Skip to content

Commit 4df0fbc

Browse files
Jami CogswellJami Cogswell
Jami Cogswell
authored and
Jami Cogswell
committed
update tests
1 parent dc8b62b commit 4df0fbc

File tree

2 files changed

+32
-40
lines changed

2 files changed

+32
-40
lines changed

java/ql/lib/semmle/code/java/security/Encryption.qll

Lines changed: 3 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -325,19 +325,13 @@ class JavaxCryptoSecretKey extends JavaxCryptoAlgoSpec {
325325

326326
class JavaxCryptoKeyGenerator extends JavaxCryptoAlgoSpec {
327327
JavaxCryptoKeyGenerator() {
328-
exists(Constructor c | c.getAReference() = this | c.getDeclaringType() instanceof KeyGenerator)
329-
or
330328
exists(Method m | m.getAReference() = this |
331329
m.getDeclaringType() instanceof KeyGenerator and
332330
m.getName() = "getInstance"
333331
)
334332
}
335333

336-
override Expr getAlgoSpec() {
337-
exists(Call c | c = this |
338-
if c.getNumArgument() = 3 then result = c.getArgument(2) else result = c.getArgument(0)
339-
)
340-
}
334+
override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
341335
}
342336

343337
class JavaxCryptoKeyAgreement extends JavaxCryptoAlgoSpec {
@@ -392,17 +386,13 @@ class JavaSecuritySignature extends JavaSecurityAlgoSpec {
392386
/** An instance of a `java.security.KeyPairGenerator`. */
393387
class JavaSecurityKeyPairGenerator extends JavaSecurityAlgoSpec {
394388
JavaSecurityKeyPairGenerator() {
395-
exists(Constructor c | c.getAReference() = this |
396-
c.getDeclaringType() instanceof KeyPairGenerator
397-
)
398-
or
399389
exists(Method m | m.getAReference() = this |
400390
m.getDeclaringType() instanceof KeyPairGenerator and
401391
m.getName() = "getInstance"
402392
)
403393
}
404394

405-
override Expr getAlgoSpec() { result = this.(Call).getArgument(0) }
395+
override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
406396
}
407397

408398
/** The Java class `java.security.AlgorithmParameterGenerator`. */
@@ -423,21 +413,13 @@ class AlgoParamGeneratorInitMethod extends Method {
423413
/** An instance of a `java.security.AlgorithmParameterGenerator`. */
424414
class JavaSecurityAlgoParamGenerator extends JavaSecurityAlgoSpec {
425415
JavaSecurityAlgoParamGenerator() {
426-
exists(Constructor c | c.getAReference() = this |
427-
c.getDeclaringType() instanceof AlgorithmParameterGenerator
428-
)
429-
or
430416
exists(Method m | m.getAReference() = this |
431417
m.getDeclaringType() instanceof AlgorithmParameterGenerator and
432418
m.getName() = "getInstance"
433419
)
434420
}
435421

436-
override Expr getAlgoSpec() {
437-
exists(Call c | c = this |
438-
if c.getNumArgument() = 3 then result = c.getArgument(2) else result = c.getArgument(0)
439-
)
440-
}
422+
override Expr getAlgoSpec() { result = this.(MethodAccess).getArgument(0) }
441423
}
442424

443425
/** The Java interface `java.security.spec.AlgorithmParameterSpec` */

java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.java

Lines changed: 29 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
import javax.crypto.KeyGenerator;
22
import java.security.KeyPairGenerator;
3+
import java.security.AlgorithmParameterGenerator;
34

45
import java.security.spec.ECGenParameterSpec;
56
import java.security.spec.RSAKeyGenParameterSpec;
@@ -30,8 +31,8 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java
3031
keyGen4.init(size2); // $ hasInsufficientKeySize
3132

3233
/* Test variables passed to another method */
33-
KeyGenerator keyGen = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument
34-
testSymmetricVariable(size2, keyGen); // test with variable as key size
34+
KeyGenerator keyGen5 = KeyGenerator.getInstance("AES"); // MISSING: test KeyGenerator variable as argument
35+
testSymmetricVariable(size2, keyGen5); // test with variable as key size
3536
testSymmetricInt(64); // test with int literal as key size
3637
}
3738

@@ -62,9 +63,13 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java
6263
keyPairGen6.initialize(size2); // $ hasInsufficientKeySize
6364

6465
/* Test variables passed to another method */
65-
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument
66-
testAsymmetricNonEcVariable(size2, keyPairGen); // test with variable as key size
66+
KeyPairGenerator keyPairGen7 = KeyPairGenerator.getInstance("RSA"); // MISSING: test KeyGenerator variable as argument
67+
testAsymmetricNonEcVariable(size2, keyPairGen7); // test with variable as key size
6768
testAsymmetricNonEcInt(1024); // test with int literal as key size
69+
70+
/* Test getting key size as return value of another method */
71+
KeyPairGenerator keyPairGen8 = KeyPairGenerator.getInstance("RSA");
72+
keyPairGen8.initialize(getRSAKeySize()); // $ hasInsufficientKeySize
6873
}
6974

7075
// DSA (Asymmetric): minimum recommended key size is 2048
@@ -82,6 +87,10 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java
8287

8388
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DSA");
8489
keyPairGen4.initialize(new DSAGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
90+
91+
/* Test `AlgorithmParameterGenerator` */
92+
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DSA");
93+
paramGen.init(1024); // $ hasInsufficientKeySize
8594
}
8695

8796
// DH (Asymmetric): minimum recommended key size is 2048
@@ -99,6 +108,10 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java
99108

100109
KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("DH");
101110
keyPairGen4.initialize(new DHGenParameterSpec(1024, 0)); // $ hasInsufficientKeySize
111+
112+
/* Test `AlgorithmParameterGenerator` */
113+
AlgorithmParameterGenerator paramGen = AlgorithmParameterGenerator.getInstance("DH");
114+
paramGen.init(1024); // $ hasInsufficientKeySize
102115
}
103116

104117
// EC (Asymmetric): minimum recommended key size is 256
@@ -153,8 +166,11 @@ public void keySizeTesting() throws java.security.NoSuchAlgorithmException, java
153166

154167
/* Test variables passed to another method */
155168
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
169+
testAsymmetricEcSpecVariable(ecSpec); // test spec as an argument
170+
int size = 128;
156171
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC"); // MISSING: test KeyGenerator variable as argument
157-
testAsymmetricEC(ecSpec, keyPairGen); // test spec as an argument
172+
testAsymmetricEcIntVariable(size, keyPairGen); // test with variable as key size
173+
testAsymmetricEcIntLiteral(128); // test with int literal as key size
158174
}
159175
}
160176

@@ -180,27 +196,21 @@ public static void testAsymmetricNonEcInt(int keySize) throws java.security.NoSu
180196
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
181197
}
182198

183-
public static void testAsymmetricEcVariable(ECGenParameterSpec spec, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
199+
public static void testAsymmetricEcSpecVariable(ECGenParameterSpec spec) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
184200
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
185201
keyPairGen.initialize(spec); // sink is above where `spec` variable is initialized
186-
187-
ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // $ hasInsufficientKeySize
188-
kpg.initialize(ecSpec); // MISSING: test KeyGenerator variable as argument
189202
}
190203

191-
public static void testAsymmetricEcInt(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
204+
public static void testAsymmetricEcIntVariable(int keySize, KeyPairGenerator kpg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
192205
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
193206
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
207+
kpg.initialize(128); // $ MISSING: hasInsufficientKeySize
194208
}
195209

196-
// public static void testVariable(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
197-
// KeyGenerator keyGen = KeyGenerator.getInstance("AES");
198-
// keyGen.init(keySize); // $ hasInsufficientKeySize
199-
200-
// // BAD: Key size is less than 2048
201-
// kg.init(64); // $ MISSING: hasInsufficientKeySize
202-
// }
210+
public static void testAsymmetricEcIntLiteral(int keySize) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
211+
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("EC");
212+
keyPairGen.initialize(keySize); // $ hasInsufficientKeySize
213+
}
203214

204-
// public static void testInt(int keySize, KeyGenerator kg) throws java.security.NoSuchAlgorithmException, java.security.InvalidAlgorithmParameterException {
205-
// }
215+
public int getRSAKeySize(){ return 1024; }
206216
}

0 commit comments

Comments
 (0)