Skip to content

Crypto: Add Java Cryptographic Analysis Queries #20605

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 58 commits into
base: main
Choose a base branch
from
+2,193 −395
Open

Crypto: Add Java Cryptographic Analysis Queries #20605

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
58 commits
Select commit Hold shift + click to select a range
c5cf0ff
added java cryptographic check queries
unprovable Oct 1, 2025
f38ab45
removed all @security.severity ratings to keep the main impartial
unprovable Oct 1, 2025
bba541c
Merge remote-tracking branch 'upstream/java-crypto-check' into santan…
bdrodes Oct 8, 2025
cf88e3f
Crypto: Standardize naming where use of "family" and "type" have been…
bdrodes Oct 8, 2025
1b1b333
Crypto: Modify suggested queries per misc. side conversations on stan…
bdrodes Oct 8, 2025
143be8c
Crypto: Remove redundant queries.
bdrodes Oct 8, 2025
bd34b6c
Crypto: Removing JCA model of random, need to reassess this as this i…
bdrodes Oct 8, 2025
83ff70b
Crypto: Adding tests for insecure iv or nonce. Updating generic liter…
bdrodes Oct 8, 2025
8e10e19
Crypto: Adding query for unknown IV initialization.
bdrodes Oct 8, 2025
75b5a9f
Crypto: Update general regression test results to account for removal…
bdrodes Oct 8, 2025
11e8139
Crypto: Updated default flows to use taint tracking (this is needed t…
bdrodes Oct 8, 2025
7a57496
Crypto: Missing test update.
bdrodes Oct 8, 2025
f524de4
Crypto: Updating insecure iv/nonce to consider if an operation is kno…
bdrodes Oct 8, 2025
fdba3ac
Crypto: Fix QL-for-QL alert and auto-format
nicolaswill Oct 9, 2025
c6cc4ff
Crypto: Minor fixes to WeakBlockModes, WeakHash to consider SHA3 ok, …
bdrodes Oct 9, 2025
3dedda4
Merge branch 'santander-java-crypto-check' of https://github.com/bdro…
bdrodes Oct 9, 2025
deb4373
Crypto: Minor fixes to WeakSymmetricCipher, change to a singular name…
bdrodes Oct 9, 2025
fba8087
Crypto: Example query reorg - moving queries of this PR into 'example…
bdrodes Oct 9, 2025
758759a
Crypto: Reused nonce query updates and test updates to address false …
bdrodes Oct 10, 2025
3667365
Crypto: Weak asymmetric key gen size fixes and test.
bdrodes Oct 10, 2025
ffd191d
Crypto: missing new endpoint to get the creating operation for a key …
bdrodes Oct 10, 2025
d68f3cf
Crypto: InsecureIVorNonceSource now ignored null to avoid being too n…
bdrodes Oct 10, 2025
e76ced1
Crypto: Updating weak asymmetric key gen to include key exchange.
bdrodes Oct 10, 2025
08abdb8
Crypto: Adding a "javaConstant" concept to handle config files.
bdrodes Oct 13, 2025
4b241d7
Crypto: adding initial weak hash query overhaul and tests, but no exp…
bdrodes Oct 13, 2025
bd068c2
Crypto: Updating expected file for weak asymmetric key gen size.
bdrodes Oct 13, 2025
76128ed
Crypto: Update InsecureIVorNonce to be a path problem.
bdrodes Oct 13, 2025
7847e92
Crypto: Update KDF iteration and count to be path problems
bdrodes Oct 13, 2025
8b5a423
Crypto: Convert ReusedNonce.ql into a path problem.
bdrodes Oct 13, 2025
7e8acd7
Crypto: Update WeakAsymmetricKeyGenSize to a path problem.
bdrodes Oct 13, 2025
55bbcee
Crypto: Make WeakAsymmetricKeyGenSize a path problem.
bdrodes Oct 13, 2025
ee08385
Crytpo: Update JCA keyagreement to type conversion, XDH is a type of …
bdrodes Oct 15, 2025
bf9a249
Crypto: Experimental queries for mac ordering
bdrodes Oct 15, 2025
c7be23e
Crypto: Remove all precision tags from all experimental queries. Prec…
bdrodes Oct 15, 2025
631e482
Crytpo: when key encapsulation or cipher operations have multiple mod…
bdrodes Oct 15, 2025
c6174fb
Crypto: remove precision tag
bdrodes Oct 15, 2025
9a6aac1
Crypto: To get unreferenced parameters as general sources for Java, I…
bdrodes Oct 15, 2025
15e266d
Crypto: Tweaks to bad crypto ordering queries.
bdrodes Oct 15, 2025
25599e9
crypto: Update JCA model macs to take into consideration update calls…
bdrodes Oct 15, 2025
4860034
Crypto: Weak Hash test cases update and expected file.
bdrodes Oct 16, 2025
d2598d4
Crypto: Updating weak hash tests
bdrodes Oct 16, 2025
79ccef3
Crypto: Initial sketch for unknown hash, the model needs to recognize…
bdrodes Oct 16, 2025
a64a24d
Crypto: Comment in Language.qll
bdrodes Oct 16, 2025
3f36b09
Crypto: Rename tests for weak asymmetric key gen size.
bdrodes Oct 16, 2025
b9b0037
Crypto: Comment todo for observed missing modeled case. Tests for wea…
bdrodes Oct 16, 2025
700f34e
Crypto: Bad Mac use tests, and fix for BadMacOrderMacOnEncryptPlainte…
bdrodes Oct 16, 2025
5923e5c
Crypto: Bad expected files in last push.
bdrodes Oct 16, 2025
ef6f022
Crypto: Addressing FPs in BadMacOrderMacOnEncryptPlaintext
bdrodes Oct 16, 2025
ff7840d
Crypto: removing precision tags on experimental queries.
bdrodes Oct 17, 2025
628bab9
Crypto: Modify BadMacOrderMacOnEncryptPlaintext to be a path query th…
bdrodes Oct 17, 2025
e127341
Crypto: WeakKDFKeySize tests.
bdrodes Oct 17, 2025
f480d90
Crypto: Add missing block mode JCA Models, add block mode unit tests
bdrodes Oct 17, 2025
b4ecb91
Crypto: Add missing cipher algorithms to JCA. Update node tests to ac…
bdrodes Oct 17, 2025
1b205d8
Removing WeakRSA, this is redundant with weak asymmetric key size.
bdrodes Oct 17, 2025
b06e053
Crypto: altering all query IDs in examples to have "examples" in the …
bdrodes Oct 17, 2025
540daa6
Crypto: weak symmetric cipher tests.
bdrodes Oct 17, 2025
c01c060
Crypto: more ID renaming to include "examples", fix singleton issues …
bdrodes Oct 17, 2025
2b683c2
Merge branch 'main' into santander-java-crypto-check
bdrodes Oct 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ...ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
result = this.(Call).getTarget().getName()
}

override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
override Crypto::EllipticCurveType getEllipticCurveType() {
if
Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
_)
Expand Down
2 changes: 1 addition & 1 deletion cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance

override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }

override Crypto::THashType getHashFamily() {
override Crypto::THashType getHashType() {
knownOpenSslConstantToHashFamilyType(this, result)
or
not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
Expand Down
Loading
Loading