Merge pull request #9982 from joefarebrother/rsa-without-oaep

Java: Add query for RSA without OAEP
2025-12-21 11:16:30 +01:00 · 2022-08-23 09:14:46 +01:00
parent a3f27d4abe e8f027dab2
commit ac79866799
8 changed files with 108 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
@@ -0,0 +1,7 @@
+// BAD: No padding scheme is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
+...
+
+//GOOD: OAEP padding is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+...
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption.
+    Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>Use the OAEP scheme when using RSA encryption.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
+    <sample src="RsaWithoutOaep.java" />
+  </example>
+
+  <references>
+    <li>
+      <a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
+    </li>
+    <li>
+      <a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
+    </li>
+  </references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Use of RSA algorithm without OAEP
+ * @description Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id java/rsa-without-oaep
+ * @tags security
+ *       external/cwe/cwe-780
+ */
+
+import java
+import semmle.code.java.security.RsaWithoutOaepQuery
+import DataFlow::PathGraph
+
+from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select source, source, sink,
+  "This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"