Merge pull request #11192 from jcogs33/jcogs33/share-key-sizes

Share encryption key sizes between Java and Python
2026-03-27 01:38:22 +01:00 · 2022-12-07 08:08:24 -05:00
parent 2c08b95430 f54480b7c8
commit 5e694b5983
9 changed files with 100 additions and 21 deletions
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -2,6 +2,7 @@

 private import semmle.code.java.security.Encryption
 private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.security.internal.EncryptionKeySizes

 /** A source for an insufficient key size. */
 abstract class InsufficientKeySizeSource extends DataFlow::Node {
@@ -21,39 +22,67 @@ private module Asymmetric {
  private module NonEllipticCurve {
    /** A source for an insufficient key size used in RSA, DSA, and DH algorithms. */
    private class Source extends InsufficientKeySizeSource {
-      Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
+      string algoName;

-      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+      Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize(algoName) }
+
+      override predicate hasState(DataFlow::FlowState state) {
+        state = getMinKeySize(algoName).toString()
+      }
    }

    /** A sink for an insufficient key size used in RSA, DSA, and DH algorithms. */
    private class Sink extends InsufficientKeySizeSink {
+      string algoName;
+
      Sink() {
        exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
-          kpg.getAlgoName().matches(["RSA", "DSA", "DH"]) and
+          algoName in ["RSA", "DSA", "DH"] and
+          kpg.getAlgoName() = algoName and
          DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
          this.asExpr() = kpgInit.getKeySizeArg()
        )
        or
-        exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+        exists(Spec spec | this.asExpr() = spec.getKeySizeArg() and algoName = spec.getAlgoName())
      }

-      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+      override predicate hasState(DataFlow::FlowState state) {
+        state = getMinKeySize(algoName).toString()
+      }
    }

    /** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
-    private int getMinKeySize() { result = 2048 }
+    private int getMinKeySize(string algoName) {
+      algoName = "RSA" and
+      result = minSecureKeySizeRsa()
+      or
+      algoName = "DSA" and
+      result = minSecureKeySizeDsa()
+      or
+      algoName = "DH" and
+      result = minSecureKeySizeDh()
+    }

    /** An instance of an RSA, DSA, or DH algorithm specification. */
    private class Spec extends ClassInstanceExpr {
+      string algoName;
+
      Spec() {
-        this.getConstructedType() instanceof RsaKeyGenParameterSpec or
-        this.getConstructedType() instanceof DsaGenParameterSpec or
-        this.getConstructedType() instanceof DhGenParameterSpec
+        this.getConstructedType() instanceof RsaKeyGenParameterSpec and
+        algoName = "RSA"
+        or
+        this.getConstructedType() instanceof DsaGenParameterSpec and
+        algoName = "DSA"
+        or
+        this.getConstructedType() instanceof DhGenParameterSpec and
+        algoName = "DH"
      }

      /** Gets the `keysize` argument of this instance. */
      Argument getKeySizeArg() { result = this.getArgument(0) }
+
+      /** Gets the algorithm name of this spec. */
+      string getAlgoName() { result = algoName }
    }
  }

@@ -87,7 +116,7 @@ private module Asymmetric {
    }

    /** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-    private int getMinKeySize() { result = 256 }
+    private int getMinKeySize() { result = minSecureKeySizeEcc() }

    /** Returns the key size from an EC algorithm's curve name string */
    bindingset[algorithm]
@@ -168,7 +197,7 @@ private module Symmetric {
  }

  /** Returns the minimum recommended key size for AES algorithms. */
-  private int getMinKeySize() { result = 128 }
+  private int getMinKeySize() { result = minSecureKeySizeAes() }

  /** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
  private class KeyGenInit extends MethodAccess {
--- a/java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll
+++ b/java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll
@@ -0,0 +1,21 @@
+/**
+ * INTERNAL: Do not use.
+ *
+ * Provides predicates for recommended encryption key sizes.
+ * Such that we can share this logic across our CodeQL analysis of different languages.
+ */
+
+/** Returns the minimum recommended key size for RSA. */
+int minSecureKeySizeRsa() { result = 2048 }
+
+/** Returns the minimum recommended key size for DSA. */
+int minSecureKeySizeDsa() { result = 2048 }
+
+/** Returns the minimum recommended key size for DH. */
+int minSecureKeySizeDh() { result = 2048 }
+
+/** Returns the minimum recommended key size for elliptic curve cryptography. */
+int minSecureKeySizeEcc() { result = 256 }
+
+/** Returns the minimum recommended key size for AES. */
+int minSecureKeySizeAes() { result = 128 }