Adjusted sources and sanitizer of UnsafeCertTrust taint tracking config

java/ql/lib/semmle/code/java/security/Encryption.qll

@@ -122,6 +122,30 @@ class SetDefaultHostnameVerifierMethod extends Method {
   }
 }
 
+/** The `beginHandshake` method of the class `javax.net.ssl.SSLEngine`. */
+class BeginHandshakeMethod extends Method {
+  BeginHandshakeMethod() {
+    this.hasName("beginHandshake") and
+    this.getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
+/** The `wrap` method of the class `javax.net.ssl.SSLEngine`. */
+class SslWrapMethod extends Method {
+  SslWrapMethod() {
+    this.hasName("wrap") and
+    this.getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
+/** The `unwrap` method of the class `javax.net.ssl.SSLEngine`. */
+class SslUnwrapMethod extends Method {
+  SslUnwrapMethod() {
+    this.hasName("unwrap") and
+    this.getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
 /** The `getSession` method of the class `javax.net.ssl.SSLSession`.select */
 class GetSslSessionMethod extends Method {
   GetSslSessionMethod() {

java/ql/lib/semmle/code/java/security/UnsafeCertTrust.qll

@@ -8,6 +8,7 @@ private import semmle.code.java.dataflow.DataFlow2
 
 /**
  * The creation of an object that prepares an SSL connection.
+ *
  * This is a source for `SslEndpointIdentificationFlowConfig`.
  */
 class SslConnectionInit extends DataFlow::Node {
@@ -19,12 +20,15 @@ class SslConnectionInit extends DataFlow::Node {
 
 /**
  * A call to a method that establishes an SSL connection.
+ *
  * This is a sink for `SslEndpointIdentificationFlowConfig`.
  */
 class SslConnectionCreation extends DataFlow::Node {
   SslConnectionCreation() {
     exists(MethodAccess ma, Method m |
-      m instanceof GetSslSessionMethod or
+      m instanceof BeginHandshakeMethod or
+      m instanceof SslWrapMethod or
+      m instanceof SslUnwrapMethod or
       m instanceof SocketConnectMethod
     |
       ma.getMethod() = m and
@@ -44,10 +48,16 @@ class SslConnectionCreation extends DataFlow::Node {
 }
 
 /**
- * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
+ * An SSL object that correctly verifies hostnames, or doesn't need to (because e.g. it's a server).
+ *
  * This is a sanitizer for `SslEndpointIdentificationFlowConfig`.
  */
-class SslConnectionWithSafeSslParameters extends DataFlow::Node {
+abstract class SslUnsafeCertTrustSanitizer extends DataFlow::Node { }
+
+/**
+ * An SSL object that was assigned a safe `SSLParameters` object and can be considered safe.
+ */
+private class SslConnectionWithSafeSslParameters extends SslUnsafeCertTrustSanitizer {
   SslConnectionWithSafeSslParameters() {
     exists(SafeSslParametersFlowConfig config, DataFlow::Node safe |
       config.hasFlowTo(safe) and
@@ -56,6 +66,21 @@ class SslConnectionWithSafeSslParameters extends DataFlow::Node {
   }
 }
 
+/**
+ * An `SSLEngine` set in server mode.
+ */
+private class SslEngineServerMode extends SslUnsafeCertTrustSanitizer {
+  SslEngineServerMode() {
+    exists(MethodAccess ma, Method m |
+      m.hasName("setUseClientMode") and
+      m.getDeclaringType().getASupertype*() instanceof SSLEngine and
+      ma.getMethod() = m and
+      ma.getArgument(0).(CompileTimeConstantExpr).getBooleanValue() = false and
+      this = DataFlow::exprNode(ma.getQualifier())
+    )
+  }
+}
+
 /**
  * Holds if the return value of `createSocket` is cast to `SSLSocket`
  * or the qualifier of `createSocket` is an instance of `SSLSocketFactory`.

java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql

@@ -23,7 +23,7 @@ class SslEndpointIdentificationFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SslConnectionWithSafeSslParameters
+    sanitizer instanceof SslUnsafeCertTrustSanitizer
   }
 }
 

java/ql/src/semmle/code/java/security/Encryption.qll

@@ -0,0 +1,373 @@
+/**
+ * Provides predicates and classes relating to encryption in Java.
+ */
+
+import java
+
+class SSLClass extends RefType {
+  SSLClass() {
+    exists(Class c | this.getASupertype*() = c |
+      c.hasQualifiedName("javax.net.ssl", _) or
+      c.hasQualifiedName("javax.rmi.ssl", _)
+    )
+  }
+}
+
+class X509TrustManager extends RefType {
+  X509TrustManager() { this.hasQualifiedName("javax.net.ssl", "X509TrustManager") }
+}
+
+class HttpsURLConnection extends RefType {
+  HttpsURLConnection() { hasQualifiedName("javax.net.ssl", "HttpsURLConnection") }
+}
+
+class SSLSocketFactory extends RefType {
+  SSLSocketFactory() { this.hasQualifiedName("javax.net.ssl", "SSLSocketFactory") }
+}
+
+class SSLContext extends RefType {
+  SSLContext() { hasQualifiedName("javax.net.ssl", "SSLContext") }
+}
+
+/** The `javax.net.ssl.SSLSession` class. */
+class SSLSession extends RefType {
+  SSLSession() { hasQualifiedName("javax.net.ssl", "SSLSession") }
+}
+
+class SSLEngine extends RefType {
+  SSLEngine() { this.hasQualifiedName("javax.net.ssl", "SSLEngine") }
+}
+
+class SSLSocket extends RefType {
+  SSLSocket() { this.hasQualifiedName("javax.net.ssl", "SSLSocket") }
+}
+
+/** The `javax.net.ssl.SSLParameters` class. */
+class SSLParameters extends RefType {
+  SSLParameters() { this.hasQualifiedName("javax.net.ssl", "SSLParameters") }
+}
+
+class HostnameVerifier extends RefType {
+  HostnameVerifier() { hasQualifiedName("javax.net.ssl", "HostnameVerifier") }
+}
+
+/** The Java class `javax.crypto.KeyGenerator`. */
+class KeyGenerator extends RefType {
+  KeyGenerator() { this.hasQualifiedName("javax.crypto", "KeyGenerator") }
+}
+
+/** The Java class `java.security.KeyPairGenerator`. */
+class KeyPairGenerator extends RefType {
+  KeyPairGenerator() { this.hasQualifiedName("java.security", "KeyPairGenerator") }
+}
+
+/** The `verify` method of the class `javax.net.ssl.HostnameVerifier`. */
+class HostnameVerifierVerify extends Method {
+  HostnameVerifierVerify() {
+    hasName("verify") and
+    getDeclaringType().getASupertype*() instanceof HostnameVerifier and
+    getParameterType(0) instanceof TypeString and
+    getParameterType(1) instanceof SSLSession
+  }
+}
+
+class TrustManagerCheckMethod extends Method {
+  TrustManagerCheckMethod() {
+    (this.hasName("checkClientTrusted") or this.hasName("checkServerTrusted")) and
+    this.getDeclaringType().getASupertype*() instanceof X509TrustManager
+  }
+}
+
+class CreateSocket extends Method {
+  CreateSocket() {
+    hasName("createSocket") and
+    getDeclaringType() instanceof SSLSocketFactory
+  }
+}
+
+class GetSocketFactory extends Method {
+  GetSocketFactory() {
+    hasName("getSocketFactory") and
+    getDeclaringType() instanceof SSLContext
+  }
+}
+
+/** The `createSSLEngine` method of the class `javax.net.ssl.SSLContext` */
+class CreateSslEngineMethod extends Method {
+  CreateSslEngineMethod() {
+    this.hasName("createSSLEngine") and
+    this.getDeclaringType() instanceof SSLContext
+  }
+}
+
+class SetConnectionFactoryMethod extends Method {
+  SetConnectionFactoryMethod() {
+    hasName("setSSLSocketFactory") and
+    getDeclaringType().getASupertype*() instanceof HttpsURLConnection
+  }
+}
+
+class SetHostnameVerifierMethod extends Method {
+  SetHostnameVerifierMethod() {
+    hasName("setHostnameVerifier") and
+    getDeclaringType().getASupertype*() instanceof HttpsURLConnection
+  }
+}
+
+/** The `setDefaultHostnameVerifier` method of the class `javax.net.ssl.HttpsURLConnection`. */
+class SetDefaultHostnameVerifierMethod extends Method {
+  SetDefaultHostnameVerifierMethod() {
+    hasName("setDefaultHostnameVerifier") and
+    getDeclaringType().getASupertype*() instanceof HttpsURLConnection
+  }
+}
+
+/** The `beginHandshake` method of the class `javax.net.ssl.SSLEngine`. */
+class BeginHandshakeMethod extends Method {
+  BeginHandshakeMethod() {
+    hasName("beginHandshake") and
+    getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
+/** The `wrap` method of the class `javax.net.ssl.SSLEngine`. */
+class SslWrapMethod extends Method {
+  SslWrapMethod() {
+    hasName("wrap") and
+    getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
+/** The `unwrap` method of the class `javax.net.ssl.SSLEngine`. */
+class SslUnwrapMethod extends Method {
+  SslUnwrapMethod() {
+    hasName("unwrap") and
+    getDeclaringType().getASupertype*() instanceof SSLEngine
+  }
+}
+
+bindingset[algorithmString]
+private string algorithmRegex(string algorithmString) {
+  // Algorithms usually appear in names surrounded by characters that are not
+  // alphabetical characters in the same case. This handles the upper and lower
+  // case cases.
+  result =
+    "((^|.*[^A-Z])(" + algorithmString + ")([^A-Z].*|$))" +
+      // or...
+      "|" +
+      // For lowercase, we want to be careful to avoid being confused by camelCase
+      // hence we require two preceding uppercase letters to be sure of a case switch,
+      // or a preceding non-alphabetic character
+      "((^|.*[A-Z]{2}|.*[^a-zA-Z])(" + algorithmString.toLowerCase() + ")([^a-z].*|$))"
+}
+
+/**
+ * Gets the name of an algorithm that is known to be insecure.
+ */
+string getAnInsecureAlgorithmName() {
+  result =
+    [
+      "DES", "RC2", "RC4", "RC5",
+      // ARCFOUR is a variant of RC4
+      "ARCFOUR",
+      // Encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay and other attacks
+      "ECB",
+      // CBC mode of operation with PKCS#5 or PKCS#7 padding is vulnerable to padding oracle attacks
+      "AES/CBC/PKCS[57]Padding"
+    ]
+}
+
+/**
+ * Gets the name of a hash algorithm that is insecure if it is being used for
+ * encryption.
+ */
+string getAnInsecureHashAlgorithmName() {
+  result = "SHA1" or
+  result = "MD5"
+}
+
+private string rankedInsecureAlgorithm(int i) {
+  // In this case we know these are being used for encryption, so we want to match
+  // weak hash algorithms too.
+  result =
+    rank[i](string s | s = getAnInsecureAlgorithmName() or s = getAnInsecureHashAlgorithmName())
+}
+
+private string insecureAlgorithmString(int i) {
+  i = 1 and result = rankedInsecureAlgorithm(i)
+  or
+  result = rankedInsecureAlgorithm(i) + "|" + insecureAlgorithmString(i - 1)
+}
+
+/**
+ * Gets the regular expression used for matching strings that look like they
+ * contain an algorithm that is known to be insecure.
+ */
+string getInsecureAlgorithmRegex() {
+  result = algorithmRegex(insecureAlgorithmString(max(int i | exists(rankedInsecureAlgorithm(i)))))
+}
+
+/**
+ * Gets the name of an algorithm that is known to be secure.
+ */
+string getASecureAlgorithmName() {
+  result =
+    [
+      "RSA", "SHA256", "SHA512", "CCM", "GCM", "AES([^a-zA-Z](?!ECB|CBC/PKCS[57]Padding)).*",
+      "Blowfish", "ECIES"
+    ]
+}
+
+private string rankedSecureAlgorithm(int i) { result = rank[i](getASecureAlgorithmName()) }
+
+private string secureAlgorithmString(int i) {
+  i = 1 and result = rankedSecureAlgorithm(i)
+  or
+  result = rankedSecureAlgorithm(i) + "|" + secureAlgorithmString(i - 1)
+}
+
+/**
+ * Gets a regular expression for matching strings that look like they
+ * contain an algorithm that is known to be secure.
+ */
+string getSecureAlgorithmRegex() {
+  result = algorithmRegex(secureAlgorithmString(max(int i | exists(rankedSecureAlgorithm(i)))))
+}
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getAnInsecureAlgorithmName()`
+ * instead.
+ */
+deprecated string algorithmBlacklist() { result = getAnInsecureAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use
+ * `getAnInsecureHashAlgorithmName()` instead.
+ */
+deprecated string hashAlgorithmBlacklist() { result = getAnInsecureHashAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getInsecureAlgorithmRegex()` instead.
+ */
+deprecated string algorithmBlacklistRegex() { result = getInsecureAlgorithmRegex() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getASecureAlgorithmName()`
+ * instead.
+ */
+deprecated string algorithmWhitelist() { result = getASecureAlgorithmName() }
+
+/**
+ * DEPRECATED: Terminology has been updated. Use `getSecureAlgorithmRegex()` instead.
+ */
+deprecated string algorithmWhitelistRegex() { result = getSecureAlgorithmRegex() }
+
+/**
+ * Any use of a cryptographic element that specifies an encryption
+ * algorithm. For example, methods returning ciphers, decryption methods,
+ * constructors of cipher classes, etc.
+ */
+abstract class CryptoAlgoSpec extends Top {
+  CryptoAlgoSpec() { this instanceof Call }
+
+  abstract Expr getAlgoSpec();
+}
+
+abstract class JavaxCryptoAlgoSpec extends CryptoAlgoSpec { }
+
+class JavaxCryptoCipher extends JavaxCryptoAlgoSpec {
+  JavaxCryptoCipher() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType().getQualifiedName() = "javax.crypto.Cipher" and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
+
+class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec {
+  JavaxCryptoSecretKey() {
+    exists(Constructor c | c.getAReference() = this |
+      c.getDeclaringType().getQualifiedName() = "javax.crypto.spec.SecretKeySpec"
+    )
+  }
+
+  override Expr getAlgoSpec() {
+    exists(ConstructorCall c | c = this |
+      if c.getNumArgument() = 2 then result = c.getArgument(1) else result = c.getArgument(3)
+    )
+  }
+}
+
+class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec {
+  JavaxCryptoKeyGenerator() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType() instanceof KeyGenerator and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
+
+class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec {
+  JavaxCryptoKeyAgreement() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType().getQualifiedName() = "javax.crypto.KeyAgreement" and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
+
+class JavaxCryptoKeyFactory extends JavaxCryptoAlgoSpec {
+  JavaxCryptoKeyFactory() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType().getQualifiedName() = "javax.crypto.SecretKeyFactory" and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}
+
+abstract class JavaSecurityAlgoSpec extends CryptoAlgoSpec { }
+
+class JavaSecurityMessageDigest extends JavaSecurityAlgoSpec {
+  JavaSecurityMessageDigest() {
+    exists(Constructor c | c.getAReference() = this |
+      c.getDeclaringType().hasQualifiedName("java.security", "MessageDigest")
+    )
+    or
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType().hasQualifiedName("java.security", "MessageDigest") and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(Call).getArgument(0) }
+}
+
+class JavaSecuritySignature extends JavaSecurityAlgoSpec {
+  JavaSecuritySignature() {
+    exists(Constructor c | c.getAReference() = this |
+      c.getDeclaringType().getQualifiedName() = "java.security.Signature"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(ConstructorCall).getArgument(0) }
+}
+
+/** A method call to the Java class `java.security.KeyPairGenerator`. */
+class JavaSecurityKeyPairGenerator extends JavaxCryptoAlgoSpec {
+  JavaSecurityKeyPairGenerator() {
+    exists(Method m | m.getAReference() = this |
+      m.getDeclaringType() instanceof KeyPairGenerator and
+      m.getName() = "getInstance"
+    )
+  }
+
+  override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
+}

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.java

@@ -1,5 +1,6 @@
 import java.net.InetSocketAddress;
 import java.net.Socket;
+import java.nio.ByteBuffer;
 import javax.net.SocketFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
@@ -13,41 +14,61 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL engine is set to null
 	 */
-	public void testSSLEngineEndpointIdSetNull() throws java.security.NoSuchAlgorithmException {
+	public void testSSLEngineEndpointIdSetNull() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm(null);
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.getSession(); // $hasUnsafeCertTrust
+		sslEngine.beginHandshake(); // $hasUnsafeCertTrust
+		sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust
+		sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust
 	}
 
 	/**
-	 * Test the endpoint identification of SSL engine is not set
+	 * Test the endpoint identification of SSL engine is set to null
 	 */
-	public void testSSLEngineEndpointIdNotSet() throws java.security.NoSuchAlgorithmException {
+	public void testSSLEngineEndpointIdSetEmpty() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
-		sslEngine.getSession(); // $hasUnsafeCertTrust
+		SSLParameters sslParameters = sslEngine.getSSLParameters();
+		sslParameters.setEndpointIdentificationAlgorithm("");
+		sslEngine.setSSLParameters(sslParameters);
+		sslEngine.beginHandshake(); // $hasUnsafeCertTrust
+		sslEngine.wrap(new ByteBuffer[] {}, null); // $hasUnsafeCertTrust
+		sslEngine.unwrap(null, null, 0, 0); // $hasUnsafeCertTrust
 	}
 
 	/**
 	 * Test the endpoint identification of SSL engine is set to HTTPS
 	 */
-	public void testSSLEngineEndpointIdSafe() throws java.security.NoSuchAlgorithmException {
+	public void testSSLEngineEndpointIdSafe() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLEngine sslEngine = sslContext.createSSLEngine();
 		SSLParameters sslParameters = sslEngine.getSSLParameters();
 		sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
 		sslEngine.setSSLParameters(sslParameters);
-		sslEngine.getSession(); // Safe
+		sslEngine.beginHandshake(); // Safe
+		sslEngine.wrap(new ByteBuffer[] {}, null); // Safe
+		sslEngine.unwrap(null, null, 0, 0); // Safe
+	}
+
+	/**
+	 * Test the endpoint identification of SSL engine is set to HTTPS
+	 */
+	public void testSSLEngineInServerMode() throws Exception {
+		SSLContext sslContext = SSLContext.getInstance("TLS");
+		SSLEngine sslEngine = sslContext.createSSLEngine();
+		sslEngine.setUseClientMode(false);
+		sslEngine.beginHandshake(); // Safe
+		sslEngine.wrap(new ByteBuffer[] {}, null); // Safe
+		sslEngine.unwrap(null, null, 0, 0); // Safe
 	}
 
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketImmediatelyConnects()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketImmediatelyConnects() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
@@ -56,8 +77,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdNotSet()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketEndpointIdNotSet() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
@@ -67,8 +87,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is set to null
 	 */
-	public void testSSLSocketEndpointIdSetNull()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketEndpointIdSetNull() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
@@ -81,8 +100,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is set to empty
 	 */
-	public void testSSLSocketEndpointIdSetEmpty()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketEndpointIdSetEmpty() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
@@ -95,8 +113,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdAfterConnecting()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketEndpointIdAfterConnecting() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket("www.example.com", 443); // $hasUnsafeCertTrust
@@ -108,8 +125,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of SSL socket is not set
 	 */
-	public void testSSLSocketEndpointIdSafe()
-			throws java.security.NoSuchAlgorithmException, java.io.IOException {
+	public void testSSLSocketEndpointIdSafe() throws Exception {
 		SSLContext sslContext = SSLContext.getInstance("TLS");
 		SSLSocketFactory socketFactory = sslContext.getSocketFactory();
 		SSLSocket socket = (SSLSocket) socketFactory.createSocket();
@@ -122,7 +138,7 @@ public class UnsafeCertTrustTest {
 	/**
 	 * Test the endpoint identification of regular socket is not set
 	 */
-	public void testSocketEndpointIdNotSet() throws java.io.IOException {
+	public void testSocketEndpointIdNotSet() throws Exception {
 		SocketFactory socketFactory = SocketFactory.getDefault();
 		Socket socket = socketFactory.createSocket("www.example.com", 80); // Safe
 	}

java/ql/test/query-tests/security/CWE-273/UnsafeCertTrustTest.ql

@@ -12,7 +12,7 @@ class Conf extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof SslConnectionCreation }
 
   override predicate isSanitizer(DataFlow::Node sanitizer) {
-    sanitizer instanceof SslConnectionWithSafeSslParameters
+    sanitizer instanceof SslUnsafeCertTrustSanitizer
   }
 }