Merge pull request #9982 from joefarebrother/rsa-without-oaep

Java: Add query for RSA without OAEP
2025-12-24 04:36:35 +01:00 · 2022-08-23 09:14:46 +01:00
parent a3f27d4abe e8f027dab2
commit ac79866799
8 changed files with 108 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -0,0 +1,23 @@
 /** Definitions for the RSA without OAEP query */
 import java
 import Encryption
 import semmle.code.java.dataflow.DataFlow
 /** A configuration for finding RSA ciphers initialized without using OAEP padding. */
 class RsaWithoutOaepConfig extends DataFlow::Configuration {
  RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
  override predicate isSource(DataFlow::Node src) {
    exists(CompileTimeConstantExpr specExpr, string spec |
      specExpr.getStringValue() = spec and
      specExpr = src.asExpr() and
      spec.matches("RSA/%") and
      not spec.matches("%OAEP%")
    )
  }
  override predicate isSink(DataFlow::Node sink) {
    exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
  }
 }
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
@@ -0,0 +1,7 @@
 // BAD: No padding scheme is used
 Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
 ...
 //GOOD: OAEP padding is used
 Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
 ...
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
@@ -0,0 +1,27 @@
 <!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
 <qhelp>
  <overview>
    <p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption.
    Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.
    </p>
  </overview>
  <recommendation>
    <p>Use the OAEP scheme when using RSA encryption.</p>
  </recommendation>
  <example>
    <p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
    <sample src="RsaWithoutOaep.java" />
  </example>
  <references>
    <li>
      <a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
    </li>
    <li>
      <a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
    </li>
  </references>
 </qhelp>
--- a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+++ b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -0,0 +1,20 @@
 /**
 * @name Use of RSA algorithm without OAEP
 * @description Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
 * @id java/rsa-without-oaep
 * @tags security
 *       external/cwe/cwe-780
 */
 import java
 import semmle.code.java.security.RsaWithoutOaepQuery
 import DataFlow::PathGraph
 from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
 where conf.hasFlowPath(source, sink)
 select source, source, sink,
  "This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"
--- a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md
+++ b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md
@@ -0,0 +1,4 @@
 ---
 category: newQuery
 ---
 * A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java
@@ -0,0 +1,17 @@
 import javax.crypto.Cipher;
 class RsaWithoutOaep {
    public void test() throws Exception {
        Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $hasTaintFlow
        Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); 
    }
    public Cipher getCipher(String spec) throws Exception {
        return Cipher.getInstance(spec); // $hasTaintFlow
    }
    public void test2() throws Exception {
        Cipher rsa = getCipher("RSA/ECB/NoPadding");
    }
 }
--- a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql
+++ b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql
@@ -0,0 +1,10 @@
 import java
 import TestUtilities.InlineExpectationsTest
 import TestUtilities.InlineFlowTest
 import semmle.code.java.security.RsaWithoutOaepQuery
 class HasFlowTest extends InlineFlowTest {
  override DataFlow::Configuration getTaintFlowConfig() { result instanceof RsaWithoutOaepConfig }
  override DataFlow::Configuration getValueFlowConfig() { none() }
 }