Crypto: Weak asymmetric key gen size fixes and test.

2025-12-16 16:53:25 +01:00 · 2025-10-10 14:49:35 -04:00
parent 758759a304
commit 36673659ad
6 changed files with 58 additions and 24 deletions
--- a/java/ql/lib/experimental/quantum/JCA.qll
+++ b/java/ql/lib/experimental/quantum/JCA.qll
@@ -110,7 +110,8 @@ module JCAModel {
  predicate signature_names(string name) {
    name.toUpperCase().splitAt("WITH", 1).matches(["RSA%", "ECDSA%", "DSA%"])
    or
-    name.toUpperCase().matches(["RSASSA-PSS", "ED25519", "ED448", "EDDSA", "ML-DSA%", "HSS/LMS"])
+    name.toUpperCase()
+        .matches(["RSASSA-PSS", "ED25519", "ED448", "EDDSA", "ML-DSA%", "HSS/LMS", "DSA"])
  }

  bindingset[name]
@@ -257,6 +258,8 @@ module JCAModel {
    name.toUpperCase().matches("ML-DSA%") and type = KeyOpAlg::TSignature(KeyOpAlg::DSA())
    or
    name.toUpperCase() = "HSS/LMS" and type = KeyOpAlg::TSignature(KeyOpAlg::HSS_LMS())
+    or
+    name.toUpperCase() = "DSA" and type = KeyOpAlg::TSignature(KeyOpAlg::DSA())
  }

  bindingset[name]
@@ -1019,7 +1022,8 @@ module JCAModel {
  }

  class KeyGenerationAlgorithmValueConsumer extends CipherAlgorithmValueConsumer,
-    KeyAgreementAlgorithmValueConsumer, EllipticCurveAlgorithmValueConsumer instanceof Expr
+    KeyAgreementAlgorithmValueConsumer, EllipticCurveAlgorithmValueConsumer,
+    SignatureAlgorithmValueConsumer instanceof Expr
  {
    KeyGeneratorGetInstanceCall instantiationCall;

--- a/java/ql/src/experimental/quantum/Examples/WeakAsymmetric.ql
+++ b/java/ql/src/experimental/quantum/Examples/WeakAsymmetric.ql
@@ -1,22 +0,0 @@
-/**
- * @name Weak Asymmetric Key Size
- * @id java/quantum/weak-asymmetric-key-size
- * @description An asymmetric cipher with a short key size is in use
- * @kind problem
- * @problem.severity error
- * @precision high
- * @tags quantum
- *       experimental
- */
-
-import java
-import experimental.quantum.Language
-
-from Crypto::KeyOperationAlgorithmNode op, int keySize, string algName
-where
-  keySize = op.getKeySizeFixed() and
-  keySize < 2048 and
-  algName = op.getAlgorithmName() and
-  // Can't be an elliptic curve
-  op.getAlgorithmType() != Crypto::KeyOpAlg::AlgorithmType::EllipticCurveType()
-select "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " + algName
--- a/java/ql/src/experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
+++ b/java/ql/src/experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Weak Asymmetric Key Size
+ * @id java/quantum/weak-asymmetric-key-gen-size
+ * @description An asymmetric key of known size is less than 2048 bits for any non-elliptic curve key operation.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::KeyArtifactNode key, int keySize, Crypto::AlgorithmNode alg
+where
+  key.getCreatingOperation().getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize and
+  alg = key.getAKnownAlgorithm() and // NOTE: if algorithm is not known (doesn't bind) we need a separate query
+  not alg instanceof Crypto::EllipticCurveNode and // Elliptic curve sizes are handled separately and are more tied directly to the algorithm
+  keySize < 2048
+select key, "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm $@",
+  alg, alg.getAlgorithmName()
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/InsufficientAsymmetricKeySize.java
@@ -0,0 +1,28 @@
+import java.security.*;
+public class InsufficientAsymmetricKeySize{
+    public static void test() throws Exception{
+        KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
+        keyPairGen1.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
+        keyPairGen1.generateKeyPair();
+
+        KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
+        keyPairGen2.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
+        keyPairGen2.generateKeyPair();
+
+        KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
+        keyPairGen3.initialize(1024); // $Alert[java/quantum/weak-asymmetric-key-gen-size]
+        keyPairGen3.generateKeyPair();
+
+        KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
+        keyPairGen4.initialize(2048); // GOOD
+        keyPairGen4.generateKeyPair();
+
+        KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("DSA");
+        keyPairGen5.initialize(2048); // GOOD
+        keyPairGen5.generateKeyPair();
+
+        KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("DH");
+        keyPairGen6.initialize(2048); // GOOD
+        keyPairGen6.generateKeyPair();
+    }
+}
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/WeakOrUnknownAsymmetricKeyGenSize.expected
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/WeakOrUnknownAsymmetricKeyGenSize.expected
@@ -0,0 +1 @@
+a
--- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/WeakOrUnknownAsymmetricKeyGenSize.qlref
+++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownAsymmetricKeySize/WeakOrUnknownAsymmetricKeyGenSize.qlref
@@ -0,0 +1 @@
+experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql
				`@@ -0,0 +1 @@`
				`experimental/quantum/Examples/WeakAsymmetricKeyGenSize.ql`