Crypto: Updating weak asymmetric key gen to include key exchange.

REDMOND\brodes
2025-10-10 15:32:39 -04:00
parent d68f3cff8b
commit e76ced1513
2 changed files with 3 additions and 1 deletions


@@ -17,6 +17,7 @@ where
key.getCreatingOperation().getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize and
alg = key.getAKnownAlgorithm() and // NOTE: if algorithm is not known (doesn't bind) we need a separate query
not alg instanceof Crypto::EllipticCurveNode and // Elliptic curve sizes are handled separately and are more tied directly to the algorithm
alg instanceof Crypto::AsymmetricAlgorithmNode and
keySize < 2048
select key, "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm $@",
alg, alg.getAlgorithmName()
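Review bot: The `keySize < 2048` bound in this `where` clause now also applies to key agreement algorithms, because `Crypto::AsymmetricAlgorithmNode` gains a `KeyAgreementAlgorithmNode` disjunct in the second file of this commit, while the only elliptic-curve exemption here is still `not alg instanceof Crypto::EllipticCurveNode`. If `key.getAKnownAlgorithm()` can bind to the agreement node itself for curve-based exchanges (ECDH, X25519) rather than to the curve, 256-bit keys would be reported as weak; that modelling is not visible in this hunk, so a test case with an elliptic-curve key agreement would settle it. If the overlap is real, limit the 2048-bit floor to finite-field agreement or exclude curve-based agreement next to the existing `EllipticCurveNode` line. A comment on the `alg instanceof Crypto::AsymmetricAlgorithmNode` line, such as `// also matches key agreement (e.g. DH): AsymmetricAlgorithmNode includes KeyAgreementAlgorithmNode`, would explain why exchange keys show up in the results. The query's `from` clause and header start outside the hunk.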


@@ -1467,7 +1467,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
class AsymmetricAlgorithmNode extends TKeyCreationCandidateAlgorithm instanceof AlgorithmNode {
AsymmetricAlgorithmNode() {
this instanceof EllipticCurveNode or
this.(KeyOperationAlgorithmNode).isAsymmetric()
this.(KeyOperationAlgorithmNode).isAsymmetric() or
this instanceof KeyAgreementAlgorithmNode
}
string toString() { result = super.toString() }