Updated Bouncy Castle algorithm instances

- Signature operations are now handled by a single algorithm instance
- All key generation operations except generic EC key generation
  operations are now handled by a single algorithm instance
- Ed25519 and Ed448 key generation have the algorithm set to Ed25519 and
  Ed448 respectively
- For generic EC key generation operations the algorithm is given by the
  corresponding curve (since these could be used for either ECDSA or ECDH)

Author: fegge

java/ql/lib/experimental/quantum/BouncyCastle/AlgorithmInstances.qll

@@ -22,30 +22,11 @@ class EllipticCurveStringLiteralArg extends EllipticCurveAlgorithmValueConsumer
 }
 
 /**
- * An AVC for a signature algorithm where the algorithm is implicitly defined by
- * the constructor.
+ * An AVC representing the block cipher argument passed to an block cipher mode
+ * constructor.
  */
-abstract class SignatureAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
-}
-
-/**
- * An AVC for a key generation algorithm where the algorithm is implicitly
- * defined by the constructor.
- */
-abstract class KeyGenerationAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
-}
-
-/**
- * A block cipher argument passed to an block cipher mode constructor.
- */
-class BlockCipherAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Expr {
-  BlockCipherAlgorithmValueConsumer() {
+class BlockCipherAlgorithmArg extends Crypto::AlgorithmValueConsumer instanceof Expr {
+  BlockCipherAlgorithmArg() {
     this = any(BlockCipherModeAlgorithmInstance mode).getBlockCipherArg()
   }
 
@@ -57,14 +38,9 @@ class BlockCipherAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer i
 }
 
 /**
- * An AVC for a block cipher mode implicitly defined by the constructor.
+ * An AVC for an algorithm that is implicitly defined by the instance.
  */
-abstract class BlockCipherModeAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof ClassInstanceExpr
-{
-  BlockCipherModeAlgorithmValueConsumer() {
-    this.getType() instanceof Modes::UnpaddedBlockCipherMode
-  }
-
+abstract class ImplicitAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
   override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }

java/ql/lib/experimental/quantum/BouncyCastle/AlgorithmValueConsumers.qll

@@ -362,7 +362,7 @@ module EllipticCurveStringLiteralToConsumerFlow {
     predicate isSource(DataFlow::Node src) { src.asExpr() instanceof StringLiteral }
 
     predicate isSink(DataFlow::Node sink) {
-      exists(EllipticCurveAlgorithmValueConsumer consumer | sink = consumer.getInputNode())
+      exists(Crypto::AlgorithmValueConsumer consumer | sink = consumer.getInputNode())
     }
 
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
@@ -374,7 +374,7 @@ module EllipticCurveStringLiteralToConsumerFlow {
   private module EllipticCurveStringLiteralToAlgorithmValueConsumerFlow =
     DataFlow::Global<EllipticCurveStringLiteralToAlgorithmValueConsumerConfig>;
 
-  EllipticCurveAlgorithmValueConsumer getConsumerFromLiteral(
+  Crypto::AlgorithmValueConsumer getConsumerFromLiteral(
     StringLiteral literal, EllipticCurveStringLiteralToAlgorithmValueConsumerFlow::PathNode src,
     EllipticCurveStringLiteralToAlgorithmValueConsumerFlow::PathNode sink
   ) {

java/ql/lib/experimental/quantum/BouncyCastle/FlowAnalysis.qll

@@ -233,7 +233,7 @@ module Signers {
    * BouncyCastle algorithms are instantiated by calling the constructor of the
    * corresponding class, which also represents the algorithm instance.
    */
-  private class SignerNewCall = SignatureAlgorithmInstance;
+  private class SignerNewCall = ImplicitSignatureClassInstanceExpr;
 
   /**
    * The type is instantiated by a constructor call and initialized by a call to
@@ -389,7 +389,17 @@ module Generators {
    * BouncyCastle algorithms are instantiated by calling the constructor of the
    * corresponding class, which also represents the algorithm instance.
    */
-  private class KeyGeneratorNewCall = KeyGenerationAlgorithmInstance;
+  private class KeyGeneratorNewCall extends ClassInstanceExpr {
+    KeyGeneratorNewCall() { this.getConstructedType() instanceof KeyGenerator }
+
+    // Used for data flow from elliptic curve string literals to the algorithm
+    // instance.
+    DataFlow::Node getParametersInput() { none() }
+
+    // Used for data flow from elliptic curve string literals to the algorithm
+    // instance.
+    DataFlow::Node getEllipticCurveInput() { none() }
+  }
 
   /**
    * A call to a key generator `init()` method.
@@ -414,18 +424,19 @@ module Generators {
 
     KeyGeneratorUseCall() { this = gen.getAUseCall() }
 
-    // Since key generators don't have `update()` methods, this is always false.
+    // This is used to define the `NewToInitToUse` data flow. Since key
+    // generators don't have `update()` methods, this is always false.
     predicate isIntermediate() { none() }
 
     Crypto::KeyArtifactType getKeyType() { result = gen.getKeyType() }
 
     Expr getOutput() { result = this }
   }
 
-  module KeyGeneratorFlow =
+  private module KeyGeneratorFlow =
     NewToInitToUseFlow<KeyGeneratorNewCall, KeyGeneratorInitCall, KeyGeneratorUseCall>;
 
-  module ParametersFlow =
+  private module ParametersFlow =
     ParametersToInitFlow<Params::ParametersInstantiation, KeyGeneratorInitCall>;
 
   /**
@@ -436,8 +447,12 @@ module Generators {
   class KeyGenerationOperationInstance extends Crypto::KeyGenerationOperationInstance instanceof KeyGeneratorUseCall
   {
     override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-      // The algorithm is implicitly defined by the key generator type, which is
-      // determined by the constructor call.
+      // For most Bouncy Castle key generators, the algorithm is implicitly
+      // defined by the type, and so we use the constructor call to represent
+      // the AVC.
+      //
+      // TODO: Avoid using data flow for this and use the operation instance to
+      // represent the AVC and algorithm instance whenever it makes sense.
       result = KeyGeneratorFlow::getNewFromUse(this, _, _)
     }
 
@@ -448,7 +463,14 @@ module Generators {
     override Crypto::KeyArtifactType getOutputKeyType() { result = super.getKeyType() }
 
     override int getKeySizeFixed() {
-      result = KeyGeneratorFlow::getNewFromUse(this, _, _).getKeySizeFixed()
+      // Either the algorithm is a key operation algorithm or an elliptic curve.
+      // For elliptic curve, the key size depends on the curve, so we don't
+      // return anything.
+      result =
+        this.getAnAlgorithmValueConsumer()
+            .getAKnownAlgorithmSource()
+            .(Crypto::KeyOperationAlgorithmInstance)
+            .getKeySizeFixed()
     }
 
     override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
@@ -462,6 +484,25 @@ module Generators {
       )
     }
   }
+
+  /**
+   * A generic elliptic curve key generation operation using `ECKeyPairGenerator`.
+   */
+  class EllipticCurveKeyGenerationOperationInstance extends KeyGenerationOperationInstance instanceof KeyGeneratorUseCall
+  {
+    EllipticCurveKeyGenerationOperationInstance() {
+      super.getQualifier().getType().getName().matches("EC%")
+    }
+
+    // We attempt to resolve the elliptic curve algorithm from the
+    // `KeyGenerationParameters` argument to `init()`.
+    override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+      exists(KeyGeneratorInitCall init |
+        init = KeyGeneratorFlow::getInitFromUse(this, _, _) and
+        result = ParametersFlow::getParametersFromInit(init, _, _).getAnAlgorithmValueConsumer()
+      )
+    }
+  }
 }
 
 module Modes {

java/ql/lib/experimental/quantum/BouncyCastle/OperationInstances.qll

@@ -21,14 +21,14 @@
 /**
  * Test Bouncy Castle's low-level ECDSA API
  */
-public class ECDSAP256SignAndVerify {
+public class ECDSASignAndVerify {
 
     public static void main(String[] args) {
         // Add Bouncy Castle provider
         Security.addProvider(new BouncyCastleProvider());
 
         try {
-            byte[] message = "Hello, ECDSA P-256 signature!".getBytes("UTF-8");
+            byte[] message = "Hello, ECDSA signature!".getBytes("UTF-8");
 
             // Test different key generation methods
             signWithKeyPair(generateKeyPair1(), message);

…stle/signers/ECDSAP256SignAndVerify.java …cyCastle/signers/ECDSASignAndVerify.javajava/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/ECDSAP256SignAndVerify.java renamed to java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/ECDSASignAndVerify.java java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/ECDSAP256SignAndVerify.java renamed to java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/ECDSASignAndVerify.java

@@ -16,7 +16,7 @@
  * low-level API.
  * 
  */
-public class LMSSignature {
+public class LMSSignAndVerify {
     public static void main(String[] args) {
         Security.addProvider(new BouncyCastleProvider());
 
@@ -37,18 +37,15 @@ public static void main(String[] args) {
 
             byte[] message = "Hello, LMS signature!".getBytes("UTF-8");
 
-            LMSSigner signer = new LMSSigner();
-            
             // Sign the message
+            LMSSigner signer = new LMSSigner();
             signer.init(true, privateKey); // true for signing
             byte[] signature = signer.generateSignature(message);
 
             // Verify the signature
-            //
-            // TODO: Using the same signer instance for verification causes both
-            // keys to be reported. This should be handled using dataflow.
-            signer.init(false, publicKey);   
-            boolean verified = signer.verifySignature(message, signature);
+            LMSSigner verifier = new LMSSigner();
+            verifier.init(false, publicKey);   
+            boolean verified = verifier.verifySignature(message, signature);
 
             System.out.println("Signature verified: " + verified);
         } catch (Exception e) {

…m/BouncyCastle/signers/LMSSignature.java …uncyCastle/signers/LMSSignAndVerify.javajava/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/LMSSignature.java renamed to java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/LMSSignAndVerify.java java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/LMSSignature.java renamed to java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/LMSSignAndVerify.java

@@ -1,12 +1,5 @@
-| ECDSAP256SignAndVerify.java:115:27:115:36 | Key | ECDSAP256SignAndVerify.java:57:16:57:49 | Key |
-| ECDSAP256SignAndVerify.java:115:27:115:36 | Key | ECDSAP256SignAndVerify.java:80:16:80:49 | Key |
-| ECDSAP256SignAndVerify.java:115:27:115:36 | Key | ECDSAP256SignAndVerify.java:103:16:103:49 | Key |
-| ECDSAP256SignAndVerify.java:120:30:120:38 | Key | ECDSAP256SignAndVerify.java:57:16:57:49 | Key |
-| ECDSAP256SignAndVerify.java:120:30:120:38 | Key | ECDSAP256SignAndVerify.java:80:16:80:49 | Key |
-| ECDSAP256SignAndVerify.java:120:30:120:38 | Key | ECDSAP256SignAndVerify.java:103:16:103:49 | Key |
-| Ed448SignAndVerify.java:30:31:30:40 | Key | Ed448SignAndVerify.java:21:47:21:80 | Key |
-| Ed448SignAndVerify.java:38:34:38:42 | Key | Ed448SignAndVerify.java:21:47:21:80 | Key |
-| Ed25519SignAndVerify.java:30:31:30:40 | Key | Ed25519SignAndVerify.java:21:47:21:80 | Key |
-| Ed25519SignAndVerify.java:38:34:38:42 | Key | Ed25519SignAndVerify.java:21:47:21:80 | Key |
-| LMSSignature.java:43:31:43:40 | Key | LMSSignature.java:33:47:33:74 | Key |
-| LMSSignature.java:50:32:50:40 | Key | LMSSignature.java:33:47:33:74 | Key |
+| ECDSASignAndVerify.java:57:16:57:49 | Key | secp256r1 |
+| ECDSASignAndVerify.java:80:16:80:49 | Key | secp256k1 |
+| Ed448SignAndVerify.java:21:47:21:80 | Key | Ed448 |
+| Ed25519SignAndVerify.java:21:47:21:80 | Key | Ed25519 |
+| LMSSignAndVerify.java:33:47:33:74 | Key | LMS |

java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/key_artifacts.expected

@@ -2,4 +2,4 @@ import java
 import experimental.quantum.Language
 
 from Crypto::KeyArtifactNode n
-select n, n.getSourceNode()
+select n, n.getAKnownAlgorithm()

java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/key_artifacts.ql

@@ -1,6 +1,5 @@
-| ECDSAP256SignAndVerify.java:57:16:57:49 | KeyGeneration | ECDSAP256SignAndVerify.java:57:16:57:49 | Key |
-| ECDSAP256SignAndVerify.java:80:16:80:49 | KeyGeneration | ECDSAP256SignAndVerify.java:80:16:80:49 | Key |
-| ECDSAP256SignAndVerify.java:103:16:103:49 | KeyGeneration | ECDSAP256SignAndVerify.java:103:16:103:49 | Key |
-| Ed448SignAndVerify.java:21:47:21:80 | KeyGeneration | Ed448SignAndVerify.java:21:47:21:80 | Key |
-| Ed25519SignAndVerify.java:21:47:21:80 | KeyGeneration | Ed25519SignAndVerify.java:21:47:21:80 | Key |
-| LMSSignature.java:33:47:33:74 | KeyGeneration | LMSSignature.java:33:47:33:74 | Key |
+| ECDSASignAndVerify.java:57:16:57:49 | KeyGeneration | ECDSASignAndVerify.java:47:28:47:38 | EllipticCurve | ECDSASignAndVerify.java:57:16:57:49 | Key |
+| ECDSASignAndVerify.java:80:16:80:49 | KeyGeneration | ECDSASignAndVerify.java:65:28:65:38 | EllipticCurve | ECDSASignAndVerify.java:80:16:80:49 | Key |
+| Ed448SignAndVerify.java:21:47:21:80 | KeyGeneration | Ed448SignAndVerify.java:19:54:19:80 | KeyOperationAlgorithm | Ed448SignAndVerify.java:21:47:21:80 | Key |
+| Ed25519SignAndVerify.java:21:47:21:80 | KeyGeneration | Ed25519SignAndVerify.java:19:56:19:84 | KeyOperationAlgorithm | Ed25519SignAndVerify.java:21:47:21:80 | Key |
+| LMSSignAndVerify.java:33:47:33:74 | KeyGeneration | LMSSignAndVerify.java:31:46:31:70 | KeyOperationAlgorithm | LMSSignAndVerify.java:33:47:33:74 | Key |

java/ql/test/experimental/library-tests/quantum/BouncyCastle/signers/key_generation_operations.expected

@@ -2,4 +2,4 @@ import java
 import experimental.quantum.Language
 
 from Crypto::KeyGenerationOperationNode n
-select n, n.getOutputKeyArtifact()
+select n, n.getAKnownAlgorithm(), n.getOutputKeyArtifact()