Crypto: Formatting test cases, more removal of non-ascii

Author: bdrodes

java/ql/test/experimental/library-tests/quantum/jca/AesWrapAndPBEWith.java

@@ -1,7 +1,6 @@
 package com.example.crypto.algorithms;
 
 //import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
 import java.security.*;
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
@@ -20,29 +19,23 @@
  *
  * This file includes:
  *
- * 1. AESWrap Examples:
- * - secureAESWrap(): Uses a randomly generated wrapping key.
- * - insecureAESWrap(): Uses a fixed, hard-coded wrapping key.
+ * 1. AESWrap Examples: - secureAESWrap(): Uses a randomly generated wrapping
+ * key. - insecureAESWrap(): Uses a fixed, hard-coded wrapping key.
  *
- * 2. PBEWith Examples:
- * - insecurePBEExample(): Uses the legacy PBEWithMD5AndDES.
- * - securePBEExample(): Uses PBKDF2WithHmacSHA256.
- * - additionalPBEExample(): Uses PBEWithSHA256And128BitAES-CBC-BC.
- * - additionalPBEExample2(): Uses PBEWithSHA1And128BitAES-CBC-BC.
+ * 2. PBEWith Examples: - insecurePBEExample(): Uses the legacy
+ * PBEWithMD5AndDES. - securePBEExample(): Uses PBKDF2WithHmacSHA256. -
+ * additionalPBEExample(): Uses PBEWithSHA256And128BitAES-CBC-BC. -
+ * additionalPBEExample2(): Uses PBEWithSHA1And128BitAES-CBC-BC.
  *
- * 3. Dynamic PBE Encryption:
- * - dynamicPBEEncryption(): Chooses the PBE transformation based on a
- * configuration string.
+ * 3. Dynamic PBE Encryption: - dynamicPBEEncryption(): Chooses the PBE
+ * transformation based on a configuration string.
  *
- * Best Practices:
- * - Use secure random keys and salts.
- * - Avoid legacy algorithms like PBEWithMD5AndDES.
- * - Prefer modern KDFs (PBKDF2WithHmacSHA256) and secure provider-specific PBE
- * transformations.
+ * Best Practices: - Use secure random keys and salts. - Avoid legacy algorithms
+ * like PBEWithMD5AndDES. - Prefer modern KDFs (PBKDF2WithHmacSHA256) and secure
+ * provider-specific PBE transformations.
  *
- * SAST/CBOM Notes:
- * - Insecure examples (PBEWithMD5AndDES, fixed keys) should be flagged.
- * - Secure examples use random salt, high iteration counts, and strong
+ * SAST/CBOM Notes: - Insecure examples (PBEWithMD5AndDES, fixed keys) should be
+ * flagged. - Secure examples use random salt, high iteration counts, and strong
  * algorithms.
  */
 public class AesWrapAndPBEWith {
@@ -51,14 +44,12 @@ public class AesWrapAndPBEWith {
     //     // Register BouncyCastle as a provider.
     //     Security.addProvider(new BouncyCastleProvider());
     // }
-
     // ===========================
     // 1. AESWrap Examples
     // ===========================
-
     /**
-     * Secure AES key wrapping.
-     * Generates a random 256-bit wrapping key to wrap a target AES key.
+     * Secure AES key wrapping. Generates a random 256-bit wrapping key to wrap
+     * a target AES key.
      *
      * @return The wrapped key (Base64-encoded).
      * @throws Exception if an error occurs.
@@ -79,8 +70,7 @@ public String secureAESWrap() throws Exception {
     }
 
     /**
-     * Insecure AES key wrapping.
-     * Uses a fixed (hard-coded) wrapping key.
+     * Insecure AES key wrapping. Uses a fixed (hard-coded) wrapping key.
      *
      * @return The wrapped key (Base64-encoded).
      * @throws Exception if an error occurs.
@@ -104,7 +94,6 @@ public String insecureAESWrap() throws Exception {
     // ===========================
     // 2. PBEWith Examples
     // ===========================
-
     /**
      * Insecure PBE example using PBEWithMD5AndDES.
      *
@@ -141,7 +130,7 @@ public String securePBEExample(String password) throws Exception {
     /**
      * Additional PBE example using PBEWithSHA256And128BitAES-CBC-BC.
      *
-     * @param password  The input password.
+     * @param password The input password.
      * @param plaintext The plaintext to encrypt.
      * @return The IV concatenated with ciphertext (Base64-encoded).
      * @throws Exception if key derivation or encryption fails.
@@ -165,11 +154,10 @@ public String additionalPBEExample(String password, String plaintext) throws Exc
     }
 
     /**
-     * Additional PBE example using PBEWithSHA1And128BitAES-CBC-BC.
-     * This is less preferred than PBKDF2WithHmacSHA256 but demonstrates another
-     * variant.
+     * Additional PBE example using PBEWithSHA1And128BitAES-CBC-BC. This is less
+     * preferred than PBKDF2WithHmacSHA256 but demonstrates another variant.
      *
-     * @param password  The input password.
+     * @param password The input password.
      * @param plaintext The plaintext to encrypt.
      * @return The IV concatenated with ciphertext (Base64-encoded).
      * @throws Exception if key derivation or encryption fails.
@@ -195,18 +183,16 @@ public String additionalPBEExample2(String password, String plaintext) throws Ex
     // ===========================
     // 3. Dynamic PBE Encryption
     // ===========================
-
     /**
      * Dynamically selects a PBE transformation based on a configuration string.
      *
-     * Acceptable values:
-     * - "PBKDF2": Uses PBKDF2WithHmacSHA256.
-     * - "SHA256AES": Uses PBEWithSHA256And128BitAES-CBC-BC.
-     * - "SHA1AES": Uses PBEWithSHA1And128BitAES-CBC-BC.
-     * - Otherwise, falls back to insecure PBEWithMD5AndDES.
+     * Acceptable values: - "PBKDF2": Uses PBKDF2WithHmacSHA256. - "SHA256AES":
+     * Uses PBEWithSHA256And128BitAES-CBC-BC. - "SHA1AES": Uses
+     * PBEWithSHA1And128BitAES-CBC-BC. - Otherwise, falls back to insecure
+     * PBEWithMD5AndDES.
      *
-     * @param config    The configuration string.
-     * @param password  The input password.
+     * @param config The configuration string.
+     * @param password The input password.
      * @param plaintext The plaintext to encrypt.
      * @return The Base64-encoded encrypted output.
      * @throws Exception if an error occurs.
@@ -227,7 +213,6 @@ public String dynamicPBEEncryption(String config, String password, String plaint
     // ===========================
     // Helper Methods
     // ===========================
-
     /**
      * Concatenates two byte arrays.
      */

java/ql/test/experimental/library-tests/quantum/jca/AsymmetricEncryptionMacHybridCryptosystem.java

@@ -2,60 +2,52 @@
 
 // import org.bouncycastle.jce.provider.BouncyCastleProvider;
 // import org.bouncycastle.pqc.jcajce.provider.BouncyCastlePQCProvider;
-
+import java.security.*;
+import java.security.spec.ECGenParameterSpec;
+import java.util.Arrays;
+import java.util.Base64;
 import javax.crypto.Cipher;
 import javax.crypto.KeyAgreement;
 import javax.crypto.KeyGenerator;
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
-import java.security.*;
-import java.security.spec.ECGenParameterSpec;
-import java.util.Arrays;
-import java.util.Base64;
 
 /**
- * AsymmetricEncryptionMacHybridCryptosystem demonstrates hybrid
- * cryptosystems that combine asymmetric encryption with a MAC.
+ * AsymmetricEncryptionMacHybridCryptosystem demonstrates hybrid cryptosystems
+ * that combine asymmetric encryption with a MAC.
  *
- * Flows:
- * 1. RSA-OAEP + HMAC:
- * - Secure Flow: Uses 2048-bit RSA-OAEP (with SHA256andMGF1Padding) to
- * encapsulate a freshly generated AES key;
- * then encrypts using AES-GCM with a random nonce and computes HMAC-SHA256 over
- * the ciphertext.
- * - Insecure Flow: Uses 1024-bit RSA (RSA/ECB/PKCS1Padding), AES-GCM with a
- * fixed IV, and HMAC-SHA1.
+ * Flows: 1. RSA-OAEP + HMAC: - Secure Flow: Uses 2048-bit RSA-OAEP (with
+ * SHA256andMGF1Padding) to encapsulate a freshly generated AES key; then
+ * encrypts using AES-GCM with a random nonce and computes HMAC-SHA256 over the
+ * ciphertext. - Insecure Flow: Uses 1024-bit RSA (RSA/ECB/PKCS1Padding),
+ * AES-GCM with a fixed IV, and HMAC-SHA1.
  *
- * 2. ECIES + HMAC:
- * - Secure Flow: Uses ephemeral ECDH key pairs (secp256r1); derives a shared
- * secret and applies a simple KDF (SHA-256)
- * to derive a 128-bit AES key; then uses AES-GCM with a random nonce and
- * computes HMAC-SHA256.
- * - Insecure Flow: Reuses a static EC key pair, directly truncates the shared
- * secret without a proper KDF,
- * uses a fixed IV, and computes HMAC-SHA1.
+ * 2. ECIES + HMAC: - Secure Flow: Uses ephemeral ECDH key pairs (secp256r1);
+ * derives a shared secret and applies a simple KDF (SHA-256) to derive a
+ * 128-bit AES key; then uses AES-GCM with a random nonce and computes
+ * HMAC-SHA256. - Insecure Flow: Reuses a static EC key pair, directly truncates
+ * the shared secret without a proper KDF, uses a fixed IV, and computes
+ * HMAC-SHA1.
  *
- * 3. Dynamic Hybrid Selection:
- * - Chooses between flows based on a configuration string.
+ * 3. Dynamic Hybrid Selection: - Chooses between flows based on a configuration
+ * string.
  *
- * SAST/CBOM Notes:
- * - Secure flows use proper ephemeral key generation, secure key sizes, KDF
- * usage, and random nonces/IVs.
- * - Insecure flows (static key reuse, fixed nonces, weak key sizes, raw shared
- * secret truncation, and deprecated algorithms)
- * should be flagged.
+ * SAST/CBOM Notes: - Secure flows use proper ephemeral key generation, secure
+ * key sizes, KDF usage, and random nonces/IVs. - Insecure flows (static key
+ * reuse, fixed nonces, weak key sizes, raw shared secret truncation, and
+ * deprecated algorithms) should be flagged.
  */
 public class AsymmetricEncryptionMacHybridCryptosystem {
 
     // static {
     //     Security.addProvider(new BouncyCastleProvider());
     //     Security.addProvider(new BouncyCastlePQCProvider());
     // }
-
     // ---------- Result Class ----------
     public static class HybridResult {
+
         private final byte[] encapsulatedKey;
         private final byte[] ciphertext;
         private final byte[] mac;
@@ -79,14 +71,13 @@ public byte[] getMac() {
         }
 
         public String toBase64String() {
-            return "EncapsulatedKey: " + Base64.getEncoder().encodeToString(encapsulatedKey) +
-                    "\nCiphertext: " + Base64.getEncoder().encodeToString(ciphertext) +
-                    "\nMAC: " + Base64.getEncoder().encodeToString(mac);
+            return "EncapsulatedKey: " + Base64.getEncoder().encodeToString(encapsulatedKey)
+                    + "\nCiphertext: " + Base64.getEncoder().encodeToString(ciphertext)
+                    + "\nMAC: " + Base64.getEncoder().encodeToString(mac);
         }
     }
 
     // ---------- Helper Methods ----------
-
     /**
      * Generates an ephemeral ECDH key pair on secp256r1.
      */
@@ -107,10 +98,10 @@ public KeyPair generateX25519KeyPair() throws Exception {
 
     /**
      * Derives a shared secret using the provided key agreement algorithm.
-     * 
+     *
      * @param privateKey The private key.
-     * @param publicKey  The corresponding public key.
-     * @param algorithm  The key agreement algorithm (e.g., "ECDH" or "X25519").
+     * @param publicKey The corresponding public key.
+     * @param algorithm The key agreement algorithm (e.g., "ECDH" or "X25519").
      * @return The shared secret.
      */
     public byte[] deriveSharedSecret(PrivateKey privateKey, PublicKey publicKey, String algorithm) throws Exception {
@@ -123,8 +114,8 @@ public byte[] deriveSharedSecret(PrivateKey privateKey, PublicKey publicKey, Str
     /**
      * A simple KDF that hashes the input with SHA-256 and returns the first
      * numBytes.
-     * 
-     * @param input    The input byte array.
+     *
+     * @param input The input byte array.
      * @param numBytes The desired number of output bytes.
      * @return The derived key material.
      */
@@ -147,7 +138,6 @@ public byte[] concatenate(byte[] a, byte[] b) {
     // =====================================================
     // 1. RSA-OAEP + HMAC Hybrid Cryptosystem
     // =====================================================
-
     /**
      * Generates a secure 2048-bit RSA key pair.
      */
@@ -216,7 +206,6 @@ public HybridResult insecureRSAHybridEncryption(byte[] plaintext) throws Excepti
     // =====================================================
     // 2. ECIES + HMAC Hybrid Cryptosystem
     // =====================================================
-
     /**
      * Secure hybrid encryption using ECIES (via ECDH) + HMAC-SHA256.
      */
@@ -268,16 +257,15 @@ public HybridResult insecureECIESHybridEncryption(byte[] plaintext) throws Excep
     // =====================================================
     // 3. Dynamic Hybrid Selection
     // =====================================================
-
     /**
      * Dynamically selects a hybrid encryption flow based on configuration.
      * SAST: Dynamic selection introduces risk if insecure defaults are chosen.
      *
-     * @param config    The configuration string ("secureRSA", "insecureRSA",
-     *                  "secureECIES", "insecureECIES").
+     * @param config The configuration string ("secureRSA", "insecureRSA",
+     * "secureECIES", "insecureECIES").
      * @param plaintext The plaintext to encrypt.
      * @return A Base64-encoded string representation of the hybrid encryption
-     *         result.
+     * result.
      * @throws Exception if an error occurs.
      */
     public String dynamicHybridEncryption(String config, byte[] plaintext) throws Exception {
@@ -300,10 +288,8 @@ public String dynamicHybridEncryption(String config, byte[] plaintext) throws Ex
     // =====================================================
     // 4. Helper Methods for HMAC and Symmetric Encryption
     // =====================================================
-
     /**
-     * Secure HMAC using HMAC-SHA256.
-     * SAST: HMAC-SHA256 is secure.
+     * Secure HMAC using HMAC-SHA256. SAST: HMAC-SHA256 is secure.
      */
     public byte[] secureHMACSHA256(String message, byte[] key) throws Exception {
         Mac mac = Mac.getInstance("HmacSHA256", "BC");
@@ -313,8 +299,8 @@ public byte[] secureHMACSHA256(String message, byte[] key) throws Exception {
     }
 
     /**
-     * Insecure HMAC using HMAC-SHA1.
-     * SAST: HMAC-SHA1 is deprecated and insecure.
+     * Insecure HMAC using HMAC-SHA1. SAST: HMAC-SHA1 is deprecated and
+     * insecure.
      */
     public byte[] insecureHMACSHA1(String message, byte[] key) throws Exception {
         Mac mac = Mac.getInstance("HmacSHA1", "BC");
@@ -326,10 +312,9 @@ public byte[] insecureHMACSHA1(String message, byte[] key) throws Exception {
     // =====================================================
     // 5. Helper Methods for Key/Nonce Generation
     // =====================================================
-
     /**
-     * Generates a secure 256-bit AES key.
-     * SAST: Uses SecureRandom for key generation.
+     * Generates a secure 256-bit AES key. SAST: Uses SecureRandom for key
+     * generation.
      */
     public SecretKey generateAESKey() throws Exception {
         KeyGenerator kg = KeyGenerator.getInstance("AES");

java/ql/test/experimental/library-tests/quantum/jca/ChainedEncryptionTest.java

@@ -1,24 +1,19 @@
 package com.example.crypto.algorithms;
 
 // import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
 import java.security.*;
-
+import java.util.Arrays;
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
 import javax.crypto.spec.IvParameterSpec;
 
-import java.util.Arrays;
-import java.util.Base64;
-
 public class ChainedEncryptionTest {
 
     // static {
     //     Security.addProvider(new BouncyCastleProvider());
     // }
-
     // Encrypts using AES-GCM. Returns IV concatenated with ciphertext.
     public static byte[] encryptAESGCM(SecretKey key, byte[] plaintext) throws Exception {
         Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
@@ -68,10 +63,10 @@ private static byte[] concat(byte[] a, byte[] b) {
     }
 
     /**
-     * Performs chained encryption and decryption in one function.
-     * First, plaintext is encrypted with AES-GCM (inner layer),
-     * then that ciphertext is encrypted with ChaCha20-Poly1305 (outer layer).
-     * The decryption process reverses these steps.
+     * Performs chained encryption and decryption in one function. First,
+     * plaintext is encrypted with AES-GCM (inner layer), then that ciphertext
+     * is encrypted with ChaCha20-Poly1305 (outer layer). The decryption process
+     * reverses these steps.
      *
      * @param plaintext The input plaintext.
      * @return The decrypted plaintext as a String.
@@ -148,4 +143,4 @@ public static void main(String[] args) throws Exception {
         System.out.println("Decrypted: " + new String(decryptedPlaintext));
     }
 
-}
+}