Add query for insecure key generation

java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Insecurely generated keys for local authentication
+ * @description Keys used for local biometric authentication should be generated with secure parameters.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision medium
+ * @id java/android/insecure-local-key-gen
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }
+
+from InsecureBiometricKeyParam call
+where usesLocalAuth()
+select call, "This key is not secure for biometric authentication."