Crypto: WeakKDFKeySize tests.

Author: bdrodes

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/Test.java

@@ -0,0 +1,42 @@
+import java.security.SecureRandom;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+
+public class Test {
+
+    public static byte[] generateSalt(int length) {
+        SecureRandom random = new SecureRandom();
+        byte[] salt = new byte[length];
+        random.nextBytes(salt);
+        return salt;
+    }
+
+    /**
+     * PBKDF2 derivation with a weak key size.
+     *
+     * SAST/CBOM: - Parent: PBKDF2. - Key size is only 64 bits, which is far below acceptable security standards.
+     * - Flagged as insecure.
+     */
+    public void pbkdf2WeakKeySize(String password) throws Exception {
+        byte[] salt = generateSalt(16);
+        int iterationCount = 100_000;
+        int keySize = 64; // $Source
+        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize); // $Alert[java/quantum/weak-kdf-key-size]
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+        byte[] key = factory.generateSecret(spec).getEncoded();
+    }
+
+    /**
+     * PBKDF2 derivation with a secure key size.
+     *
+     * SAST/CBOM: - Parent: PBKDF2. - Key size is 256 bits, which meets modern security standards.
+     */
+    public void pbkdf2SecureKeySize(String password) throws Exception {
+        byte[] salt = generateSalt(16);
+        int iterationCount = 100_000;
+        int keySize = 256;
+        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, keySize);
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+        byte[] key = factory.generateSecret(spec).getEncoded();
+    }
+}

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/WeakKDFKeySize.expected

@@ -0,0 +1,11 @@
+#select
+| Test.java:24:88:24:94 | keySize | Test.java:23:23:23:24 | 64 : Number | Test.java:24:88:24:94 | keySize | Key derivation operation configures output key length below 256: $@ | Test.java:23:23:23:24 | 64 | 64 |
+edges
+| Test.java:23:23:23:24 | 64 : Number | Test.java:24:88:24:94 | keySize | provenance |  |
+| Test.java:37:23:37:25 | 256 : Number | Test.java:38:88:38:94 | keySize | provenance |  |
+nodes
+| Test.java:23:23:23:24 | 64 : Number | semmle.label | 64 : Number |
+| Test.java:24:88:24:94 | keySize | semmle.label | keySize |
+| Test.java:37:23:37:25 | 256 : Number | semmle.label | 256 : Number |
+| Test.java:38:88:38:94 | keySize | semmle.label | keySize |
+subpaths

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFKeySize/WeakKDFKeySize.qlref

@@ -0,0 +1,4 @@
+query: experimental/quantum/Examples/WeakKDFKeySize.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql