Crypto: Formatting test cases, more removal of non-ascii

2026-04-29 02:35:15 +02:00 · 2025-10-06 10:46:09 -04:00
parent 96f6832a6f
commit abeb3141b1
26 changed files with 5173 additions and 5421 deletions
--- a/java/ql/test/experimental/library-tests/quantum/jca/Encryption2.java
+++ b/java/ql/test/experimental/library-tests/quantum/jca/Encryption2.java
@@ -1,60 +1,52 @@
 package com.example.crypto.algorithms;

 //import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import java.security.*;
+import java.security.spec.ECGenParameterSpec;
+import java.util.Arrays;
+import java.util.Base64;
 import javax.crypto.Cipher;
 import javax.crypto.KeyAgreement;
+import javax.crypto.Mac;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.*;
-import java.security.spec.ECGenParameterSpec;
-import java.util.Base64;
-import java.util.Arrays;
-import javax.crypto.Mac;

 /**
 * This class demonstrates encryption schemes using elliptic-curve
- * Diffie-Hellman (ECDH)
- * and hybrid encryption methods, including a post-quantum hybrid scheme.
+ * Diffie-Hellman (ECDH) and hybrid encryption methods, including a post-quantum
+ * hybrid scheme.
 *
 * SAST/CBOM Classification:
- * 
- * 1. EC Key Generation & ECDH Key Agreement:
- * - Parent Classification: Asymmetric Key Generation / Key Agreement.
- * - SAST: Secure when using established curves (secp256r1) and reputable
- * providers (BouncyCastle).
 *
- * 2. ECDH Hybrid Encryption:
- * - Parent Classification: Hybrid Cryptosystem (ECDH + AEAD).
- * - SAST: Uses ECDH for key agreement and AES/GCM for encryption. However, the
- * derivation of an AES key
- * by applying a single SHA-256 hash to the shared secret may be flagged as a
- * weak key derivation method.
- * A dedicated KDF (e.g., HKDF) is recommended.
+ * 1. EC Key Generation & ECDH Key Agreement: - Parent Classification:
+ * Asymmetric Key Generation / Key Agreement. - SAST: Secure when using
+ * established curves (secp256r1) and reputable providers (BouncyCastle).
 *
- * 3. Post-Quantum Hybrid Encryption:
- * - Parent Classification: Hybrid Cryptosystem (Classical ECDH + Post-Quantum
- * Secret + KDF + AEAD).
- * - SAST: Combining classical and post-quantum components is advanced and
- * secure if implemented properly.
- * The custom HKDF expand function provided here is simplistic and may be
- * flagged in a CBOM analysis;
- * a standard HKDF library should be used in production.
+ * 2. ECDH Hybrid Encryption: - Parent Classification: Hybrid Cryptosystem (ECDH
+ * + AEAD). - SAST: Uses ECDH for key agreement and AES/GCM for encryption.
+ * However, the derivation of an AES key by applying a single SHA-256 hash to
+ * the shared secret may be flagged as a weak key derivation method. A dedicated
+ * KDF (e.g., HKDF) is recommended.
+ *
+ * 3. Post-Quantum Hybrid Encryption: - Parent Classification: Hybrid
+ * Cryptosystem (Classical ECDH + Post-Quantum Secret + KDF + AEAD). - SAST:
+ * Combining classical and post-quantum components is advanced and secure if
+ * implemented properly. The custom HKDF expand function provided here is
+ * simplistic and may be flagged in a CBOM analysis; a standard HKDF library
+ * should be used in production.
 */
 public class Encryption2 {

    // static {
    //     Security.addProvider(new BouncyCastleProvider());
    // }
-
    /**
     * Generates an Elliptic Curve (EC) key pair using the secp256r1 curve.
     *
-     * SAST/CBOM Notes:
-     * - Algorithm: EC key pair generation.
-     * - Parent Classification: Asymmetric Key Generation.
-     * - SAST: Considered secure when using strong randomness and a reputable
-     * provider.
+     * SAST/CBOM Notes: - Algorithm: EC key pair generation. - Parent
+     * Classification: Asymmetric Key Generation. - SAST: Considered secure when
+     * using strong randomness and a reputable provider.
     *
     * @return an EC KeyPair.
     */
@@ -67,13 +59,12 @@ public class Encryption2 {
    /**
     * Derives a shared secret using Elliptic Curve Diffie-Hellman (ECDH).
     *
-     * SAST/CBOM Notes:
-     * - Algorithm: ECDH key agreement.
-     * - Parent Classification: Asymmetric Key Agreement.
-     * - SAST: Secure when both parties use strong EC keys and proper randomness.
+     * SAST/CBOM Notes: - Algorithm: ECDH key agreement. - Parent
+     * Classification: Asymmetric Key Agreement. - SAST: Secure when both
+     * parties use strong EC keys and proper randomness.
     *
     * @param privateKey the private key of one party.
-     * @param publicKey  the public key of the other party.
+     * @param publicKey the public key of the other party.
     * @return the derived shared secret as a byte array.
     */
    public byte[] deriveSharedSecret(PrivateKey privateKey, PublicKey publicKey) throws Exception {
@@ -84,21 +75,17 @@ public class Encryption2 {
    }

    /**
-     * Performs hybrid encryption using ECDH to derive a shared secret, then derives
-     * an AES key
-     * by hashing the shared secret with SHA-256, and finally encrypts the data with
-     * AES-GCM.
+     * Performs hybrid encryption using ECDH to derive a shared secret, then
+     * derives an AES key by hashing the shared secret with SHA-256, and finally
+     * encrypts the data with AES-GCM.
     *
-     * SAST/CBOM Notes:
-     * - Parent Classification: Hybrid Cryptosystem (ECDH + AES-GCM).
-     * - SAST: While ECDH and AES-GCM are secure, the key derivation method here (a
-     * single SHA-256 hash)
-     * is not as robust as using a dedicated KDF. This approach may be flagged and
-     * is recommended for
-     * improvement.
+     * SAST/CBOM Notes: - Parent Classification: Hybrid Cryptosystem (ECDH +
+     * AES-GCM). - SAST: While ECDH and AES-GCM are secure, the key derivation
+     * method here (a single SHA-256 hash) is not as robust as using a dedicated
+     * KDF. This approach may be flagged and is recommended for improvement.
     *
     * @param recipientPublicKey the recipient's public EC key.
-     * @param data               the plaintext data to encrypt.
+     * @param data the plaintext data to encrypt.
     */
    public void ecdhHybridEncryption(PublicKey recipientPublicKey, String data) throws Exception {
        // Generate an ephemeral EC key pair for the sender.
@@ -127,24 +114,20 @@ public class Encryption2 {
    }

    /**
-     * Performs post-quantum hybrid encryption by combining a classical ECDH-derived
-     * secret with a
-     * post-quantum shared secret. The two secrets are combined using a custom HKDF
-     * expansion, and the
-     * derived key is used to encrypt data with AES-GCM.
+     * Performs post-quantum hybrid encryption by combining a classical
+     * ECDH-derived secret with a post-quantum shared secret. The two secrets
+     * are combined using a custom HKDF expansion, and the derived key is used
+     * to encrypt data with AES-GCM.
     *
-     * SAST/CBOM Notes:
-     * - Parent Classification: Hybrid Cryptosystem (Classical ECDH + Post-Quantum
-     * Secret + KDF + AES-GCM).
-     * - SAST: The combination of classical and post-quantum secrets is a modern
-     * approach. However, the
-     * custom HKDF expand function is simplistic and may be flagged as insecure. Use
-     * a standard HKDF
-     * implementation in production.
+     * SAST/CBOM Notes: - Parent Classification: Hybrid Cryptosystem (Classical
+     * ECDH + Post-Quantum Secret + KDF + AES-GCM). - SAST: The combination of
+     * classical and post-quantum secrets is a modern approach. However, the
+     * custom HKDF expand function is simplistic and may be flagged as insecure.
+     * Use a standard HKDF implementation in production.
     *
-     * @param ecPublicKey    the recipient's EC public key.
+     * @param ecPublicKey the recipient's EC public key.
     * @param pqSharedSecret the post-quantum shared secret from a separate
-     *                       algorithm.
+     * algorithm.
     */
    public void postQuantumHybridEncryption(PublicKey ecPublicKey, byte[] pqSharedSecret) throws Exception {
        // Step 1: Perform classical ECDH key agreement to derive a shared secret.
@@ -171,21 +154,19 @@ public class Encryption2 {
    }

    /**
-     * A simplified HKDF expansion function that uses HMAC-SHA256 to derive a key of
-     * a desired length.
+     * A simplified HKDF expansion function that uses HMAC-SHA256 to derive a
+     * key of a desired length.
     *
-     * SAST/CBOM Notes:
-     * - Parent Classification: Key Derivation Function (KDF).
-     * - SAST: Custom KDF implementations are risky if not thoroughly vetted. This
-     * simple HKDF expand
-     * function lacks the full HKDF mechanism (e.g., multiple iterations, info, and
-     * context parameters)
-     * and may be flagged. It is recommended to use a standardized HKDF library.
+     * SAST/CBOM Notes: - Parent Classification: Key Derivation Function (KDF).
+     * - SAST: Custom KDF implementations are risky if not thoroughly vetted.
+     * This simple HKDF expand function lacks the full HKDF mechanism (e.g.,
+     * multiple iterations, info, and context parameters) and may be flagged. It
+     * is recommended to use a standardized HKDF library.
     *
     * @param inputKey the input key material.
-     * @param salt     a salt value (here, the post-quantum shared secret is used as
-     *                 the salt).
-     * @param length   the desired length of the derived key.
+     * @param salt a salt value (here, the post-quantum shared secret is used as
+     * the salt).
+     * @param length the desired length of the derived key.
     * @return a derived key of the specified length.
     */
    private byte[] hkdfExpand(byte[] inputKey, byte[] salt, int length) throws Exception {