hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.23.0
codeql/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java
Nora Dimitrijević 288a938814 Java: convert InsufficientKeySize test to .qlref
2025-06-24 16:42:02 +02:00

257 lines
13 KiB
Java
Raw Permalink Blame History

import javax.crypto.KeyGenerator;
import java.security.KeyPairGenerator;
import java.security.AlgorithmParameterGenerator;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.security.spec.DSAGenParameterSpec;
import javax.crypto.spec.DHGenParameterSpec;
public class InsufficientKeySizeTest {
public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
/* AES (Symmetric): minimum recommended key size is 128 */
{
/* Test with keysize as int */
KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
keyGen1.init(64); // $ Alert
KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
keyGen2.init(128); // Safe: Key size is no less than 128
/* Test with local variable as keysize */
final int size1 = 64; // $ Source// compile-time constant
int size2 = 64; // $ Source// not a compile-time constant
KeyGenerator keyGen3 = KeyGenerator.getInstance("AES");
keyGen3.init(size1); // $ Alert
KeyGenerator keyGen4 = KeyGenerator.getInstance("AES");
keyGen4.init(size2); // $ Alert
/* Test variables passed to another method */
KeyGenerator keyGen5 = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument
testSymmetricVariable(size2, keyGen5); // test with variable as key size
testSymmetricInt(64); // $ Source // test with int literal as key size
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "AES"; // compile-time constant
KeyGenerator keyGen6 = KeyGenerator.getInstance(algoName1);
keyGen6.init(64); // $ Alert
String algoName2 = "AES"; // not a compile-time constant
KeyGenerator keyGen7 = KeyGenerator.getInstance(algoName2);
keyGen7.init(64); // $ MISSING: hasInsufficientKeySize
}
// RSA (Asymmetric): minimum recommended key size is 2048
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA");
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("RSA");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("RSA");
RSAKeyGenParameterSpec rsaSpec = new RSAKeyGenParameterSpec(1024, null); // $ Alert
keyPairGen3.initialize(rsaSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("RSA");
keyPairGen4.initialize(new RSAKeyGenParameterSpec(1024, null)); // $ Alert
/* Test with local variable as keysize */
final int size1 = 1024; // $ Source // compile-time constant
int size2 = 1024; // $ Source // not a compile-time constant
KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("RSA");
keyPairGen5.initialize(size1); // $ Alert
KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("RSA");
keyPairGen6.initialize(size2); // $ Alert
/* Test variables passed to another method */
KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument
testAsymmetricNonEcVariable(size2, keyPairGen7); // test with variable as key size
testAsymmetricNonEcInt(1024); // $ Source // test with int literal as key size
/* Test getting key size as return value of another method */
KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("RSA");
keyPairGen8.initialize(getRSAKeySize()); // $ Alert
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "RSA"; // compile-time constant
KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance(algoName1);
keyPairGen9.initialize(1024); // $ Alert
String algoName2 = "RSA"; // not a compile-time constant
KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance(algoName2);
keyPairGen10.initialize(1024); // $ MISSING: hasInsufficientKeySize
}
// DSA (Asymmetric): minimum recommended key size is 2048
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("DSA");
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DSA");
DSAGenParameterSpec dsaSpec = new DSAGenParameterSpec(1024, 0); // $ Alert
keyPairGen3.initialize(dsaSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ Alert
/* Test `AlgorithmParameterGenerator` */
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DSA");
paramGen.init(1024); // $ Alert
/* Test with variable as algo name argument in `getInstance` method. */
final String algoName1 = "DSA"; // compile-time constant
AlgorithmParameterGenerator paramGen1 = AlgorithmParameterGenerator.getInstance(algoName1);
paramGen1.init(1024); // $ Alert
String algoName2 = "DSA"; // not a compile-time constant
AlgorithmParameterGenerator paramGen2 = AlgorithmParameterGenerator.getInstance(algoName2);
paramGen2.init(1024); // $ MISSING: hasInsufficientKeySize
}
// DH (Asymmetric): minimum recommended key size is 2048
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("dh");
keyPairGen1.initialize(1024); // $ Alert
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DH");
keyPairGen2.initialize(2048); // Safe: Key size is no less than 2048
/* Test spec */
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH");
DHGenParameterSpec dhSpec = new DHGenParameterSpec(1024, 0); // $ Alert
keyPairGen3.initialize(dhSpec);
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ Alert
/* Test `AlgorithmParameterGenerator` */
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH");
paramGen.init(1024); // $ Alert
}
// EC (Asymmetric): minimum recommended key size is 256
{
/* Test with keysize as int */
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("EC");
keyPairGen1.initialize(128); // $ Alert
/* Test with keysize as curve name in spec */
KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // $ Alert
keyPairGen2.initialize(ecSpec1);
KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("EC");
keyPairGen3.initialize(new ECGenParameterSpec("secp112r1")); // $ Alert
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec2 = new ECGenParameterSpec("secp256r1"); // Safe: Key size is no less than 256
keyPairGen4.initialize(ecSpec2);
KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec3 = new ECGenParameterSpec("X9.62 prime192v2"); // $ Alert
keyPairGen5.initialize(ecSpec3);
KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec4 = new ECGenParameterSpec("X9.62 c2tnb191v3"); // $ Alert
keyPairGen6.initialize(ecSpec4);
KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec5 = new ECGenParameterSpec("sect163k1"); // $ Alert
keyPairGen7.initialize(ecSpec5);
KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec6 = new ECGenParameterSpec("X9.62 c2tnb359v1"); // Safe: Key size is no less than 256
keyPairGen8.initialize(ecSpec6);
KeyPairGenerator keyPairGen9 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec7 = new ECGenParameterSpec("prime192v2"); // $ Alert
keyPairGen9.initialize(ecSpec7);
KeyPairGenerator keyPairGen10 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec8 = new ECGenParameterSpec("prime256v1"); // Safe: Key size is no less than 256
keyPairGen10.initialize(ecSpec8);
KeyPairGenerator keyPairGen14 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec9 = new ECGenParameterSpec("c2tnb191v1"); // $ Alert
keyPairGen14.initialize(ecSpec9);
KeyPairGenerator keyPairGen15 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec10 = new ECGenParameterSpec("c2tnb431r1");
keyPairGen15.initialize(ecSpec10); // Safe: Key size is no less than 256
/* Test variables passed to another method */
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ Alert
testAsymmetricEcSpecVariable(ecSpec); // test spec as an argument
int size = 128; // $ Source
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); // MISSING: test KeyGenerator variable as argument
testAsymmetricEcIntVariable(size, keyPairGen); // test with variable as key size
testAsymmetricEcIntLiteral(128); // $ Source // test with int literal as key size
/* Test with variable as curve name argument in `ECGenParameterSpec` constructor. */
final String curveName1 = "secp112r1"; // $ Source // compile-time constant
KeyPairGenerator keyPairGen16 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec11 = new ECGenParameterSpec(curveName1); // $ Alert
keyPairGen16.initialize(ecSpec11);
String curveName2 = "secp112r1"; // $ Source // not a compile-time constant
KeyPairGenerator keyPairGen17 = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec ecSpec12 = new ECGenParameterSpec(curveName2); // $ Alert
keyPairGen17.initialize(ecSpec12);
}
}
public static void testSymmetricVariable(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(keySize); // $ Alert
kg.init(64); // $ MISSING: hasInsufficientKeySize
}
public static void testSymmetricInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(keySize); // $ Alert
}
public static void testAsymmetricNonEcVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(keySize); // $ Alert
kpg.initialize(1024); // $ MISSING: hasInsufficientKeySize
}
public static void testAsymmetricNonEcInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(keySize); // $ Alert
}
public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
keyPairGen.initialize(spec); // sink is above where `spec` variable is initialized
}
public static void testAsymmetricEcIntVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
keyPairGen.initialize(keySize); // $ Alert
kpg.initialize(128); // $ MISSING: hasInsufficientKeySize
}
public static void testAsymmetricEcIntLiteral(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
keyPairGen.initialize(keySize); // $ Alert
}
public int getRSAKeySize(){ return 1024; } // $ Source
}
Reference in New Issue View Git Blame Copy Permalink