diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll index 2c1db4e3abb..75b59e3ece7 100644 --- a/java/ql/lib/experimental/quantum/JCA.qll +++ b/java/ql/lib/experimental/quantum/JCA.qll @@ -1954,9 +1954,9 @@ module JCAModel { result = this or // Explicit PSS hash from PSSParameterSpec via Signature.setParameter() - exists(PSSParameterSpecInstantiation spec | + exists(PssParameterSpecInstantiation spec | pssSpecForSignatureLiteral(spec, this) and - result.(PSSParameterSpecDigestHashAlgorithmInstance).getSpec() = spec + result.(PssParameterSpecDigestHashAlgorithmInstance).getSpec() = spec ) } @@ -1965,9 +1965,9 @@ module JCAModel { result = this or // Explicit MGF1 hash from PSSParameterSpec via Signature.setParameter() - exists(PSSParameterSpecInstantiation spec | + exists(PssParameterSpecInstantiation spec | pssSpecForSignatureLiteral(spec, this) and - result.(PSSParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec + result.(PssParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec ) } } @@ -1976,8 +1976,8 @@ module JCAModel { * A PSSParameterSpec instantiation, e.g., * new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1) */ - class PSSParameterSpecInstantiation extends ClassInstanceExpr { - PSSParameterSpecInstantiation() { + class PssParameterSpecInstantiation extends ClassInstanceExpr { + PssParameterSpecInstantiation() { this.getConstructedType().hasQualifiedName("java.security.spec", "PSSParameterSpec") } @@ -1999,8 +1999,8 @@ module JCAModel { * `MGF1ParameterSpec.SHA256`. These fields represent well-known MGF1 hash * algorithm configurations. */ - class MGF1ParameterSpecFieldAccess extends FieldAccess { - MGF1ParameterSpecFieldAccess() { + class Mgf1ParameterSpecFieldAccess extends FieldAccess { + Mgf1ParameterSpecFieldAccess() { this.getField().getDeclaringType().hasQualifiedName("java.security.spec", "MGF1ParameterSpec") and this.getField().isStatic() } @@ -2030,18 +2030,18 @@ module JCAModel { * * Type resolution delegates to hash_name_to_type_known from Standardization. */ - class PSSParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant + class PssParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant { - PSSParameterSpecInstantiation spec; + PssParameterSpecInstantiation spec; - PSSParameterSpecDigestHashAlgorithmInstance() { + PssParameterSpecDigestHashAlgorithmInstance() { this = spec.getDigestAlgorithmArg() and // Only instantiate when the value resolves to a known hash type exists(hash_name_to_type_known(super.getValue(), _)) } /** Gets the PSSParameterSpec this digest hash belongs to. */ - PSSParameterSpecInstantiation getSpec() { result = spec } + PssParameterSpecInstantiation getSpec() { result = spec } override string getRawHashAlgorithmName() { result = super.getValue() } @@ -2062,12 +2062,12 @@ module JCAModel { * The field name is normalized to a standard hash algorithm name (e.g., * SHA256 -> SHA-256), then type resolution delegates to hash_name_to_type_known. */ - class PSSParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof MGF1ParameterSpecFieldAccess + class PssParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof Mgf1ParameterSpecFieldAccess { - PSSParameterSpecInstantiation spec; + PssParameterSpecInstantiation spec; string normalizedName; - PSSParameterSpecMgf1HashAlgorithmInstance() { + PssParameterSpecMgf1HashAlgorithmInstance() { this = spec.getMgfSpecArg() and normalizedName = super.getHashAlgorithmName() and // Only instantiate when the normalized name resolves to a known hash type @@ -2075,7 +2075,7 @@ module JCAModel { } /** Gets the PSSParameterSpec this MGF1 hash belongs to. */ - PSSParameterSpecInstantiation getSpec() { result = spec } + PssParameterSpecInstantiation getSpec() { result = spec } override string getRawHashAlgorithmName() { result = super.getField().getName() } @@ -2219,15 +2219,15 @@ module JCAModel { /** * Flow from `PSSParameterSpec` instantiation to `Signature.setParameter()` argument. */ - module PSSSpecToSetParameterConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PSSParameterSpecInstantiation } + module PssSpecToSetParameterConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PssParameterSpecInstantiation } predicate isSink(DataFlow::Node sink) { exists(SignatureSetParameterCall c | sink.asExpr() = c.getParameterSpecArg()) } } - module PSSSpecToSetParameterFlow = DataFlow::Global; + module PssSpecToSetParameterFlow = DataFlow::Global; /** * Connects a PSSParameterSpec instantiation to the signature PSS padding literal @@ -2239,7 +2239,7 @@ module JCAModel { * 3. The PSSParameterSpec flows to the same setParameter's argument */ private predicate pssSpecForSignatureLiteral( - PSSParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal + PssParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal ) { exists( SignatureSetParameterCall setParam, SignatureGetInstanceCall getInstance, @@ -2249,7 +2249,7 @@ module JCAModel { consumer = getInstance.getAlgorithmArg() and SignatureToSetParameterFlow::flow(DataFlow::exprNode(getInstance), DataFlow::exprNode(setParam.getQualifier())) and - PSSSpecToSetParameterFlow::flow(DataFlow::exprNode(spec), + PssSpecToSetParameterFlow::flow(DataFlow::exprNode(spec), DataFlow::exprNode(setParam.getParameterSpecArg())) ) } diff --git a/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql b/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql index e2952f93437..35e93fef6ef 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql @@ -12,7 +12,7 @@ import experimental.quantum.Language from Crypto::EllipticCurveNode c, string detail where - if exists(string ks | c.properties("KeySize", ks, _)) + if c.properties("KeySize", _, _) then exists(string ks | c.properties("KeySize", ks, _) and diff --git a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql index f0a3061cd0b..d87fee86282 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql @@ -13,16 +13,16 @@ import Crypto::KeyOpAlg as KeyOpAlg from Crypto::SignatureOperationNode sigOp, Crypto::KeyOperationAlgorithmNode alg, - Crypto::PSSPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen + Crypto::PssPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen where alg = sigOp.getAKnownAlgorithm() and alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and pss = alg.getPaddingAlgorithm() and // Get hash from the PSS padding or from the signature operation ( - hash = pss.getPSSHashAlgorithm() + hash = pss.getPssHashAlgorithm() or - hash = sigOp.getHashAlgorithm() and not exists(pss.getPSSHashAlgorithm()) + hash = sigOp.getHashAlgorithm() and not exists(pss.getPssHashAlgorithm()) ) and hash.getHashType() = Crypto::SHA2() and digestLen = hash.getDigestLength() and diff --git a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql index e918b976db6..c8519296008 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql @@ -18,7 +18,7 @@ where alg = sigOp.getAKnownAlgorithm() and alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and // No PSS padding — implies PKCS#1 v1.5 - not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and + not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and // Hash is SHA-2 with standard JWS digest lengths hash = sigOp.getHashAlgorithm() and hash.getHashType() = Crypto::SHA2() and diff --git a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql index 0c55a0b22b6..c5cfbb76c04 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql @@ -11,7 +11,7 @@ import experimental.quantum.Language import Crypto::KeyOpAlg as KeyOpAlg -from Crypto::KeyOperationAlgorithmNode alg, Crypto::OAEPPaddingAlgorithmNode pad +from Crypto::KeyOperationAlgorithmNode alg, Crypto::OaepPaddingAlgorithmNode pad where alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and pad = alg.getPaddingAlgorithm() diff --git a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql index 6b9d7a01c32..b3a17b152b4 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql @@ -21,7 +21,7 @@ where or // RSA signature without PSS — implies PKCS#1 v1.5 (e.g., SHA256withRSA) exists(Crypto::SignatureOperationNode sigOp | alg = sigOp.getAKnownAlgorithm()) and - not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and + not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and variant = "implicit PKCS#1 v1.5 (RSA signature without PSS)" ) select alg, "RSA PKCS#1 v1.5 protocol detected: " + variant + "." diff --git a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql index 932198d9ed5..6c1f97a9247 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql @@ -11,7 +11,7 @@ import experimental.quantum.Language import Crypto::KeyOpAlg as KeyOpAlg -from Crypto::KeyOperationAlgorithmNode alg, Crypto::PSSPaddingAlgorithmNode pss +from Crypto::KeyOperationAlgorithmNode alg, Crypto::PssPaddingAlgorithmNode pss where alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and pss = alg.getPaddingAlgorithm() diff --git a/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql b/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql index 49b49aa0072..cf998470c30 100644 --- a/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql +++ b/java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql @@ -14,14 +14,14 @@ from Crypto::PaddingAlgorithmNode pad, string msg where isQuantumVulnerablePaddingType(pad.getPaddingType()) and ( - pad instanceof Crypto::PSSPaddingAlgorithmNode and + pad instanceof Crypto::PssPaddingAlgorithmNode and msg = "Quantum-vulnerable PSS padding scheme detected." or - pad instanceof Crypto::OAEPPaddingAlgorithmNode and + pad instanceof Crypto::OaepPaddingAlgorithmNode and msg = "Quantum-vulnerable OAEP padding scheme detected." or - not pad instanceof Crypto::PSSPaddingAlgorithmNode and - not pad instanceof Crypto::OAEPPaddingAlgorithmNode and + not pad instanceof Crypto::PssPaddingAlgorithmNode and + not pad instanceof Crypto::OaepPaddingAlgorithmNode and msg = "Quantum-vulnerable padding scheme: " + pad.getPaddingType().toString() + "." ) select pad, msg diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index 7b83d132c1a..753ef814db0 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -2155,16 +2155,16 @@ module CryptographyBase Input> { override string getRawAlgorithmName() { result = instance.getRawPaddingAlgorithmName() } } - class OAEPPaddingAlgorithmNode extends PaddingAlgorithmNode { + class OaepPaddingAlgorithmNode extends PaddingAlgorithmNode { override OaepPaddingAlgorithmInstance instance; - OAEPPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) } + OaepPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) } - HashAlgorithmNode getOAEPEncodingHashAlgorithm() { + HashAlgorithmNode getOaepEncodingHashAlgorithm() { result.asElement() = instance.getOaepEncodingHashAlgorithm() } - HashAlgorithmNode getMGF1HashAlgorithm() { + HashAlgorithmNode getMgf1HashAlgorithm() { result.asElement() = instance.getMgf1HashAlgorithm() } @@ -2173,26 +2173,26 @@ module CryptographyBase Input> { or // [KNOWN_OR_UNKNOWN] edgeName = "MD" and - if exists(this.getOAEPEncodingHashAlgorithm()) - then result = this.getOAEPEncodingHashAlgorithm() + if exists(this.getOaepEncodingHashAlgorithm()) + then result = this.getOaepEncodingHashAlgorithm() else result = this or // [KNOWN_OR_UNKNOWN] edgeName = "MGF1Hash" and - if exists(this.getMGF1HashAlgorithm()) - then result = this.getMGF1HashAlgorithm() + if exists(this.getMgf1HashAlgorithm()) + then result = this.getMgf1HashAlgorithm() else result = this } } - class PSSPaddingAlgorithmNode extends PaddingAlgorithmNode { + class PssPaddingAlgorithmNode extends PaddingAlgorithmNode { override PssPaddingAlgorithmInstance instance; - PSSPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) } + PssPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) } - HashAlgorithmNode getPSSHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() } + HashAlgorithmNode getPssHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() } - HashAlgorithmNode getMGF1HashAlgorithm() { + HashAlgorithmNode getMgf1HashAlgorithm() { result.asElement() = instance.getMgf1HashAlgorithm() } @@ -2201,14 +2201,14 @@ module CryptographyBase Input> { or // [KNOWN_OR_UNKNOWN] edgeName = "MD" and - if exists(this.getPSSHashAlgorithm()) - then result = this.getPSSHashAlgorithm() + if exists(this.getPssHashAlgorithm()) + then result = this.getPssHashAlgorithm() else result = this or // [KNOWN_OR_UNKNOWN] edgeName = "MGF1Hash" and - if exists(this.getMGF1HashAlgorithm()) - then result = this.getMGF1HashAlgorithm() + if exists(this.getMgf1HashAlgorithm()) + then result = this.getMgf1HashAlgorithm() else result = this } }