Address reveiws - Add BAD example to doc, add doc example to tests and fix typo.

2026-04-29 10:45:15 +02:00 · 2024-02-16 12:00:51 +00:00
parent 3a4a841844
commit 9ad05fe51c
4 changed files with 69 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java
@@ -1,6 +1,7 @@
 import android.security.keystore.KeyGenParameterSpec;
 import android.hardware.biometrics.BiometricPrompt;
 import android.security.keystore.KeyProperties;
+import javax.crypto.KeyGenerator;

 class Test {
    void test() {
@@ -9,6 +10,23 @@ class Test {
        builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
        builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
    }
+
+    private void generateSecretKey() throws Exception {
+        KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+            "MySecretKey",
+            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+            // GOOD: Secure parameters are used to generate a key for biometric authentication.
+            .setUserAuthenticationRequired(true)
+            .setInvalidatedByBiometricEnrollment(true)
+            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+            .build();
+        KeyGenerator keyGenerator = KeyGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+        keyGenerator.init(keyGenParameterSpec);
+        keyGenerator.generateKey();
+    }
 }

 class Callback extends BiometricPrompt.AuthenticationCallback {