Add query for insecure key generation

2026-04-24 16:25:15 +02:00 · 2024-02-07 16:37:40 +00:00
parent 75a2b9415c
commit c79a3eb6ae
2 changed files with 40 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
@@ -1,6 +1,7 @@
 /** Definitions for the insecure local authentication query. */

 import java
+import semmle.code.java.dataflow.DataFlow

 /** A base class that is used as a callback for biometric authentication. */
 private class AuthenticationCallbackClass extends Class {
@@ -40,3 +41,21 @@ class AuthenticationSuccessCallback extends Method {
    not result = this.getASuperResultUse()
  }
 }
+
+/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
+class InsecureBiometricKeyParam extends MethodCall {
+  InsecureBiometricKeyParam() {
+    exists(string name, CompileTimeConstantExpr val |
+      this.getMethod()
+          .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
+      DataFlow::localExprFlow(val, this.getArgument(0)) and
+      (
+        name = ["setUserAuthenticationRequired", "setInvalidatedByBiometricEnrollment"] and
+        val.getBooleanValue() = false
+        or
+        name = "setUserAuthenticationValidityDurationSeconds" and
+        val.getIntValue() != -1
+      )
+    )
+  }
+}
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Insecurely generated keys for local authentication
+ * @description Keys used for local biometric authentication should be generated with secure parameters.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision medium
+ * @id java/android/insecure-local-key-gen
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }
+
+from InsecureBiometricKeyParam call
+where usesLocalAuth()
+select call, "This key is not secure for biometric authentication."