmle.label | getRSAKeySize(...) |
| InsufficientKeySizeTest.java:86:36:86:39 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:97:36:97:39 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:104:67:104:70 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:108:60:108:63 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:112:27:112:30 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:117:28:117:31 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:128:36:128:39 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:135:64:135:67 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:139:59:139:62 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:143:27:143:30 | 1024 | semmle.label | 1024 |
| InsufficientKeySizeTest.java:150:36:150:38 | 128 | semmle.label | 128 |
| InsufficientKeySizeTest.java:154:65:154:75 | "secp112r1" | semmle.label | "secp112r1" |
| InsufficientKeySizeTest.java:158:59:158:69 | "secp112r1" | semmle.label | "secp112r1" |
| InsufficientKeySizeTest.java:165:65:165:82 | "X9.62 prime192v2" | semmle.label | "X9.62 prime192v2" |
| InsufficientKeySizeTest.java:169:65:169:82 | "X9.62 c2tnb191v3" | semmle.label | "X9.62 c2tnb191v3" |
| InsufficientKeySizeTest.java:173:65:173:75 | "sect163k1" | semmle.label | "sect163k1" |
| InsufficientKeySizeTest.java:181:65:181:76 | "prime192v2" | semmle.label | "prime192v2" |
| InsufficientKeySizeTest.java:189:65:189:76 | "c2tnb191v1" | semmle.label | "c2tnb191v1" |
| InsufficientKeySizeTest.java:197:64:197:74 | "secp112r1" | semmle.label | "secp112r1" |
| InsufficientKeySizeTest.java:199:24:199:26 | 128 : Number | semmle.label | 128 : Number |
| InsufficientKeySizeTest.java:201:41:201:44 | size : Number | semmle.label | size : Number |
| InsufficientKeySizeTest.java:202:40:202:42 | 128 : Number | semmle.label | 128 : Number |
| InsufficientKeySizeTest.java:205:39:205:49 | "secp112r1" : String | semmle.label | "secp112r1" : String |
| InsufficientKeySizeTest.java:207:66:207:75 | curveName1 | semmle.label | curveName1 |
| InsufficientKeySizeTest.java:210:33:210:43 | "secp112r1" : String | semmle.label | "secp112r1" : String |
| InsufficientKeySizeTest.java:212:66:212:75 | curveName2 | semmle.label | curveName2 |
| InsufficientKeySizeTest.java:217:46:217:56 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:219:21:219:27 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:223:41:223:51 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:225:21:225:27 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:228:52:228:62 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:230:31:230:37 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:234:47:234:57 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:236:31:236:37 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:244:52:244:62 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:246:31:246:37 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:250:51:250:61 | keySize : Number | semmle.label | keySize : Number |
| InsufficientKeySizeTest.java:252:31:252:37 | keySize | semmle.label | keySize |
| InsufficientKeySizeTest.java:255:40:255:43 | 1024 : Number | semmle.label | 1024 : Number |
subpaths

96
java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
View File

@@ -14,30 +14,30 @@ public class InsufficientKeySizeTest {
{
/* Test with keysize as int */
KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
keyGen1.init(64); // $ hasInsufficientKeySize
keyGen1.init(64); // $ Alert
KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
keyGen2.init(128); // Safe: Key size is no less than 128
/* Test with local variable as keysize */
final int size1 = 64; // compile-time constant
int size2 = 64; // not a compile-time constant
final int size1 = 64; // $ Source// compile-time constant
int size2 = 64; // $ Source// not a compile-time constant
KeyGenerator keyGen3 = KeyGenerator.getInstance("AES");
keyGen3.init(size1); // $ hasInsufficientKeySize
keyGen3.init(size1); // $ Alert
KeyGenerator keyGen4 = KeyGenerator.getInstance("AES");
keyGen4.init(size2); // $ hasInsufficientKeySize
keyGen4.init(size2); // $ Alert
/* Test variables passed to another method */
KeyGenerator keyGen5 = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument
testSymmetricVariable(size2, keyGen5); // test with variable as key size
testSymmetricInt(64); // test with int literal as key size
testSymmetricInt(64); // $ Source // test with int literal as key size
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "AES"; // compile-time constant
KeyGenerator keyGen6 = KeyGenerator.getInstance(algoName1);
keyGen6.init(64); // $ hasInsufficientKeySize
keyGen6.init(64); // $ Alert
String algoName2 = "AES"; // not a compile-time constant
KeyGenerator keyGen7 = KeyGenerator.getInstance(algoName2);
@@ -48,42 +48,42 @@ public class InsufficientKeySizeTest {
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("RSA");
RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ hasInsufficientKeySize
RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ Alert
keyPairGen3.initialize(rsaSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ hasInsufficientKeySize
keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ Alert
/* Test with local variable as keysize */
final int size1 = 1024; // compile-time constant
int size2 = 1024; // not a compile-time constant
final int size1 = 1024; // $ Source // compile-time constant
int size2 = 1024; // $ Source // not a compile-time constant
KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("RSA");
keyPairGen5.initialize(size1); // $ hasInsufficientKeySize
keyPairGen5.initialize(size1); // $ Alert
KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("RSA");
keyPairGen6.initialize(size2); // $ hasInsufficientKeySize
keyPairGen6.initialize(size2); // $ Alert
/* Test variables passed to another method */
KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument
testAsymmetricNonEcVariable(size2, keyPairGen7); // test with variable as key size
testAsymmetricNonEcInt(1024); // test with int literal as key size
testAsymmetricNonEcInt(1024); // $ Source // test with int literal as key size
/* Test getting key size as return value of another method */
KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("RSA");
keyPairGen8.initialize(getRSAKeySize()); // $ hasInsufficientKeySize
keyPairGen8.initialize(getRSAKeySize()); // $ Alert
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "RSA"; // compile-time constant
KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance(algoName1);
keyPairGen9.initialize(1024); // $ hasInsufficientKeySize
keyPairGen9.initialize(1024); // $ Alert
String algoName2 = "RSA"; // not a compile-time constant
KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance(algoName2);
@@ -94,27 +94,27 @@ public class InsufficientKeySizeTest {
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("DSA");
keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA");
DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ Alert
keyPairGen3.initialize(dsaSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ Alert
/* Test `AlgorithmParameterGenerator` */
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DSA");
paramGen.init(1024); // $ hasInsufficientKeySize
paramGen.init(1024); // $ Alert
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "DSA"; // compile-time constant
AlgorithmParameterGenerator paramGen1 = AlgorithmParameterGenerator.getInstance(algoName1);
paramGen1.init(1024); // $ hasInsufficientKeySize
paramGen1.init(1024); // $ Alert
String algoName2 = "DSA"; // not a compile-time constant
AlgorithmParameterGenerator paramGen2 = AlgorithmParameterGenerator.getInstance(algoName2);
@@ -125,52 +125,52 @@ public class InsufficientKeySizeTest {
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("dh");
keyPairGen1.initialize(1024); // $ hasInsufficientKeySize
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DH");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ hasInsufficientKeySize
DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ Alert
keyPairGen3.initialize(dhSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ Alert
/* Test `AlgorithmParameterGenerator` */
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH");
paramGen.init(1024); // $ hasInsufficientKeySize
paramGen.init(1024); // $ Alert
}
// EC (Asymmetric): minimum recommended key size is 256
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("EC");
keyPairGen1.initialize(128); // $ hasInsufficientKeySize
keyPairGen1.initialize(128); // $ Alert
/* Test with keysize as curve name in spec */
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ Alert
keyPairGen2.initialize(ecSpec1);
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("EC");
keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ hasInsufficientKeySize
keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ Alert
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1"); // Safe: Key size is no less than 256
keyPairGen4.initialize(ecSpec2);
KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ Alert
keyPairGen5.initialize(ecSpec3);
KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ Alert
keyPairGen6.initialize(ecSpec4);
KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ Alert
keyPairGen7.initialize(ecSpec5);
KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
@@ -178,7 +178,7 @@ public class InsufficientKeySizeTest {
keyPairGen8.initialize(ecSpec6);
KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ Alert
keyPairGen9.initialize(ecSpec7);
KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
@@ -186,7 +186,7 @@ public class InsufficientKeySizeTest {
keyPairGen10.initialize(ecSpec8);
KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ Alert
keyPairGen14.initialize(ecSpec9);
KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC");
@@ -194,46 +194,46 @@ public class InsufficientKeySizeTest {
keyPairGen15.initialize(ecSpec10); // Safe: Key size is no less than 256
/* Test variables passed to another method */
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ Alert
testAsymmetricEcSpecVariable(ecSpec); // test spec as an argument
int size = 128;
int size = 128; // $ Source
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); // MISSING: test KeyGenerator variable as argument
testAsymmetricEcIntVariable(size, keyPairGen); // test with variable as key size
testAsymmetricEcIntLiteral(128); // test with int literal as key size
testAsymmetricEcIntLiteral(128); // $ Source // test with int literal as key size
/* Test with variable as curve name argument in `ECGenParameterSpec` constructor. */
final String curveName1 = "secp112r1"; // compile-time constant
final String curveName1 = "secp112r1"; // $ Source // compile-time constant
KeyPairGenerator keyPairGen16 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ Alert
keyPairGen16.initialize(ecSpec11);
String curveName2 = "secp112r1"; // not a compile-time constant
String curveName2 = "secp112r1"; // $ Source // not a compile-time constant
KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ hasInsufficientKeySize
ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ Alert
keyPairGen17.initialize(ecSpec12);
}
}
public static void testSymmetricVariable(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(keySize); // $ hasInsufficientKeySize
keyGen.init(keySize); // $ Alert
kg.init(64); // $ MISSING: hasInsufficientKeySize
}
public static void testSymmetricInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(keySize); // $ hasInsufficientKeySize
keyGen.init(keySize); // $ Alert
}
public static void testAsymmetricNonEcVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
keyPairGen.initialize(keySize); // $ Alert
kpg.initialize(1024); // $ MISSING: hasInsufficientKeySize
}
public static void testAsymmetricNonEcInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
keyPairGen.initialize(keySize); // $ Alert
}
public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
@@ -243,14 +243,14 @@ public class InsufficientKeySizeTest {
public static void testAsymmetricEcIntVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
keyPairGen.initialize(keySize); // $ Alert
kpg.initialize(128); // $ MISSING: hasInsufficientKeySize
}
public static void testAsymmetricEcIntLiteral(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
keyPairGen.initialize(keySize); // $ Alert
}
public int getRSAKeySize(){ return 1024; }
public int getRSAKeySize(){ return 1024; } // $ Source
}

18
java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql
View File

@@ -1,18 +0,0 @@
import java
import utils.test.InlineExpectationsTest
import semmle.code.java.security.InsufficientKeySizeQuery
module InsufficientKeySizeTest implements TestSig {
string getARelevantTag() { result = "hasInsufficientKeySize" }
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasInsufficientKeySize" and
exists(KeySizeFlow::PathNode sink | KeySizeFlow::flowPath(_, sink) |
sink.getNode().getLocation() = location and
element = sink.getNode().toString() and
value = ""
)
}
}
import MakeTest<InsufficientKeySizeTest>

4
java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.qlref Normal file
View File

@@ -0,0 +1,4 @@
query: Security/CWE/CWE-326/InsufficientKeySize.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql