hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2a8d58e0233784a4a97b1af9eb96f86dd738eaf
codeql/java/ql/test/experimental/library-tests/quantum/jca/Encryption1.java
REDMOND\brodes abeb3141b1 Crypto: Formatting test cases, more removal of non-ascii
2025-10-06 10:46:09 -04:00

183 lines
7.7 KiB
Java
Raw Blame History

package com.example.crypto.algorithms;
//import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
/**
* This class demonstrates several encryption schemes along with SAST/CBOM
* classification notes.
*
* Methods include:
*
* 1. simpleAESEncryption: Uses AES in GCM mode.
* - CBOM: AES-GCM is classified as secure (Parent: AEAD).
* - SAST: Secure symmetric encryption pattern; safe when used properly.
*
* 2. insecureAESWithECB: Uses AES in ECB mode.
* - CBOM: AES-ECB is classified as insecure (Parent: SymmetricEncryption).
* - SAST: Insecure encryption pattern; flagged as vulnerable due to lack of IV
* and predictable structure.
*
* 3. rsaOaepEncryption / rsaOaepDecryption: Use RSA with OAEP padding.
* - CBOM: RSA-OAEP is classified as secure for public-key encryption (Parent:
* Hybrid Cryptosystem).
* - SAST: Secure for small payloads/key encapsulation; must only encrypt small
* data blocks.
*
* 4. rsaKemEncryption: Demonstrates a key encapsulation mechanism (KEM) using
* RSA-OAEP.
* - CBOM: RSA-KEM is recognized as secure (Parent: RSA-OAEP based KEM).
* - SAST: Secure when used to encapsulate symmetric keys in a hybrid system.
*
* 5. hybridEncryption: Combines RSA-OAEP for key encapsulation with AES-GCM for
* data encryption.
* - CBOM: Hybrid encryption (Parent: RSA-OAEP + AES-GCM) is classified as
* secure.
* - SAST: Secure hybrid encryption pattern; recommended for large data
* encryption.
*/
public class Encryption1 {
// static {
// Security.addProvider(new BouncyCastleProvider());
// }
/**
* Simple AES-GCM encryption.
*
* SAST/CBOM Notes:
* - Algorithm: AES/GCM/NoPadding with a 256-bit key.
* - Parent Classification: AEAD (Authenticated Encryption with Associated
* Data).
* - SAST: Considered safe when properly implemented (uses IV and tag).
*/
public void simpleAESEncryption() throws Exception {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // 256-bit AES key.
SecretKey key = keyGen.generateKey();
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
byte[] iv = new byte[12]; // 12-byte IV recommended for GCM.
new SecureRandom().nextBytes(iv);
GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv); // 128-bit authentication tag.
cipher.init(Cipher.ENCRYPT_MODE, key, gcmSpec);
byte[] encryptedData = cipher.doFinal("Sensitive Data".getBytes());
System.out.println("AES-GCM Encrypted Data: " + Base64.getEncoder().encodeToString(encryptedData));
}
/**
* Insecure AES encryption using ECB mode.
*
* SAST/CBOM Notes:
* - Algorithm: AES/ECB/NoPadding with a 256-bit key.
* - Parent Classification: SymmetricEncryption (ECB mode is inherently
* insecure).
* - SAST: Flagged as vulnerable; ECB mode does not use an IV and reveals data
* patterns.
*/
public void insecureAESWithECB() throws Exception {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // 256-bit AES key.
SecretKey key = keyGen.generateKey();
// AES/ECB mode is insecure due to the deterministic nature of the block cipher
// without an IV.
Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] encryptedData = cipher.doFinal("Sensitive Data".getBytes());
System.out.println("AES-ECB Encrypted Data (Insecure): " + Base64.getEncoder().encodeToString(encryptedData));
}
/**
* RSA encryption using OAEP with SHA-256 and MGF1 padding.
*
* SAST/CBOM Notes:
* - Algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding.
* - Parent Classification: Hybrid Cryptosystem. RSA-OAEP is commonly used in
* hybrid schemes.
* - SAST: Secure for encrypting small payloads or for key encapsulation;
* caution when encrypting large data.
*/
public void rsaOaepEncryption(PublicKey publicKey, String data) throws Exception {
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
cipher.init(Cipher.ENCRYPT_MODE, publicKey);
byte[] encryptedData = cipher.doFinal(data.getBytes());
System.out.println("RSA-OAEP Encrypted Data: " + Base64.getEncoder().encodeToString(encryptedData));
}
/**
* RSA decryption using OAEP with SHA-256 and MGF1 padding.
*
* SAST/CBOM Notes:
* - Algorithm: RSA/ECB/OAEPWithSHA-256AndMGF1Padding.
* - Parent Classification: Hybrid Cryptosystem.
* - SAST: Secure when used with the correct corresponding private key.
*/
public void rsaOaepDecryption(PrivateKey privateKey, byte[] encryptedData) throws Exception {
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
cipher.init(Cipher.DECRYPT_MODE, privateKey);
byte[] decryptedData = cipher.doFinal(encryptedData);
System.out.println("Decrypted RSA-OAEP Data: " + new String(decryptedData));
}
/**
* RSA-KEM encryption: encapsulates an AES key using RSA-OAEP.
*
* SAST/CBOM Notes:
* - Algorithm: RSA-OAEP used as a Key Encapsulation Mechanism (KEM) for an AES
* key.
* - Parent Classification: RSA-OAEP based KEM.
* - SAST: Recognized as a secure key encapsulation pattern; used as part of
* hybrid encryption schemes.
*/
public void rsaKemEncryption(PublicKey rsaPublicKey) throws Exception {
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // 256-bit AES key.
SecretKey aesKey = keyGen.generateKey();
Cipher rsaCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
rsaCipher.init(Cipher.ENCRYPT_MODE, rsaPublicKey);
byte[] encryptedAesKey = rsaCipher.doFinal(aesKey.getEncoded());
System.out.println("RSA-KEM Encrypted AES Key: " + Base64.getEncoder().encodeToString(encryptedAesKey));
}
/**
* Hybrid encryption: combines RSA-OAEP for key encapsulation with AES-GCM for
* data encryption.
*
* SAST/CBOM Notes:
* - Algorithms: RSA-OAEP (for encrypting the AES key) and AES-GCM (for
* encrypting the data).
* - Parent Classification: Hybrid Cryptosystem (RSA-OAEP + AES-GCM).
* - SAST: This pattern is considered secure when implemented correctly;
* recommended for large data encryption.
*/
public void hybridEncryption(PublicKey rsaPublicKey, String data) throws Exception {
// Generate a 256-bit AES key for symmetric encryption.
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256);
SecretKey aesKey = keyGen.generateKey();
// Encrypt the AES key using RSA-OAEP.
Cipher rsaCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
rsaCipher.init(Cipher.ENCRYPT_MODE, rsaPublicKey);
byte[] encryptedAesKey = rsaCipher.doFinal(aesKey.getEncoded());
// Encrypt the actual data using AES-GCM.
Cipher aesCipher = Cipher.getInstance("AES/GCM/NoPadding");
byte[] iv = new byte[12]; // 12-byte IV recommended for GCM.
new SecureRandom().nextBytes(iv);
GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv);
aesCipher.init(Cipher.ENCRYPT_MODE, aesKey, gcmSpec);
byte[] encryptedData = aesCipher.doFinal(data.getBytes());
System.out.println(
"Hybrid Encryption - Encrypted AES Key: " + Base64.getEncoder().encodeToString(encryptedAesKey));
System.out.println("Hybrid Encryption - Encrypted Data: " + Base64.getEncoder().encodeToString(encryptedData));
}
}
Reference in New Issue View Git Blame Copy Permalink