Moved Cpp into sub directory 'cryptography' instead of crypto. Added python models, inventory, and example alerts.

python/ql/lib/experimental/cryptography/Concepts.qll

@@ -0,0 +1,7 @@
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.CryptoAlgorithmNames
+import semmle.python.ApiGraphs
+
+import experimental.cryptography.modules.stdlib.HashlibModule as HashLibModule
+import experimental.cryptography.modules.stdlib.HmacModule as HMacModule
+import experimental.cryptography.modules.CryptographyModule as CryptographyModule

python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -0,0 +1,215 @@
+/**
+ * Names of known cryptographic algorithms.
+ * The names are standardized into upper-case, no spaces, dashes or underscores.
+ */
+
+/**
+ * Returns a string to represent generally unknown algorithms.
+ * Predicate is to be used to get a consistent string representation
+ * for unknown algorithms.
+ */
+string unknownAlgorithm() { result = "UNKNOWN" }
+
+string getHashType() { result = "HASH" }
+string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
+string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
+string getKeyDerivationType() { result = "KEY_DERIVATION" }
+string getCipherBlockModeType() { result = "BLOCK_MODE" }
+string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
+string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
+string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
+string getSignatureType() { result = "SIGNATURE" }
+string getKeyExchangeType() { result = "KEY_EXCHANGE" }
+
+predicate isKnownType(string algType){
+  algType in [
+    getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(), getKeyDerivationType(),
+    getCipherBlockModeType(), getSymmetricPaddingType(), getAsymmetricPaddingType(), getEllipticCurveType(),
+    getSignatureType(), getKeyExchangeType()
+  ]
+}
+
+
+predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
+
+predicate isKnownAlgorithm(string name, string algType) {
+  isHashingAlgorithm(name) and algType = "HASH"
+  or
+  isEncryptionAlgorithm(name, algType) and algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
+  or
+  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
+  or
+  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
+  or
+  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
+  or
+  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
+  or
+  isSignatureAlgorithm(name) and algType = "SIGNATURE"
+  or
+  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
+}
+
+/**
+ * Holds if `name` is a known hashing algorithm in the model/library.
+ */
+predicate isHashingAlgorithm(string name) {
+  name =
+    [
+      "BLAKE2", "BLAKE2B", "BLAKE2S", 
+      "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224", "SHA512256",
+      "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256", "SM3",
+      "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128",
+      "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1","MGF1SHA1", "MDC2", "SIPHASH"
+    ]
+}
+
+predicate isEncryptionAlgorithm(string name, string algType) {
+  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
+  or
+  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
+}
+
+predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
+
+/**
+ * Holds if `name` corresponds to a known symmetric encryption algorithm.
+ */
+predicate isSymmetricEncryptionAlgorithm(string name) {
+  // NOTE: AES is meant to caputure all possible key lengths
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
+      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
+      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
+      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012", 
+      "GOST34112012", "IDEA", "RABBIT",
+      "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES", "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA",
+      "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5", "MAGMA", "KUZNYECHIK"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known key derivation algorithm.
+ */
+predicate isKeyDerivationAlgorithm(string name) {
+  name =
+    [
+      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
+      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
+      "X963KDF", "EVPKDF"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known cipher block mode
+ */
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
+}
+
+/**
+ * Holds if `name` corresponds to a known padding algorithm
+ */
+predicate isPaddingAlgorithm(string name, string algType) {
+  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
+  or
+  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
+}
+
+/**
+ * holds if `name` corresponds to a known symmetric padding algorithm
+ */
+predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric padding algorithm
+ */
+predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
+
+predicate isBrainpoolCurve(string curveName, int keySize) {
+  // ALL BRAINPOOL CURVES
+  keySize in [160, 192, 224, 256, 320, 384, 512] and
+  (
+    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
+    or
+    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
+  )
+}
+
+predicate isSecCurve(string curveName, int keySize) {
+  // ALL SEC CURVES
+  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
+  exists(string suff | suff in ["R1", "R2", "K1"] |
+    curveName = "SECT" + keySize.toString() + suff or
+    curveName = "SECP" + keySize.toString() + suff
+  )
+}
+
+predicate isC2Curve(string curveName, int keySize) {
+  // ALL C2 CURVES
+  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
+  exists(string pre, string suff |
+    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
+  |
+    curveName = "C2" + pre + keySize.toString() + suff
+  )
+}
+
+predicate isPrimeCurve(string curveName, int keySize) {
+  // ALL PRIME CURVES
+  keySize in [192, 239, 256] and
+  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
+}
+
+predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
+
+/**
+ * Holds if `name` corresponds to a known elliptic curve.
+ */
+predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
+  isSecCurve(curveName, keySize)
+  or
+  isBrainpoolCurve(curveName, keySize)
+  or
+  isC2Curve(curveName, keySize)
+  or
+  isPrimeCurve(curveName, keySize)
+  or
+  curveName = "ES256" and keySize = 256
+  or
+  curveName = "CURVE25519" and keySize = 255
+  or
+  curveName = "X25519" and keySize = 255
+  or
+  curveName = "ED25519" and keySize = 255
+  or
+  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
+  or
+  curveName = "ED448" and keySize = 448
+  or
+  curveName = "X448" and keySize = 448
+  or
+  curveName = "NUMSP256T1" and keySize = 256
+  or
+  curveName = "NUMSP384T1" and keySize = 384
+  or
+  curveName = "NUMSP512T1" and keySize = 512
+}
+
+/**
+ * Holds if `name` corresponds to a known signature algorithm.
+ */
+predicate isSignatureAlgorithm(string name) { 
+  name = ["DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256", "ECDSA384", "ECDSA512"] 
+}
+
+/**
+ * Holds if `name` is a key exchange algorithm.
+ */
+predicate isKeyExchangeAlgorithm(string name) { name = ["ECDH", "DIFFIEHELLMAN", "X25519", "X448"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric encryption.
+ */
+predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

python/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -0,0 +1,301 @@
+import python
+private import semmle.python.ApiGraphs
+private import experimental.cryptography.CryptoAlgorithmNames
+private import experimental.cryptography.utils.Utils as Utils
+
+
+/*
+* A cryptographic artifact is a DataFlow::Node associated with some
+* operation, algorithm, or any other aspect of cryptography.
+*/
+abstract class CryptographicArtifact extends DataFlow::Node {}
+
+/**
+ * Associates a symmetric encryption algorithm with a block mode.
+ * The DataFlow::Node representing this association should be the
+ * point where the algorithm and block mode are combined. 
+ * This may be at the call to encryption or in the construction 
+ * of an object prior to encryption. 
+ */
+abstract class SymmetricCipher extends CryptographicArtifact{
+  abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
+  abstract BlockMode getBlockMode();
+  final predicate hasBlockMode(){
+    exists(this.getBlockMode())
+  }
+}
+
+/**
+ * A cryptographic operation is a method call that invokes a cryptographic
+ * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
+ * (key generation).
+ * 
+ * Since operations are related to or in support of algorithms, operations must
+ * provide a reference to their associated algorithm. Often operataions themselves
+ * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
+ * and refer to themselves as the target algorithm. 
+ */
+abstract class CryptographicOperation extends CryptographicArtifact, API::CallNode{
+
+  bindingset[paramName, ind]
+  final DataFlow::Node getParameterSource(int ind, string paramName){
+    result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
+  }
+
+  final string getAlgorithmName(){
+    if exists(this.getAlgorithm().getName())
+    then result = this.getAlgorithm().getName()
+    else result = unknownAlgorithm()
+  }
+
+  final predicate hasAlgorithm(){
+    exists(this.getAlgorithm())
+  }
+
+  final predicate isUnknownAlgorithm(){
+    this.getAlgorithmName() = unknownAlgorithm()
+    or
+    not this.hasAlgorithm()
+  }
+
+  // TODO: this might have to be parameterized by a configuration source for
+  //       situations where an operation is passed an algorithm
+  abstract CryptographicAlgorithm getAlgorithm();
+
+}
+
+/** A key generation operation for asymmetric keys */
+abstract class KeyGen extends CryptographicOperation{
+
+ 
+  int getAKeySizeInBits(){
+    result = getKeySizeInBits(_)
+  }
+
+  final predicate hasKeySize(DataFlow::Node configSrc){
+    exists(this.getKeySizeInBits(configSrc))
+  }
+
+  final predicate hasKeySize(){
+    exists(this.getAKeySizeInBits())
+  }
+
+  abstract DataFlow::Node getKeyConfigSrc();
+  abstract int getKeySizeInBits(DataFlow::Node configSrc);
+
+}
+
+abstract class AsymmetricKeyGen extends KeyGen{}
+abstract class SymmetricKeyGen extends KeyGen{}
+
+
+/**
+ * A cryptographic algorithm is a `CryptographicArtifact` 
+ * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
+ * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
+ * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
+ * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
+ * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
+ * 
+ * In principle, this class should model the location where an algorithm enters the program, not
+ * necessarily where it is used. 
+ */
+abstract class CryptographicAlgorithm extends CryptographicArtifact
+{
+  abstract string getName();
+
+  // TODO: handle case where name isn't known, not just unknown? 
+
+  /**
+   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
+   * Subclassess should override for more api-specific normalization.
+   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space. 
+   */
+  bindingset[s]
+  string normalizeName(string s)
+  {
+    exists(string normStr | 
+      normStr = s.toUpperCase().regexpReplaceAll("[-_ ]", "")
+    | 
+      (result = normStr and isKnownAlgorithm(result))
+      or
+      (result = unknownAlgorithm() and not isKnownAlgorithm(normStr))
+    )
+  }
+}
+
+// class UnknownAlgorithm extends DataFlow::Node instanceof CryptographicAlgorithm{
+//   UnknownAlgorithm(){
+//     super.getName() = unknownAlgorithm()
+//   }
+// }
+
+abstract class HashAlgorithm extends CryptographicAlgorithm{
+  final string getHashName(){
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then (isHashingAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+
+abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm{
+  final string getKDFName(){
+    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
+    then (isKeyDerivationAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyDerivationOperation extends CryptographicOperation{
+  DataFlow::Node getIterationSizeSrc(){
+    none()
+  }
+
+  DataFlow::Node getSaltConfigSrc(){
+    none()
+  }
+
+  DataFlow::Node getHashConfigSrc(){
+    none()
+  }
+
+  // TODO: get encryption algorithm for CBC-based KDF?
+
+  DataFlow::Node getDerivedKeySizeSrc(){
+    none()
+  }
+
+  DataFlow::Node getModeSrc(){
+    none()
+  }
+
+  // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
+
+  abstract predicate requiresIteration();
+  abstract predicate requiresSalt();
+  abstract predicate requiresHash();
+  //abstract predicate requiresKeySize(); // Going to assume all requires a size
+  abstract predicate requiresMode();
+
+}
+
+/**
+ * A parent class to represent any algorithm for which
+ * asymmetric cryptography is involved.
+ * Intended to be distinct from AsymmetricEncryptionAlgorithm
+ * which is intended only for asymmetric algorithms that specifically encrypt. 
+ */
+abstract class AsymmetricAlgorithm extends CryptographicAlgorithm{}
+
+
+abstract class EncryptionAlgorithm extends CryptographicAlgorithm
+{ 
+  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
+  final predicate isSymmetric() { not this.isAsymmetric() }
+
+  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
+  //       class does not have this common predicate.
+}
+
+
+/**
+ * Algorithms directly or indirectly related to asymmetric encryption,
+ * e.g., RSA, DSA, but also RSA padding algorithms
+ */
+abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm{
+  final string getEncryptionName(){
+    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
+    then (isAsymmetricEncryptionAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+/**
+ * Algorithms directly or indirectly related to symmetric encryption,
+ * e.g., AES, DES, but also block modes and padding
+ */
+abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm
+{ 
+  final string getEncryptionName(){
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then (isSymmetricEncryptionAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+  // TODO: add a stream cipher predicate?
+}
+
+// Used only to categorize all padding into a single object,
+// DO_NOT add predicates here. Only for categorization purposes. 
+abstract class PaddingAlgorithm extends CryptographicAlgorithm{}
+
+abstract class SymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName(){
+    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
+    then (isSymmetricPaddingAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class AsymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName(){
+    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
+    then (isAsymmetricPaddingAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm{
+  final string getCurveName(){
+    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
+    then (isEllipticCurveAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+
+  final int getCurveBitSize(){
+    isEllipticCurveAlgorithm(this.getCurveName(), result)
+  }
+}
+
+abstract class BlockMode extends CryptographicAlgorithm{
+  final string getBlockModeName(){
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then (isCipherBlockModeAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+
+  /**
+   * Gets the source of the IV configuration. 
+   */
+  abstract DataFlow::Node getIVorNonce();
+
+  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+}
+
+abstract class KeyWrapOperation extends CryptographicOperation{
+}
+
+abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm{
+  final string getAuthticatedEncryptionName(){
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then (isSymmetricEncryptionAlgorithm(result) and result = this.getName()) 
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm{
+  final string getKeyExchangeName(){
+    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
+    then (isKeyExchangeAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class SigningAlgorithm extends AsymmetricAlgorithm{
+  final string getSigningName(){
+    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
+    then (isSignatureAlgorithm(result) and result = this.getName())
+    else result = unknownAlgorithm()
+  }
+}
+

python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll

@@ -0,0 +1,258 @@
+import python
+import semmle.python.ApiGraphs
+import experimental.cryptography.CryptoArtifact
+private import experimental.cryptography.utils.Utils as Utils
+private import experimental.cryptography.CryptoAlgorithmNames 
+
+/**
+ * `hashlib` is a ptyhon standard library module for hashing algorithms.
+ *    https://docs.python.org/3/library/hashlib.html
+ * This is an abstract class to reference all hashlib artifacts.
+ */
+// -----------------------------------------------
+// Hash Artifacts
+// -----------------------------------------------
+ module Hashes{
+
+
+  /**
+   * Represents a hash algorithm used by `hashlib.new`, where the hash algorithm is a string in the first argument.
+   */
+  class HashlibNewHashAlgorithm extends HashAlgorithm
+  {
+    HashlibNewHashAlgorithm(){
+      this = Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib").getMember("new").getACall().getParameter(0, "name"))
+    }
+    
+    override string getName(){
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN
+      (not this.asExpr() instanceof StrConst and result = unknownAlgorithm())
+    }
+  }
+
+  /**
+   * Identifies hashlib.pbdkf2_hmac calls, identifying the hash algorithm used
+   * in the hmac (matching kdf is handled separately by `HashlibPbkdf2HMACArtifact`).
+   * 
+   *   https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
+   */
+  class HashlibPbkdf2HMACHashAlgorithm extends HashAlgorithm
+  {
+    HashlibPbkdf2HMACHashAlgorithm(){
+      this = Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib").getMember("pbkdf2_hmac").getACall().getParameter(0, "hash_name"))
+    }
+
+    override string getName(){
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN
+      (not this.asExpr() instanceof StrConst and result = unknownAlgorithm())
+    }
+
+  }
+
+  /**
+   *  Gets a call to `hashlib.file_digest` where the hash algorithm is the first argument in `digest`
+   * `nameSrc` is the source of the first argument.
+   * 
+   *    https://docs.python.org/3/library/hashlib.html#hashlib.file_digest
+   *  
+   *  NOTE: the digest argument can be, in addition to a string,
+   *  a callable that returns a hash object or a hash constructor.
+   *  These cases are not considered here since they would be detected separately. 
+   *  Specifically, other non-string cases are themselves considered sources for alerts, e.g., 
+   *  references to hashlib.sha512 is found by `HashlibMemberAlgorithm`.
+   *  The only exception is if the source is not a string constant or HashlibMemberAlgorithm.
+   *  In these cases, the algorithm is considered 'UNKNOWN'.
+   * 
+
+   */
+  class HashlibFileDigestAlgorithm extends HashAlgorithm
+  {
+    HashlibFileDigestAlgorithm(){
+      this = Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib").getMember("file_digest").getACall().getParameter(1, "digest"))
+      and
+      // Ignore sources that are hash constructors, allow `HashlibMemberAlgorithm` to detect these
+      this != hashlibMemberHashAlgorithm(_)
+      // Ignore sources that are HMAC objects, to be handled by HmacModule
+      and
+      this != API::moduleImport("hmac").getMember("new").getACall()
+      and  
+      this != API::moduleImport("hmac").getMember("HMAC").getACall()
+      
+    }
+
+    override string getName(){
+      // Name is a string constant or consider the name unknown
+      // NOTE: we are excluding hmac.new and hmac.HMAC constructor calls so we are expecting
+      //      a string or an outside configuration only 
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      (
+        not this.asExpr() instanceof StrConst
+        and
+        result = unknownAlgorithm()
+      )
+    }
+  }
+
+  /**
+  * Gets a member access of hashlib that is an algorithm invocation.
+  * `hashName` is the name of the hash algorithm.
+  * 
+  * Note: oringally a variant of this predicate was in codeql/github/main 
+  *       to a predicate to avoid a bad join order.
+  */
+  pragma[nomagic] // Copying use of nomagic from similar predicate in codeql/main
+   DataFlow::Node hashlibMemberHashAlgorithm(string hashName) {
+    result = API::moduleImport("hashlib").getMember(hashName).asSource() and
+    // Don't matches known non-hash members
+    not hashName in   ["new", "pbkdf2_hmac", "algorithms_available", 
+        "algorithms_guaranteed", "file_digest"] 
+    // Don't match things like __file__
+    and not hashName.regexpMatch("_.*")
+  }
+
+  /**
+   *  Identifies hashing algorithm members (i.e., functions) of the `hashlib` module,
+   *  e.g., `hashlib.sha512`.
+   */ 
+  class HashlibMemberAlgorithm extends HashAlgorithm
+  {
+    HashlibMemberAlgorithm(){
+      this = hashlibMemberHashAlgorithm(_)
+    }
+
+    override string getName(){
+      exists(string rawName | 
+        result = super.normalizeName(rawName) and this = hashlibMemberHashAlgorithm(rawName)
+        )
+    }
+  }
+}
+// -----------------------------------------------
+// Key Derivation Functions
+// -----------------------------------------------
+ module KDF{
+
+  // NOTE: Only finds the params of `pbkdf2_hmac` that are non-optional
+  //       dk_len is optional, i.e., can be None, and if addressed in this predicate
+  //       would result in an unsatisfiable predicate. 
+  predicate hashlibPBDKF2HMACKDFRequiredParams(HashlibPbkdf2HMACOperation kdf, 
+    API::Node hashParam, API::Node saltParam, API::Node iterationParam){
+    kdf.getParameter(0, "hash_name") = hashParam and
+    kdf.getParameter(2, "salt") = saltParam and
+    kdf.getParameter(3, "iterations") = iterationParam 
+  }
+
+  predicate hashlibPBDKF2HMACKDFOptionalParams(HashlibPbkdf2HMACOperation kdf, API::Node keylenParam){
+    kdf.getParameter(4, "dklen") = keylenParam
+  }
+
+  /**
+   * Identifies kery derivation function hashlib.pbdkf2_hmac accesses.
+   *   https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
+   */
+  class HashlibPbkdf2HMACOperation extends KeyDerivationAlgorithm, KeyDerivationOperation
+  {
+    HashlibPbkdf2HMACOperation(){
+      this = API::moduleImport("hashlib").getMember("pbkdf2_hmac").getACall()
+    }
+
+    override string getName(){
+      result = super.normalizeName("pbkdf2_hmac")
+    }
+
+    override DataFlow::Node getIterationSizeSrc(){
+      exists(API::Node it |  hashlibPBDKF2HMACKDFRequiredParams(this, _, _, it) |
+        result = Utils::getUltimateSrcFromApiNode(it)
+      )
+    }
+
+    override DataFlow::Node getSaltConfigSrc(){
+      exists(API::Node s |  hashlibPBDKF2HMACKDFRequiredParams(this, _, s, _) |
+        result = Utils::getUltimateSrcFromApiNode(s)
+      )
+    }
+  
+    override DataFlow::Node getHashConfigSrc(){
+      exists(API::Node h |  hashlibPBDKF2HMACKDFRequiredParams(this,h,_,_) |
+        result = Utils::getUltimateSrcFromApiNode(h)
+      )
+    }
+  
+    override DataFlow::Node getDerivedKeySizeSrc(){
+      exists(API::Node dk |  hashlibPBDKF2HMACKDFOptionalParams(this,dk) |
+        result = Utils::getUltimateSrcFromApiNode(dk)
+      )
+    }
+
+    // TODO: if DK is none, then the length is based on the hash type, if hash length not known, must call this unknown
+    //    The issue is the src is what we model not the size
+    //    For now, we are not modeling this and are relying on the fact that the accepted hashes are of accepted length.
+    //    I.e., any query looking at length will ignore cases where it is unknown
+
+    override KeyDerivationAlgorithm getAlgorithm(){
+      result = this
+    }
+
+    override predicate requiresHash(){ any() }
+
+    override predicate requiresMode(){none()}
+
+    override predicate requiresSalt(){any()}
+
+    override predicate requiresIteration(){any()}
+  }
+
+
+  // TODO: better modeling of scrypt
+
+  /**
+   * Identifies key derivation fucntion hashlib.scrypt accesses.
+   */
+  class HashlibScryptAlgorithm extends KeyDerivationAlgorithm, KeyDerivationOperation
+  {
+    HashlibScryptAlgorithm(){
+      this = API::moduleImport("hashlib").getMember("scrypt").getACall()
+    }
+
+    override string getName(){
+      result = super.normalizeName("scrypt")
+    }
+
+    override DataFlow::Node getIterationSizeSrc(){
+      none()
+    }
+
+    override DataFlow::Node getSaltConfigSrc(){
+      // TODO: need to address getting salt from params, unsure how this works in CodeQL
+      // since the signature is defined as hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64)
+      // What position is 'salt' then such that we can reliably extract it?
+      none()
+    }
+  
+    override DataFlow::Node getHashConfigSrc(){
+      none()
+    }
+  
+    override DataFlow::Node getDerivedKeySizeSrc(){
+      //TODO: see comment for getSaltConfigSrc above
+      none()
+    }
+
+    override KeyDerivationAlgorithm getAlgorithm(){
+      result = this
+    }
+
+    override predicate requiresHash(){ none() }
+
+    override predicate requiresMode(){none()}
+
+    override predicate requiresSalt(){any()}
+
+    override predicate requiresIteration(){none()}
+  }
+}

python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll

@@ -0,0 +1,80 @@
+import python
+import semmle.python.ApiGraphs
+import experimental.cryptography.CryptoArtifact
+private import experimental.cryptography.utils.Utils as Utils
+private import experimental.cryptography.CryptoAlgorithmNames
+private import experimental.cryptography.modules.stdlib.HashlibModule as HashlibModule
+
+/**
+ * `hmac` is a ptyhon standard library module for key-based hashing algorithms.
+ *    https://docs.python.org/3/library/hmac.html
+ */
+
+// -----------------------------------------------
+// Hash Artifacts
+// -----------------------------------------------
+module Hashes{
+
+  class GenericHmacHashCall extends API::CallNode
+  {
+    GenericHmacHashCall(){
+      this = API::moduleImport("hmac").getMember("new").getACall()
+      or  this = API::moduleImport("hmac").getMember("HMAC").getACall()
+      or this = API::moduleImport("hmac").getMember("digest").getACall()
+    }
+  }
+
+
+   DataFlow::Node getDigestModParamSrc(GenericHmacHashCall call){
+    result = Utils::getUltimateSrcFromApiNode(call.(API::CallNode).getParameter(2, "digestmod"))
+  }
+
+  /**
+   * This class captures the common behavior for all HMAC operations:
+   *    hmac.HMAC     https://docs.python.org/3/library/hmac.html#hmac.HMAC
+   *    hmac.new      https://docs.python.org/3/library/hmac.html#hmac.new
+   *    hmac.digest   https://docs.python.org/3/library/hmac.html#hmac.digest
+   * These operations commonly set the algorithm as a string in the third argument (`digestmod`) 
+   * of the operation itself.
+   * 
+   * NOTE: `digestmod` is the digest name, digest constructor or module for the HMAC object to use, however
+   *    this class only identifies string names. The other forms are found by CryptopgraphicArtifacts,
+   *    modeled in `HmacHMACConsArtifact` and `Hashlib.qll`, specifically through hashlib.new and 
+   *    direct member accesses (e.g., hashlib.md5).
+   * 
+   * Where no `digestmod` exists, the algorithm is assumed to be `md5` per the docs found here:
+   *  https://docs.python.org/3/library/hmac.html#hmac.new
+   * 
+   * Where `digestmod` exists but is not a string and not a hashlib algorithm, it is assumed
+   * to be `UNKNOWN`. Note this includes cases wheere the digest is provided as a `A module supporting PEP 247.`
+   * Such modules are currently not modeled. 
+   */
+  class HmacGenericAlgorithm extends HashAlgorithm {
+
+    HmacGenericAlgorithm(){
+      exists(GenericHmacHashCall c | 
+        if not exists(getDigestModParamSrc(c))
+        then this = c
+        else this = getDigestModParamSrc(c)
+      )
+      and
+      // Ignore case where the algorithm is a hashlib algorithm, rely on `HashlibMemberAlgorithm` to catch these cases
+      not this instanceof HashlibModule::Hashes::HashlibMemberAlgorithm
+      // NOTE: the docs say the digest can be `A module supporting PEP 247.`, however, this is not modeled, and will be considered UNKNOWN
+    }
+
+    override string getName(){
+      // when the this is a generic hmac call
+      // it means the algorithm parameter was not identified, assume the default case of 'md5' (per the docs)
+      if  this instanceof GenericHmacHashCall
+      then result = super.normalizeName("MD5")
+      else 
+      (
+        // Else get the string name, if its a string constant, or UNKNOWN if otherwise
+        result = super.normalizeName(this.asExpr().(StrConst).getText())
+        or
+        (not this.asExpr() instanceof StrConst and result = unknownAlgorithm())
+      )
+    }
+  }
+}

python/ql/lib/experimental/cryptography/utils/CallCfgNodeWithTarget.qll

@@ -0,0 +1,15 @@
+/**
+ * Patches all DataFlow::CallCfgNode adding a getTarget predicate to a new 
+ * subclass of CallCfgNode
+ */
+
+import python
+private import semmle.python.dataflow.new.internal.TypeTrackerSpecific
+private import semmle.python.ApiGraphs
+
+class CallCfgNodeWithTarget extends DataFlow::Node instanceof DataFlow::CallCfgNode{
+
+ DataFlow::Node getTarget(){
+  returnStep(result, this) 
+ }
+}

python/ql/lib/experimental/cryptography/utils/Utils.qll

@@ -0,0 +1,28 @@
+import python
+private import semmle.python.ApiGraphs
+private import experimental.cryptography.utils.CallCfgNodeWithTarget
+/**
+ * Gets an ultimate local source (not a source in a library)
+ */
+DataFlow::Node getUltimateSrcFromApiNode(API::Node n){
+ result = n.getAValueReachingSink()
+ and 
+ (
+    // the result is a call to a library only
+    (
+      result instanceof CallCfgNodeWithTarget and
+      not result.(CallCfgNodeWithTarget).getTarget().asExpr().getEnclosingModule().inSource()
+    )
+    // the result is not a call, and not a function signataure or parameter
+    or
+    (
+      not result instanceof CallCfgNodeWithTarget
+      and
+      not result instanceof DataFlow::ParameterNode
+      and
+      not result.asExpr() instanceof FunctionExpr
+      and
+      result.asExpr().getEnclosingModule().inSource()
+    )
+ )
+}

python/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Unknown key generation key size
+ * @description 
+ * @id py/unknown-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node configSrc, string algName
+where 
+not op.hasKeySize(configSrc) and
+configSrc = op.getKeyConfigSrc() and 
+algName = op.getAlgorithm().getName()
+select op, "Non-statically verifiable key size used for key generation for algorithm " + algName.toString() + " at config source $@", 
+ configSrc, configSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Weak key generation key size (< 2048 bits)
+ * @description 
+ * @id py/weak-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *     external/cwe/cwe-326
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node configSrc, int keySize, string algName
+where 
+keySize = op.getKeySizeInBits(configSrc)
+and keySize < 2048
+and algName = op.getAlgorithm().getName()
+// Can't be an elliptic curve
+and not isEllipticCurveAlgorithm(algName, _) 
+select op, "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " + algName.toString() +" at config source $@", 
+  configSrc, configSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricPadding.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Weak or unknown asymmetric padding
+ * @description 
+ * @id py/weak-asymmetric-padding
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricPadding pad, string name
+where 
+name = pad.getPaddingName() and
+not name = ["OAEP", "KEM", "PSS"]
+select pad, "Use of unapproved, weak, or unknown asymmetric padding algorithm or API: " + name

python/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql

@@ -0,0 +1,49 @@
+/**
+ * @name Weak block mode
+ * @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted.
+ * @id py/weak-block-mode
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+ import python
+ import experimental.cryptography.Concepts
+
+
+ from CryptographicArtifact op, string msg
+ where 
+// False positive hack, some projects are directly including all of cryptography, 
+// filter any match that is in cryptography/hazmat
+// Specifically happening for ECB being used in keywrap operations internally to the cryptography keywrap/unwrap API
+not op.asExpr().getLocation().getFile().getAbsolutePath().toString().matches("%cryptography/hazmat/%") and
+(
+  (
+    op instanceof BlockMode and
+    // ECB is only allowed for KeyWrapOperations, i.e., only alert on ECB is not a KeyWrapOperation
+    (op.(BlockMode).getBlockModeName() = "ECB" implies not op instanceof KeyWrapOperation)
+    and
+      exists(string name | name = op.(BlockMode).getBlockModeName() |
+        // Only CBC, CTS, XTS modes are allowed. 
+        //  https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.Cryptography.10002
+        not name = ["CBC","CTS","XTS"] and
+        if name = unknownAlgorithm()
+        then msg = "Use of unrecognized block mode algorithm." 
+        else if name in ["GCM", "CCM"]
+        then msg = "Use of block mode algorithm " + name + " requires special crypto board approval/review."
+        else msg = "Use of unapproved block mode algorithm or API " + name + "."
+      )
+  )
+  or
+  (
+    op instanceof SymmetricCipher and 
+    not op.(SymmetricCipher).hasBlockMode() and
+    msg = "Cipher has unspecified block mode algorithm."
+  )
+)
+select op, msg
+
+
+ 

python/ql/src/experimental/cryptography/example_alerts/WeakBlockModeIVorNonce.ql

@@ -0,0 +1,36 @@
+/**
+ * @name Weak block mode IV or nonce
+ * @description Finds initialization vectors or nonces used by block modes that are weak, obsolete, or otherwise unaccepted.
+ *              Looks for IVs or nonces that are not generated by a cryptographically secure random number generator
+ *              
+ *            NOTE: for simplicity, if an IV or nonce is not known or not form os.urandom it is flagged. 
+ *                  More specific considerations, such as correct use of nonces are currently not handled. 
+ *                  In particular, GCM requires the use of a nonce. Using urandom is possible but may still be configured 
+ *                  incorrectly. We currently assume that GCM is flagged as a block mode regardless through a separate
+ *                  query, and such uses will need to be reivewed by the crypto board. 
+ *              
+ *                  Additionally, some functions, which infer a mode and IV may be flagged by this query.
+ *                  For now, we will rely on users suppressing these cases rather than filtering them out.
+ *                  The exception is Fernet, which is explicitly ignored since it's implementation uses os.urandom.
+ * 
+ * @id py/weak-block-mode-iv-or-nonce
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode op, string msg, DataFlow::Node conf
+where 
+not op instanceof CryptographyModule::Encryption::SymmetricEncryption::Fernet::CryptographyFernet and
+(not op.hasIVorNonce() or not API::moduleImport("os").getMember("urandom").getACall() = op.getIVorNonce())
+and 
+if not op.hasIVorNonce()
+then conf = op and msg = "Block mode is missing IV/Nonce initialization."
+else conf = op.getIVorNonce() and msg = "Block mode is not using an accepted IV/Nonce initialization: $@"
+select op, msg, conf, conf.toString()
+

python/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql

@@ -0,0 +1,32 @@
+/**
+ * @name Weak elliptic curve
+ * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak.
+ * @id py/weak-elliptic-curve
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+import python
+import experimental.cryptography.Concepts
+
+from EllipticCurveAlgorithm op, string msg, string name
+where 
+(
+      (name = op.getCurveName() and name = unknownAlgorithm() and msg = "Use of unrecognized curve algorithm.")
+      or
+      (
+            name != unknownAlgorithm() and
+            name = op.getCurveName() and
+            not name = ["SECP256R1", "PRIME256V1",//P-256
+                  "SECP384R1",        //P-384
+                  "SECP521R1",       //P-521
+                  "NUMSP256T1",
+                  "NUMSP384T1",
+                  "NUMSP512T1",
+                  "ED25519", "X25519"] and
+            msg = "Use of weak curve algorithm " + name + "."
+      )
+)
+select op, msg

python/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Weak hashes
+ * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak.
+ * @id py/weak-hashes
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from HashAlgorithm op, string name, string msg
+where 
+name = op.getHashName() and 
+not name = ["SHA256", "SHA384", "SHA512"] and
+if name = unknownAlgorithm()
+then msg = "Use of unrecognized hash algorithm." 
+else msg = "Use of unapproved hash algorithm or API " + name + "."
+select op, msg

python/ql/src/experimental/cryptography/example_alerts/WeakKDFAlgorithm.ql

@@ -0,0 +1,19 @@
+
+/**
+ * @name  Weak KDF algorithm.
+ * @description Approved KDF algorithms must one of the following
+ *  ["PBKDF2" , "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "CONCATKDF", "CONCATKDFHASH"]
+ * @assumption The value being used to derive a key (either a key or a password) is correct for the algorithm (i.e., a key is used for KBKDF and a password for PBKDF).
+ * @kind problem
+ * @id py/weak-kdf-algorithm
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+
+from KeyDerivationAlgorithm op 
+where 
+not op.getKDFName() = ["PBKDF2" , "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "KBKDFCMAC", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC"]
+select op, "Use of unapproved, weak, or unknown key derivation algorithm or API."

python/ql/src/experimental/cryptography/example_alerts/WeakKDFIteration.ql

@@ -0,0 +1,35 @@
+/**
+ * @name Use iteration count at least 100k to prevent brute force attacks
+ * @description When deriving cryptographic keys from user-provided inputs such as password, 
+ * use sufficient iteration count (at least 100k).
+ * 
+ * This query will alert if the iteration count is less than 10000 (i.e., a constant <100000 is observed)
+ * or if the source for the iteration count is not known statically. 
+
+ * @kind problem
+ * @id py/kdf-low-iteration-count
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, string msg, DataFlow::Node iterConfSrc
+where 
+op.requiresIteration() and
+iterConfSrc = op.getIterationSizeSrc() and
+(
+ (
+  exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) 
+  and iterConfSrc.asExpr().(IntegerLiteral).getValue()< 10000
+  and msg = "Iteration count is too low. "
+ )
+ or
+ (
+  not exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) 
+  and msg = "Iteration count is not a statically verifiable size. "
+ )
+)
+select op, msg + "Iteration count must be a minimum of 10000. Iteration Config: $@", iterConfSrc.asExpr(), iterConfSrc.asExpr().toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFKeyLength.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Small KDF derived key length.
+ * @description KDF derived keys should be a minimum of 128 bits (16 bytes).
+ * @assumption If the key length is not explicitly provided (e.g., it is None or otherwise not specified) assumes the length is derived from the hash length. 
+ * @assumption The query assumes only hashes with adequately sized lengths are chosen ("SHA256", "SHA384", "SHA512"), not verified here.
+ * This alerts if a constant traces to to a key length sink less than 128-bits or
+ * if the value that traces to a key length sink is not known statically. If the value is None or does not exist, we will assume the length
+ * is from the hash length, and again assume other queries will assess that those are of sufficient quality (length).
+ * @kind problem
+ * @id py/kdf-small-key-size
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, string msg, DataFlow::Node derivedKeySizeSrc
+where 
+// NOTE/ASSUMPTION: if the key size is not specified or explicitly None, it is common that the size is derived from the hash used.
+//       The only acceptable hashes are currently "SHA256", "SHA384", "SHA512", which are all large enough.
+//       We will currently rely on other acceptable hash queries therefore to determine if the size is 
+//       is sufficient where the key is not specified. 
+derivedKeySizeSrc = op.getDerivedKeySizeSrc() and not derivedKeySizeSrc.asExpr() instanceof None and
+(
+ (
+  exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) 
+  and derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue() < 16
+  and msg = "Derived key size is too small. "
+ )
+ or
+ (
+  not exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) 
+  and msg = "Derived key size is not a statically verifiable size. "
+ )
+)
+select op, msg + "Derived key size must be a minimum of 16 (bytes). Derived Key Size Config: $@", derivedKeySizeSrc.asExpr(), derivedKeySizeSrc.asExpr().toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFMode.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Weak KDF Modee
+ * @description KDF mode, if specified, must be CounterMode
+ * @kind problem
+ * @id py/kdf-weak-mode
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+
+from KeyDerivationOperation op, DataFlow::Node modeConfSrc
+where 
+op.requiresMode()
+and modeConfSrc = op.getModeSrc()
+and not modeConfSrc = API::moduleImport("cryptography")
+ .getMember("hazmat")
+ .getMember("primitives")
+ .getMember("kdf")
+ .getMember("kbkdf")
+ .getMember("Mode")
+ .getMember("CounterMode").asSource()
+select op, "Key derivation mode is not set to CounterMode. Mode Config: $@", modeConfSrc, modeConfSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltGen.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Weak KDF salt generation.
+ * @description KDF salts must be generated by an approved random number generator (os.urandom)
+ * @kind problem
+ * @id py/kdf-weak-salt-gen
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, DataFlow::Node saltSrc
+where 
+op.requiresSalt()
+and not API::moduleImport("os").getMember("urandom").getACall() = saltSrc
+and saltSrc = op.getSaltConfigSrc()
+select op, "Salt configuration is not from an accepted random source: $@. Must be os.urandom", saltSrc, saltSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltSize.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Small KDF salt length.
+ * @description KDF salts should be a minimum of 128 bits (16 bytes).
+ * 
+ * This alerts if a constant traces to to a salt length sink less than 128-bits or
+ * if the value that traces to a salt length sink is not known statically. 
+ * @kind problem
+ * @id py/kdf-small-salt-size
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, DataFlow::Node randConfSrc, API::CallNode call, string msg
+where 
+op.requiresSalt() and
+ API::moduleImport("os").getMember("urandom").getACall() = call 
+ and call = op.getSaltConfigSrc() 
+ and randConfSrc = Utils::getUltimateSrcFromApiNode(call.getParameter(0, "size")) 
+ and
+ (
+  (not exists(randConfSrc.asExpr().(IntegerLiteral).getValue()) and msg = "Salt config is not a statically verifiable size. ")
+  or
+  (randConfSrc.asExpr().(IntegerLiteral).getValue() < 16 and msg = "Salt config is insufficiently large. ")
+ )
+select op, msg + "Salt size must be a minimum of 16 (bytes). os.urandom Config: $@, Size Config: $@", call, call.toString(), randConfSrc, randConfSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakSymmetricEncryption.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Weak symmetric encryption algorithm
+ * @description Finds uses of symmetric cryptography algorithms that are weak, obsolete, or otherwise unaccepted.
+    
+ *              The key lengths allowed are 128, 192, and 256 bits. These are all the key lengths supported by AES, so any 
+ *              application of AES is considered acceptable.
+ * 
+ * @id py/weak-symmetric-encryption
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+
+import python
+import experimental.cryptography.Concepts
+
+from
+  SymmetricEncryptionAlgorithm op, string name, string msg
+where
+name = op.getEncryptionName() and
+not name = ["AES","AES128", "AES192", "AES256"] and
+if name = unknownAlgorithm()
+then msg = "Use of unrecognized symmetric encryption algorithm." 
+else msg = "Use of unapproved symmetric encryption algorithm or API " + name + "."
+select op, msg
+

python/ql/src/experimental/cryptography/inventory/AllAsymmetricAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name All Asymmetric Algorithms
+ * @description Finds all potential usage of asymmeric keys (RSA & ECC) using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-asymmetric-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/AllCryptoAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name All Cryptographic Algorithms
+ * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-cryptographic-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from CryptographicAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/AsymmetricEncryptionAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Asymmetric Encryption Algorithms
+ * @description Finds all potential usage of asymmeric keys for encryption or key exchange using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-asymmetric-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getEncryptionName()

python/ql/src/experimental/cryptography/inventory/AsymmetricKeyGenOperation.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Known asymmetric key source generation
+ * @description Finds all known potential sources for asymmetric key generation while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/asymmetric-key-generation
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node confSrc
+where op.getKeyConfigSrc() = confSrc
+select op,
+  "Asymmetric key generation for algorithm " + op.getAlgorithm().getName() +
+    " with key config source $@", confSrc, confSrc.toString()

python/ql/src/experimental/cryptography/inventory/AsymmetricPaddingAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Asymmetric Padding Schemes
+ * @description Finds all potential usage of padding schemes used with asymmeric algorithms.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/asymmetric-padding-schemes
+ * @problem.severity error
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricPadding alg
+select alg, "Use of algorithm " + alg.getPaddingName()

python/ql/src/experimental/cryptography/inventory/AuthenticatedEncryptionAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Authenticated Encryption Algorithms
+ * @description Finds all potential usage of authenticated encryption schemes using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/authenticated-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AuthenticatedEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getAuthticatedEncryptionName()

python/ql/src/experimental/cryptography/inventory/BlockModeAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Block cipher mode of operation
+ * @description Finds all potential block cipher modes of operations using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/block-cipher-mode
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+select alg, "Use of algorithm " + alg.getBlockModeName()

python/ql/src/experimental/cryptography/inventory/BlockModeKnownIVsOrNonces.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Initialization Vector (IV) or nonces
+ * @description Finds all potential sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/iv-sources
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+select alg.getIVorNonce().asExpr(), "Block mode IV/Nonce source"

python/ql/src/experimental/cryptography/inventory/BlockModeUnknownIVsOrNonces.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Unknown Initialization Vector (IV) or nonces
+ * @description Finds all potentially unknown sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/unkown-iv-sources
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+where not alg.hasIVorNonce()
+select alg, "Block mode with unknown IV or Nonce configuration"

python/ql/src/experimental/cryptography/inventory/EllipticCurveAlgorithms.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Elliptic Curve Algorithms
+ * @description Finds all potential usage of elliptic curve algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/elliptic-curve-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from EllipticCurveAlgorithm alg
+select alg,
+  "Use of algorithm " + alg.getCurveName() + " with key size (in bits) " +
+    alg.getCurveBitSize().toString()

python/ql/src/experimental/cryptography/inventory/HashingAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Hash Algorithms
+ * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/hash-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from HashAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/KeyDerivationAlgorithms.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Key Derivation Algorithms
+ * @description Finds all potential usage of key derivation using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/key-derivation
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from KeyDerivationOperation op
+// TODO: pull out all configuration from the operation?
+select op,
+  "Use of key derivation algorithm " + op.getAlgorithm().(KeyDerivationAlgorithm).getKDFName()

python/ql/src/experimental/cryptography/inventory/KeyExchangeAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Key Exchange Algorithms
+ * @description Finds all potential usage of key exchange using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/key-exchange
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from KeyExchangeAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/SigningAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Signing Algorithms
+ * @description Finds all potential usage of signing algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/signing-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SigningAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/SymmetricEncryptionAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Symmetric Encryption Algorithms
+ * @description Finds all potential usage of symmetric encryption algorithms using the supported libraries.
+ * @kind problem
+ * @id cpp/quantum-readiness/cbom/symmetric-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SymmetricEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getEncryptionName()

python/ql/src/experimental/cryptography/inventory/SymmetricPaddingAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Symmetric Padding Schemes
+ * @description Finds all potential usage of padding schemes used with symmeric algorithms.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/symmetric-padding-schemes
+ * @problem.severity error
+ * @tags security
+ *       cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SymmetricPadding alg
+select alg, "Use of algorithm " + alg.getPaddingName()