Added initial support for BouncyCastle signers

Author: fegge

java/ql/lib/experimental/quantum/BouncyCastle.qll

@@ -0,0 +1,164 @@
+
+import java
+
+/**
+ * Models for the signature algorithms defined by the `org.bouncycastle.crypto.signers` package.
+ * 
+ */
+module Signers {
+  import Language
+  import BouncyCastle.FlowAnalysis
+  import BouncyCastle.AlgorithmInstances
+
+  abstract class SignatureAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer { }
+
+  /**
+   * A model of the `Signer` class in Bouncy Castle.
+   */
+  class Signer extends RefType {
+    Signer() {
+      this.getPackage().getName() = "org.bouncycastle.crypto.signers" and
+      this.getName().matches("%Signer")
+    }
+
+    MethodCall getAnInitCall() {
+      result = this.getAMethodCall("init")
+    }
+
+    MethodCall getAUseCall() {
+      result = this.getAMethodCall(["update", "generateSignature", "verifySignature"])
+    }
+    
+    MethodCall getAMethodCall(string name) {
+      result.getCallee().hasQualifiedName("org.bouncycastle.crypto.signers", this.getName(), name)
+    }
+  }
+
+  /**
+   * BouncyCastle algorithms are instantiated by calling the constructor of the
+   * corresponding class. The algorithm is implicitly defined by the constructor
+   * call.
+   */
+  class NewCall extends SignatureAlgorithmValueConsumer instanceof ClassInstanceExpr {
+    NewCall() {
+      this.getConstructedType() instanceof Signer
+    }
+
+    override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+      result = getSignatureAlgorithmInstanceFromType(super.getConstructedType())
+    }
+  
+    // TODO: Since the algorithm is implicitly defined by the constructor, should
+    // the input node be `this`?
+    override Crypto::ConsumerInputDataFlowNode getInputNode() { 
+      result.asExpr() = this
+    }
+  }
+
+  /**
+   * The type is instantiated by a constructor call and initialized by a call to
+   * `init()` which takes two arguments. The first argument is a flag indicating
+   * whether the operation is signing data or verifying a signature, and the
+   * second is the key to use. 
+   */
+  class InitCall extends MethodCall {
+    InitCall() {
+      this = any(Signer signer).getAnInitCall() 
+    }
+
+    Expr getForSigningArg() { result = this.getArgument(0) }
+
+    Expr getKeyArg() { result = this.getArgument(1) }
+
+    Crypto::KeyOperationAlgorithmInstance getAlgorithm() {
+      result = getSignatureAlgorithmInstanceFromType(this.getReceiverType())
+    }
+
+    Crypto::KeyOperationSubtype getKeyOperationSubtype() {
+      (
+        this.getForSigningArg().(BooleanLiteral).getBooleanValue() = true and
+        result = Crypto::TSignMode()
+      ) or (
+        this.getForSigningArg().(BooleanLiteral).getBooleanValue() = false and
+        result = Crypto::TVerifyMode()
+      ) or (
+        result = Crypto::TUnknownKeyOperationMode()
+      )
+    }
+  }
+
+  /**
+   * The `update()` method is used to pass message data to the signer, and the
+   * `generateSignature()` or `verifySignature()` methods are used to produce or
+   * verify the signature, respectively.
+   */
+  class UseCall extends MethodCall {
+    UseCall() {
+      this = any(Signer signer).getAUseCall()
+    }
+
+    predicate isIntermediate() {
+      this.getCallee().getName() = "update"
+    }
+
+    Expr getInput() { result = this.getArgument(0) }
+
+    Expr getOutput() {
+      result = this
+    }
+  }
+
+  /**
+   * Instantiate the flow analysis module for the `Signer` class.
+   */
+  module FlowAnalysis = NewToInitToUseFlowAnalysis<NewCall, InitCall, UseCall>;
+
+  UseCall getIntermediateUse(UseCall use) {
+    result = FlowAnalysis::getAnIntermediateUseFromFinalUse(use, _, _)
+  }
+
+  /**
+   * A signing operation instance is a call to either `update()`, `generateSignature()`,
+   * or `verifySignature()` on a `Signer` instance.
+   */
+  class SignatureOperationInstance extends Crypto::KeyOperationInstance instanceof UseCall {
+    
+    override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+      result = FlowAnalysis::getInstantiationFromInit(this.getInitCall(), _, _)
+    }
+    override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
+      if FlowAnalysis::hasInit(this)
+      then result = this.getInitCall().getKeyOperationSubtype()
+      else result = Crypto::TUnknownKeyOperationMode()
+    }
+
+    override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
+      result.asExpr() = this.getInitCall().getKeyArg()
+    }
+
+    override Crypto::ConsumerInputDataFlowNode getNonceConsumer() { none() }
+
+    override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+      result.asExpr() = this.getAnUpdateCall().getInput()
+    }
+
+    override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+      this.getKeyOperationSubtype() = Crypto::TSignMode() and
+      not super.isIntermediate() and
+      result.asExpr() = super.getOutput()
+    }
+
+    InitCall getInitCall() {
+      result = FlowAnalysis::getInitFromUse(this, _, _)
+    }
+
+    UseCall getAnUpdateCall() {
+      (
+        super.isIntermediate() and result = this
+      ) or (
+        result = FlowAnalysis::getAnIntermediateUseFromFinalUse(this, _, _)
+      )
+    }
+  }
+}
+

java/ql/lib/experimental/quantum/BouncyCastle/AlgorithmInstances.qll

@@ -0,0 +1,10 @@
+import java
+import experimental.quantum.Language
+import AlgorithmInstances.SignatureAlgorithmInstances
+
+SignatureAlgorithmInstance getSignatureAlgorithmInstanceFromType(Type t) {
+  t.getName() = "Ed25519Signer" and result instanceof Ed25519AlgorithmInstance
+  or
+  t.getName() = "Ed448Signer" and result instanceof Ed448AlgorithmInstance
+}
+

java/ql/lib/experimental/quantum/BouncyCastle/AlgorithmInstances/SignatureAlgorithmInstances.qll

@@ -0,0 +1,44 @@
+import java
+import experimental.quantum.Language
+
+abstract class SignatureAlgorithmInstance extends Crypto::KeyOperationAlgorithmInstance {
+
+  // TODO: Could potentially be used to model signature modes like Ed25519ph and Ed25519ctx.
+  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() }
+
+  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
+  
+  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { none() }
+}
+
+class Ed25519AlgorithmInstance extends SignatureAlgorithmInstance instanceof ClassInstanceExpr {
+  Ed25519AlgorithmInstance() {
+    this.getConstructedType().hasQualifiedName("org.bouncycastle.crypto.signers", "Ed25519Signer")
+  }
+
+  override string getRawAlgorithmName() { result = "Ed25519" }
+
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() { 
+    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::Ed25519()) 
+  }
+
+  // TODO: May be redundant.
+  override string getKeySizeFixed() { result = "256" }
+}
+
+class Ed448AlgorithmInstance extends SignatureAlgorithmInstance instanceof ClassInstanceExpr {
+  Ed448AlgorithmInstance() {
+    this.getConstructedType().hasQualifiedName("org.bouncycastle.crypto.signers", "Ed448Signer")
+  }
+
+  override string getRawAlgorithmName() { result = "Ed448" }
+
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() { 
+    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::Ed448()) 
+  }
+
+  // TODO: May be redundant.
+  override string getKeySizeFixed() { result = "448" }
+}
+
+

java/ql/lib/experimental/quantum/BouncyCastle/FlowAnalysis.qll

@@ -0,0 +1,166 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A signature for the `getInstance()` method calls used in JCA, or direct
+ * constructor calls used in BouncyCastle.
+ */
+signature class NewCallSig instanceof Call;
+
+signature class InitCallSig instanceof MethodCall;
+
+signature class UseCallSig instanceof MethodCall {
+  /**
+   * Holds if the use is not a final use, such as an `update()` call before `doFinal()`
+   */
+  predicate isIntermediate();
+}
+
+/**
+ * An generic analysis module for analyzing the `getInstance()` to `initialize()` 
+ * to `doOperation()` pattern in the JCA, and similar patterns in other libraries.
+ *
+ * For example:
+ * ```
+ * kpg = KeyPairGenerator.getInstance();
+ * kpg.initialize(...);
+ * kpg.generate(...);
+ * ```
+ */
+module NewToInitToUseFlowAnalysis<NewCallSig GetInstance, InitCallSig Init, UseCallSig Use>
+{
+  newtype TFlowState =
+    TUninitialized() or
+    TInitialized(Init call) or
+    TIntermediateUse(Use call)
+
+  abstract class InitFlowState extends TFlowState {
+    string toString() {
+      this = TUninitialized() and result = "Uninitialized"
+      or
+      this = TInitialized(_) and result = "Initialized"
+      // TODO: add intermediate use
+    }
+  }
+
+  class UninitializedFlowState extends InitFlowState, TUninitialized { }
+
+  class InitializedFlowState extends InitFlowState, TInitialized {
+    Init call;
+    DataFlow::Node node1;
+    DataFlow::Node node2;
+
+    InitializedFlowState() {
+      this = TInitialized(call) and
+      node2.asExpr() = call.(MethodCall).getQualifier() and
+      DataFlow::localFlowStep(node1, node2) and
+      node1 != node2
+    }
+
+    Init getInitCall() { result = call }
+
+    DataFlow::Node getFstNode() { result = node1 }
+
+    DataFlow::Node getSndNode() { result = node2 }
+  }
+
+  class IntermediateUseState extends InitFlowState, TIntermediateUse {
+    Use call;
+    DataFlow::Node node1;
+    DataFlow::Node node2;
+
+    IntermediateUseState() {
+      this = TIntermediateUse(call) and
+      call.isIntermediate() and
+      node1.asExpr() = call.(MethodCall).getQualifier() and
+      node2 = node1
+    }
+
+    Use getUseCall() { result = call }
+
+    DataFlow::Node getFstNode() { result = node1 }
+
+    DataFlow::Node getSndNode() { result = node2 }
+  }
+
+  module GetInstanceToInitToUseConfig implements DataFlow::StateConfigSig {
+    class FlowState = InitFlowState;
+
+    predicate isSource(DataFlow::Node src, FlowState state) {
+      state instanceof UninitializedFlowState and
+      src.asExpr() instanceof GetInstance
+      or
+      src = state.(InitializedFlowState).getSndNode()
+      or
+      src = state.(IntermediateUseState).getSndNode()
+    }
+
+    // TODO: document this, but this is intentional (avoid cross products?)
+    predicate isSink(DataFlow::Node sink, FlowState state) { none() }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(Init c | c.(MethodCall).getQualifier() = sink.asExpr())
+      or
+      exists(Use c | not c.isIntermediate() and c.(MethodCall).getQualifier() = sink.asExpr())
+    }
+
+    predicate isAdditionalFlowStep(
+      DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+    ) {
+      state1 = state1 and
+      (
+        node1 = state2.(InitializedFlowState).getFstNode() and
+        node2 = state2.(InitializedFlowState).getSndNode()
+        or
+        node1 = state2.(IntermediateUseState).getFstNode() and
+        node2 = state2.(IntermediateUseState).getSndNode()
+      )
+    }
+
+    predicate isBarrier(DataFlow::Node node, FlowState state) {
+      exists(Init call | node.asExpr() = call.(MethodCall).getQualifier() |
+        state instanceof UninitializedFlowState
+        or
+        state.(InitializedFlowState).getInitCall() != call
+      )
+    }
+  }
+
+  module GetInstanceToInitToUseFlow = DataFlow::GlobalWithState<GetInstanceToInitToUseConfig>;
+
+  GetInstance getInstantiationFromUse(
+    Use use, GetInstanceToInitToUseFlow::PathNode src, GetInstanceToInitToUseFlow::PathNode sink
+  ) {
+    src.getNode().asExpr() = result and
+    sink.getNode().asExpr() = use.(MethodCall).getQualifier() and
+    GetInstanceToInitToUseFlow::flowPath(src, sink)
+  }
+
+  GetInstance getInstantiationFromInit(
+    Init init, GetInstanceToInitToUseFlow::PathNode src, GetInstanceToInitToUseFlow::PathNode sink
+  ) {
+    src.getNode().asExpr() = result and
+    sink.getNode().asExpr() = init.(MethodCall).getQualifier() and
+    GetInstanceToInitToUseFlow::flowPath(src, sink)
+  }
+
+  Init getInitFromUse(
+    Use use, GetInstanceToInitToUseFlow::PathNode src, GetInstanceToInitToUseFlow::PathNode sink
+  ) {
+    src.getNode().asExpr() = result.(MethodCall).getQualifier() and
+    sink.getNode().asExpr() = use.(MethodCall).getQualifier() and
+    GetInstanceToInitToUseFlow::flowPath(src, sink)
+  }
+
+  predicate hasInit(Use use) { exists(getInitFromUse(use, _, _)) }
+
+  Use getAnIntermediateUseFromFinalUse(
+    Use final, GetInstanceToInitToUseFlow::PathNode src, GetInstanceToInitToUseFlow::PathNode sink
+  ) {
+    not final.isIntermediate() and
+    result.isIntermediate() and
+    src.getNode().asExpr() = result.(MethodCall).getQualifier() and
+    sink.getNode().asExpr() = final.(MethodCall).getQualifier() and
+    GetInstanceToInitToUseFlow::flowPath(src, sink)
+  }
+}

java/ql/lib/experimental/quantum/Language.qll

@@ -216,3 +216,4 @@ module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
 
 // Import library-specific modeling
 import JCA
+import BouncyCastle