Crypto: WeakKDFKeySize tests.

This commit is contained in:
REDMOND\brodes
2025-10-17 12:32:24 -04:00
parent 628bab92fc
commit e12734162f
3 changed files with 57 additions and 0 deletions


@@ -0,0 +1,42 @@
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
public class Test {
public static byte[] generateSalt(int length) {
SecureRandom random = new SecureRandom();
byte[] salt = new byte[length];
random.nextBytes(salt);
return salt;
}
/**
* PBKDF2 derivation with a weak key size.
*
* SAST/CBOM: - Parent: PBKDF2. - Key size is only 64 bits, which is far below acceptable security standards.
* - Flagged as insecure.
*/
public void pbkdf2WeakKeySize(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 100_000;
int keySize = 64; // $Source
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/weak-kdf-key-size]
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
/**
* PBKDF2 derivation with a secure key size.
*
* SAST/CBOM: - Parent: PBKDF2. - Key size is 256 bits, which meets modern security standards.
*/
public void pbkdf2SecureKeySize(String password) throws Exception {
byte[] salt = generateSalt(16);
int iterationCount = 100_000;
int keySize = 256;
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize);
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] key = factory.generateSecret(spec).getEncoded();
}
}
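Review bot: Both pbkdf2WeakKeySize and pbkdf2SecureKeySize hand the password to `PBEKeySpec` and never call `spec.clearPassword()`, so the spec's internal copy of the password chars stays live after `generateSecret` returns (the `PBEKeySpec spec = ...` through `byte[] key = ...` lines in each method). A minimal hygiene fix that keeps the `$Source`/`$Alert` annotations on their current lines is `try { byte[] key = factory.generateSecret(spec).getEncoded(); } finally { spec.clearPassword(); }`. The unused `key` result is fine for a SAST fixture, and the secure variant's doc comment should still read "meets modern security standards" so it matches the query's "below 256" threshold. The hunk header announces 42 added lines while 38 are shown here, so blank lines were presumably dropped by the rendering, which would explain why the expected file points at Test.java lines 23–24 rather than the positions visible in this listing.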


@@ -0,0 +1,11 @@
#select
| Test.java:24:88:24:94 | keySize | Test.java:23:23:23:24 | 64 : Number | Test.java:24:88:24:94 | keySize | Key derivation operation configures output key length below 256: $@ | Test.java:23:23:23:24 | 64 | 64 |
edges
| Test.java:23:23:23:24 | 64 : Number | Test.java:24:88:24:94 | keySize | provenance | |
| Test.java:37:23:37:25 | 256 : Number | Test.java:38:88:38:94 | keySize | provenance | |
nodes
| Test.java:23:23:23:24 | 64 : Number | semmle.label | 64 : Number |
| Test.java:24:88:24:94 | keySize | semmle.label | keySize |
| Test.java:37:23:37:25 | 256 : Number | semmle.label | 256 : Number |
| Test.java:38:88:38:94 | keySize | semmle.label | keySize |
subpaths


@@ -0,0 +1,4 @@
query: experimental/quantum/Examples/WeakKDFKeySize.ql
postprocess:
- utils/test/PrettyPrintModels.ql
- utils/test/InlineExpectationsTestQuery.ql