Merge pull request #15548 from joefarebrother/android-local-auth-keys

Java: Add query for insecurely generated keys for local authentication.

java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll

@@ -1,6 +1,7 @@
 /** Definitions for the insecure local authentication query. */
 
 import java
+private import semmle.code.java.dataflow.DataFlow
 
 /** A base class that is used as a callback for biometric authentication. */
 private class AuthenticationCallbackClass extends Class {
@@ -40,3 +41,24 @@ class AuthenticationSuccessCallback extends Method {
     not result = this.getASuperResultUse()
   }
 }
+
+/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
+class InsecureBiometricKeyParamCall extends MethodCall {
+  InsecureBiometricKeyParamCall() {
+    exists(string name, CompileTimeConstantExpr val |
+      this.getMethod()
+          .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
+      DataFlow::localExprFlow(val, this.getArgument(0)) and
+      (
+        name = ["setUserAuthenticationRequired", "setInvalidatedByBiometricEnrollment"] and
+        val.getBooleanValue() = false
+        or
+        name = "setUserAuthenticationValidityDurationSeconds" and
+        val.getIntValue() != -1
+      )
+    )
+  }
+}
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }