Fix QL-for-QL alerts

2026-05-14 19:29:28 +02:00 · 2026-02-23 00:41:05 +01:00
parent 61ec2aaa08
commit e277b6338a
9 changed files with 49 additions and 49 deletions
--- a/java/ql/lib/experimental/quantum/JCA.qll
+++ b/java/ql/lib/experimental/quantum/JCA.qll
@@ -1954,9 +1954,9 @@ module JCAModel {
      result = this
      or
      // Explicit PSS hash from PSSParameterSpec via Signature.setParameter()
-      exists(PSSParameterSpecInstantiation spec |
+      exists(PssParameterSpecInstantiation spec |
        pssSpecForSignatureLiteral(spec, this) and
-        result.(PSSParameterSpecDigestHashAlgorithmInstance).getSpec() = spec
+        result.(PssParameterSpecDigestHashAlgorithmInstance).getSpec() = spec
      )
    }

@@ -1965,9 +1965,9 @@ module JCAModel {
      result = this
      or
      // Explicit MGF1 hash from PSSParameterSpec via Signature.setParameter()
-      exists(PSSParameterSpecInstantiation spec |
+      exists(PssParameterSpecInstantiation spec |
        pssSpecForSignatureLiteral(spec, this) and
-        result.(PSSParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec
+        result.(PssParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec
      )
    }
  }
@@ -1976,8 +1976,8 @@ module JCAModel {
   * A PSSParameterSpec instantiation, e.g.,
   * new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)
   */
-  class PSSParameterSpecInstantiation extends ClassInstanceExpr {
-    PSSParameterSpecInstantiation() {
+  class PssParameterSpecInstantiation extends ClassInstanceExpr {
+    PssParameterSpecInstantiation() {
      this.getConstructedType().hasQualifiedName("java.security.spec", "PSSParameterSpec")
    }

@@ -1999,8 +1999,8 @@ module JCAModel {
   * `MGF1ParameterSpec.SHA256`. These fields represent well-known MGF1 hash
   * algorithm configurations.
   */
-  class MGF1ParameterSpecFieldAccess extends FieldAccess {
-    MGF1ParameterSpecFieldAccess() {
+  class Mgf1ParameterSpecFieldAccess extends FieldAccess {
+    Mgf1ParameterSpecFieldAccess() {
      this.getField().getDeclaringType().hasQualifiedName("java.security.spec", "MGF1ParameterSpec") and
      this.getField().isStatic()
    }
@@ -2030,18 +2030,18 @@ module JCAModel {
   *
   * Type resolution delegates to hash_name_to_type_known from Standardization.
   */
-  class PSSParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant
+  class PssParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant
  {
-    PSSParameterSpecInstantiation spec;
+    PssParameterSpecInstantiation spec;

-    PSSParameterSpecDigestHashAlgorithmInstance() {
+    PssParameterSpecDigestHashAlgorithmInstance() {
      this = spec.getDigestAlgorithmArg() and
      // Only instantiate when the value resolves to a known hash type
      exists(hash_name_to_type_known(super.getValue(), _))
    }

    /** Gets the PSSParameterSpec this digest hash belongs to. */
-    PSSParameterSpecInstantiation getSpec() { result = spec }
+    PssParameterSpecInstantiation getSpec() { result = spec }

    override string getRawHashAlgorithmName() { result = super.getValue() }

@@ -2062,12 +2062,12 @@ module JCAModel {
   * The field name is normalized to a standard hash algorithm name (e.g.,
   * SHA256 -> SHA-256), then type resolution delegates to hash_name_to_type_known.
   */
-  class PSSParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof MGF1ParameterSpecFieldAccess
+  class PssParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof Mgf1ParameterSpecFieldAccess
  {
-    PSSParameterSpecInstantiation spec;
+    PssParameterSpecInstantiation spec;
    string normalizedName;

-    PSSParameterSpecMgf1HashAlgorithmInstance() {
+    PssParameterSpecMgf1HashAlgorithmInstance() {
      this = spec.getMgfSpecArg() and
      normalizedName = super.getHashAlgorithmName() and
      // Only instantiate when the normalized name resolves to a known hash type
@@ -2075,7 +2075,7 @@ module JCAModel {
    }

    /** Gets the PSSParameterSpec this MGF1 hash belongs to. */
-    PSSParameterSpecInstantiation getSpec() { result = spec }
+    PssParameterSpecInstantiation getSpec() { result = spec }

    override string getRawHashAlgorithmName() { result = super.getField().getName() }

@@ -2219,15 +2219,15 @@ module JCAModel {
  /**
   * Flow from `PSSParameterSpec` instantiation to `Signature.setParameter()` argument.
   */
-  module PSSSpecToSetParameterConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PSSParameterSpecInstantiation }
+  module PssSpecToSetParameterConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PssParameterSpecInstantiation }

    predicate isSink(DataFlow::Node sink) {
      exists(SignatureSetParameterCall c | sink.asExpr() = c.getParameterSpecArg())
    }
  }

-  module PSSSpecToSetParameterFlow = DataFlow::Global<PSSSpecToSetParameterConfig>;
+  module PssSpecToSetParameterFlow = DataFlow::Global<PssSpecToSetParameterConfig>;

  /**
   * Connects a PSSParameterSpec instantiation to the signature PSS padding literal
@@ -2239,7 +2239,7 @@ module JCAModel {
   * 3. The PSSParameterSpec flows to the same setParameter's argument
   */
  private predicate pssSpecForSignatureLiteral(
-    PSSParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal
+    PssParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal
  ) {
    exists(
      SignatureSetParameterCall setParam, SignatureGetInstanceCall getInstance,
@@ -2249,7 +2249,7 @@ module JCAModel {
      consumer = getInstance.getAlgorithmArg() and
      SignatureToSetParameterFlow::flow(DataFlow::exprNode(getInstance),
        DataFlow::exprNode(setParam.getQualifier())) and
-      PSSSpecToSetParameterFlow::flow(DataFlow::exprNode(spec),
+      PssSpecToSetParameterFlow::flow(DataFlow::exprNode(spec),
        DataFlow::exprNode(setParam.getParameterSpecArg()))
    )
  }
--- a/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql
@@ -12,7 +12,7 @@ import experimental.quantum.Language

 from Crypto::EllipticCurveNode c, string detail
 where
-  if exists(string ks | c.properties("KeySize", ks, _))
+  if c.properties("KeySize", _, _)
  then
    exists(string ks |
      c.properties("KeySize", ks, _) and
--- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql
@@ -13,16 +13,16 @@ import Crypto::KeyOpAlg as KeyOpAlg

 from
  Crypto::SignatureOperationNode sigOp, Crypto::KeyOperationAlgorithmNode alg,
-  Crypto::PSSPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen
+  Crypto::PssPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen
 where
  alg = sigOp.getAKnownAlgorithm() and
  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
  pss = alg.getPaddingAlgorithm() and
  // Get hash from the PSS padding or from the signature operation
  (
-    hash = pss.getPSSHashAlgorithm()
+    hash = pss.getPssHashAlgorithm()
    or
-    hash = sigOp.getHashAlgorithm() and not exists(pss.getPSSHashAlgorithm())
+    hash = sigOp.getHashAlgorithm() and not exists(pss.getPssHashAlgorithm())
  ) and
  hash.getHashType() = Crypto::SHA2() and
  digestLen = hash.getDigestLength() and
--- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql
@@ -18,7 +18,7 @@ where
  alg = sigOp.getAKnownAlgorithm() and
  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
  // No PSS padding — implies PKCS#1 v1.5
-  not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and
+  not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and
  // Hash is SHA-2 with standard JWS digest lengths
  hash = sigOp.getHashAlgorithm() and
  hash.getHashType() = Crypto::SHA2() and
--- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql
@@ -11,7 +11,7 @@
 import experimental.quantum.Language
 import Crypto::KeyOpAlg as KeyOpAlg

-from Crypto::KeyOperationAlgorithmNode alg, Crypto::OAEPPaddingAlgorithmNode pad
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::OaepPaddingAlgorithmNode pad
 where
  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
  pad = alg.getPaddingAlgorithm()
--- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql
@@ -21,7 +21,7 @@ where
    or
    // RSA signature without PSS — implies PKCS#1 v1.5 (e.g., SHA256withRSA)
    exists(Crypto::SignatureOperationNode sigOp | alg = sigOp.getAKnownAlgorithm()) and
-    not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and
+    not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and
    variant = "implicit PKCS#1 v1.5 (RSA signature without PSS)"
  )
 select alg, "RSA PKCS#1 v1.5 protocol detected: " + variant + "."
--- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql
@@ -11,7 +11,7 @@
 import experimental.quantum.Language
 import Crypto::KeyOpAlg as KeyOpAlg

-from Crypto::KeyOperationAlgorithmNode alg, Crypto::PSSPaddingAlgorithmNode pss
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::PssPaddingAlgorithmNode pss
 where
  alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
  pss = alg.getPaddingAlgorithm()
--- a/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql
+++ b/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql
@@ -14,14 +14,14 @@ from Crypto::PaddingAlgorithmNode pad, string msg
 where
  isQuantumVulnerablePaddingType(pad.getPaddingType()) and
  (
-    pad instanceof Crypto::PSSPaddingAlgorithmNode and
+    pad instanceof Crypto::PssPaddingAlgorithmNode and
    msg = "Quantum-vulnerable PSS padding scheme detected."
    or
-    pad instanceof Crypto::OAEPPaddingAlgorithmNode and
+    pad instanceof Crypto::OaepPaddingAlgorithmNode and
    msg = "Quantum-vulnerable OAEP padding scheme detected."
    or
-    not pad instanceof Crypto::PSSPaddingAlgorithmNode and
-    not pad instanceof Crypto::OAEPPaddingAlgorithmNode and
+    not pad instanceof Crypto::PssPaddingAlgorithmNode and
+    not pad instanceof Crypto::OaepPaddingAlgorithmNode and
    msg = "Quantum-vulnerable padding scheme: " + pad.getPaddingType().toString() + "."
  )
 select pad, msg
--- a/shared/quantum/codeql/quantum/experimental/Model.qll
+++ b/shared/quantum/codeql/quantum/experimental/Model.qll
@@ -2155,16 +2155,16 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
    override string getRawAlgorithmName() { result = instance.getRawPaddingAlgorithmName() }
  }

-  class OAEPPaddingAlgorithmNode extends PaddingAlgorithmNode {
+  class OaepPaddingAlgorithmNode extends PaddingAlgorithmNode {
    override OaepPaddingAlgorithmInstance instance;

-    OAEPPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
+    OaepPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }

-    HashAlgorithmNode getOAEPEncodingHashAlgorithm() {
+    HashAlgorithmNode getOaepEncodingHashAlgorithm() {
      result.asElement() = instance.getOaepEncodingHashAlgorithm()
    }

-    HashAlgorithmNode getMGF1HashAlgorithm() {
+    HashAlgorithmNode getMgf1HashAlgorithm() {
      result.asElement() = instance.getMgf1HashAlgorithm()
    }

@@ -2173,26 +2173,26 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      or
      // [KNOWN_OR_UNKNOWN]
      edgeName = "MD" and
-      if exists(this.getOAEPEncodingHashAlgorithm())
-      then result = this.getOAEPEncodingHashAlgorithm()
+      if exists(this.getOaepEncodingHashAlgorithm())
+      then result = this.getOaepEncodingHashAlgorithm()
      else result = this
      or
      // [KNOWN_OR_UNKNOWN]
      edgeName = "MGF1Hash" and
-      if exists(this.getMGF1HashAlgorithm())
-      then result = this.getMGF1HashAlgorithm()
+      if exists(this.getMgf1HashAlgorithm())
+      then result = this.getMgf1HashAlgorithm()
      else result = this
    }
  }

-  class PSSPaddingAlgorithmNode extends PaddingAlgorithmNode {
+  class PssPaddingAlgorithmNode extends PaddingAlgorithmNode {
    override PssPaddingAlgorithmInstance instance;

-    PSSPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
+    PssPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }

-    HashAlgorithmNode getPSSHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() }
+    HashAlgorithmNode getPssHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() }

-    HashAlgorithmNode getMGF1HashAlgorithm() {
+    HashAlgorithmNode getMgf1HashAlgorithm() {
      result.asElement() = instance.getMgf1HashAlgorithm()
    }

@@ -2201,14 +2201,14 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      or
      // [KNOWN_OR_UNKNOWN]
      edgeName = "MD" and
-      if exists(this.getPSSHashAlgorithm())
-      then result = this.getPSSHashAlgorithm()
+      if exists(this.getPssHashAlgorithm())
+      then result = this.getPssHashAlgorithm()
      else result = this
      or
      // [KNOWN_OR_UNKNOWN]
      edgeName = "MGF1Hash" and
-      if exists(this.getMGF1HashAlgorithm())
-      then result = this.getMGF1HashAlgorithm()
+      if exists(this.getMgf1HashAlgorithm())
+      then result = this.getMgf1HashAlgorithm()
      else result = this
    }
  }