Password Based Encryption model (#135)

* PBE model + JCA update Signed-off-by: Hugo Queinnec <[email protected]> * BcPbeMapper Signed-off-by: Hugo Queinnec <[email protected]> * fix JCA tests Signed-off-by: Hugo Queinnec <[email protected]> * ECIES-KEM Signed-off-by: Hugo Queinnec <[email protected]> * chnage PBE mapping for jca Signed-off-by: Nicklas Körtge <[email protected]> * chnage PBE mapping for jca Signed-off-by: Nicklas Körtge <[email protected]> * update PBE and PKDF naming, update HMAC in jca, fix tests Signed-off-by: Nicklas Körtge <[email protected]> --------- Signed-off-by: Hugo Queinnec <[email protected]> Signed-off-by: Nicklas Körtge <[email protected]> Co-authored-by: Nicklas Körtge <[email protected]>
IBM · Sep 5, 2024 · e8bc9f9 · e8bc9f9
1 parent ebcb614
commit e8bc9f9
Show file tree

Hide file tree

Showing 20 changed files with 397 additions and 146 deletions.
diff --git a/...st/java/com/ibm/plugin/rules/detection/bc/encapsulatedsecret/BcECIESKEMExtractorTest.java b/...st/java/com/ibm/plugin/rules/detection/bc/encapsulatedsecret/BcECIESKEMExtractorTest.java
@@ -112,7 +112,7 @@ public void asserts(
         assertThat(keyEncapsulationMechanismNode.getKind())
                 .isEqualTo(KeyEncapsulationMechanism.class);
         assertThat(keyEncapsulationMechanismNode.getChildren()).hasSize(2);
-        assertThat(keyEncapsulationMechanismNode.asString()).isEqualTo("ECIES");
+        assertThat(keyEncapsulationMechanismNode.asString()).isEqualTo("ECIES-KEM");
 
         // KeyLength under KeyEncapsulationMechanism
         INode keyLengthNode = keyEncapsulationMechanismNode.getChildren().get(KeyLength.class);

diff --git a/...st/java/com/ibm/plugin/rules/detection/bc/encapsulatedsecret/BcECIESKEMGeneratorTest.java b/...st/java/com/ibm/plugin/rules/detection/bc/encapsulatedsecret/BcECIESKEMGeneratorTest.java
@@ -112,7 +112,7 @@ public void asserts(
         assertThat(keyEncapsulationMechanismNode.getKind())
                 .isEqualTo(KeyEncapsulationMechanism.class);
         assertThat(keyEncapsulationMechanismNode.getChildren()).hasSize(2);
-        assertThat(keyEncapsulationMechanismNode.asString()).isEqualTo("ECIES");
+        assertThat(keyEncapsulationMechanismNode.asString()).isEqualTo("ECIES-KEM");
 
         // KeyLength under KeyEncapsulationMechanism
         INode keyLengthNode = keyEncapsulationMechanismNode.getChildren().get(KeyLength.class);

diff --git a/java/src/test/java/com/ibm/plugin/rules/detection/jca/keyspec/JcaPBEKeySpecTest.java b/java/src/test/java/com/ibm/plugin/rules/detection/jca/keyspec/JcaPBEKeySpecTest.java
@@ -29,14 +29,17 @@
 import com.ibm.engine.model.SaltSize;
 import com.ibm.engine.model.context.KeyContext;
 import com.ibm.engine.model.context.SecretKeyContext;
+import com.ibm.mapper.model.BlockSize;
+import com.ibm.mapper.model.DigestSize;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.KeyLength;
 import com.ibm.mapper.model.Mac;
-import com.ibm.mapper.model.Oid;
+import com.ibm.mapper.model.MessageDigest;
 import com.ibm.mapper.model.PasswordBasedKeyDerivationFunction;
 import com.ibm.mapper.model.PasswordLength;
 import com.ibm.mapper.model.SaltLength;
 import com.ibm.mapper.model.SecretKey;
+import com.ibm.mapper.model.functionality.Digest;
 import com.ibm.mapper.model.functionality.KeyGeneration;
 import com.ibm.mapper.model.functionality.Tag;
 import com.ibm.plugin.TestBase;
@@ -98,7 +101,6 @@ public void asserts(
         /*
          * Translation
          */
-
         assertThat(nodes).hasSize(1);
 
         // SecretKey
@@ -107,18 +109,51 @@ public void asserts(
         assertThat(secretKeyNode.getChildren()).hasSize(4);
         assertThat(secretKeyNode.asString()).isEqualTo("PBKDF2");
 
+        // KeyLength under SecretKey
+        INode keyLengthNode = secretKeyNode.getChildren().get(KeyLength.class);
+        assertThat(keyLengthNode).isNotNull();
+        assertThat(keyLengthNode.getChildren()).isEmpty();
+        assertThat(keyLengthNode.asString()).isEqualTo("1024");
+
         // PasswordBasedKeyDerivationFunction under SecretKey
         INode passwordBasedKeyDerivationFunctionNode =
                 secretKeyNode.getChildren().get(PasswordBasedKeyDerivationFunction.class);
         assertThat(passwordBasedKeyDerivationFunctionNode).isNotNull();
-        assertThat(passwordBasedKeyDerivationFunctionNode.getChildren()).hasSize(3);
-        assertThat(passwordBasedKeyDerivationFunctionNode.asString()).isEqualTo("PBKDF2-SHA1");
+        assertThat(passwordBasedKeyDerivationFunctionNode.getChildren()).hasSize(2);
+        assertThat(passwordBasedKeyDerivationFunctionNode.asString()).isEqualTo("PBKDF2-HMAC-SHA1");
 
         // Mac under PasswordBasedKeyDerivationFunction under SecretKey
         INode macNode = passwordBasedKeyDerivationFunctionNode.getChildren().get(Mac.class);
         assertThat(macNode).isNotNull();
-        assertThat(macNode.getChildren()).hasSize(1);
-        assertThat(macNode.asString()).isEqualTo("SHA1");
+        assertThat(macNode.getChildren()).hasSize(2);
+        assertThat(macNode.asString()).isEqualTo("HMAC-SHA1");
+
+        // MessageDigest under Mac under PasswordBasedKeyDerivationFunction under SecretKey
+        INode messageDigestNode = macNode.getChildren().get(MessageDigest.class);
+        assertThat(messageDigestNode).isNotNull();
+        assertThat(messageDigestNode.getChildren()).hasSize(3);
+        assertThat(messageDigestNode.asString()).isEqualTo("SHA1");
+
+        // BlockSize under MessageDigest under Mac under PasswordBasedKeyDerivationFunction under
+        // SecretKey
+        INode blockSizeNode = messageDigestNode.getChildren().get(BlockSize.class);
+        assertThat(blockSizeNode).isNotNull();
+        assertThat(blockSizeNode.getChildren()).isEmpty();
+        assertThat(blockSizeNode.asString()).isEqualTo("512");
+
+        // DigestSize under MessageDigest under Mac under PasswordBasedKeyDerivationFunction under
+        // SecretKey
+        INode digestSizeNode = messageDigestNode.getChildren().get(DigestSize.class);
+        assertThat(digestSizeNode).isNotNull();
+        assertThat(digestSizeNode.getChildren()).isEmpty();
+        assertThat(digestSizeNode.asString()).isEqualTo("160");
+
+        // Digest under MessageDigest under Mac under PasswordBasedKeyDerivationFunction under
+        // SecretKey
+        INode digestNode = messageDigestNode.getChildren().get(Digest.class);
+        assertThat(digestNode).isNotNull();
+        assertThat(digestNode.getChildren()).isEmpty();
+        assertThat(digestNode.asString()).isEqualTo("DIGEST");
 
         // Tag under Mac under PasswordBasedKeyDerivationFunction under SecretKey
         INode tagNode = macNode.getChildren().get(Tag.class);
@@ -133,18 +168,6 @@ public void asserts(
         assertThat(keyGenerationNode.getChildren()).isEmpty();
         assertThat(keyGenerationNode.asString()).isEqualTo("KEYGENERATION");
 
-        // Oid under PasswordBasedKeyDerivationFunction under SecretKey
-        INode oidNode = passwordBasedKeyDerivationFunctionNode.getChildren().get(Oid.class);
-        assertThat(oidNode).isNotNull();
-        assertThat(oidNode.getChildren()).isEmpty();
-        assertThat(oidNode.asString()).isEqualTo("1.2.840.113549.1.5.12");
-
-        // KeyLength under SecretKey
-        INode keyLengthNode = secretKeyNode.getChildren().get(KeyLength.class);
-        assertThat(keyLengthNode).isNotNull();
-        assertThat(keyLengthNode.getChildren()).isEmpty();
-        assertThat(keyLengthNode.asString()).isEqualTo("1024");
-
         // PasswordLength under SecretKey
         INode passwordLengthNode = secretKeyNode.getChildren().get(PasswordLength.class);
         assertThat(passwordLengthNode).isNotNull();

diff --git a/java/src/test/java/com/ibm/plugin/rules/detection/jca/mac/JcaMacGetInstanceTest.java b/java/src/test/java/com/ibm/plugin/rules/detection/jca/mac/JcaMacGetInstanceTest.java
@@ -29,7 +29,9 @@
 import com.ibm.mapper.model.DigestSize;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.Mac;
+import com.ibm.mapper.model.MessageDigest;
 import com.ibm.mapper.model.Oid;
+import com.ibm.mapper.model.functionality.Digest;
 import com.ibm.mapper.model.functionality.Tag;
 import com.ibm.plugin.TestBase;
 import java.util.List;
@@ -74,29 +76,41 @@ public void asserts(
         // Mac
         INode macNode = nodes.get(0);
         assertThat(macNode.getKind()).isEqualTo(Mac.class);
-        assertThat(macNode.getChildren()).hasSize(4);
-        assertThat(macNode.asString()).isEqualTo("SHA3-384");
+        assertThat(macNode.getChildren()).hasSize(2);
+        assertThat(macNode.asString()).isEqualTo("HMAC-SHA3-384");
 
-        // BlockSize under Mac
-        INode blockSizeNode = macNode.getChildren().get(BlockSize.class);
+        // Tag under Mac
+        INode tagNode = macNode.getChildren().get(Tag.class);
+        assertThat(tagNode).isNotNull();
+        assertThat(tagNode.getChildren()).isEmpty();
+        assertThat(tagNode.asString()).isEqualTo("TAG");
+
+        // MessageDigest under Mac
+        INode messageDigestNode = macNode.getChildren().get(MessageDigest.class);
+        assertThat(messageDigestNode).isNotNull();
+        assertThat(messageDigestNode.getChildren()).hasSize(4);
+        assertThat(messageDigestNode.asString()).isEqualTo("SHA3-384");
+
+        // BlockSize under MessageDigest under Mac
+        INode blockSizeNode = messageDigestNode.getChildren().get(BlockSize.class);
         assertThat(blockSizeNode).isNotNull();
         assertThat(blockSizeNode.getChildren()).isEmpty();
         assertThat(blockSizeNode.asString()).isEqualTo("832");
 
-        // Oid under Mac
-        INode oidNode = macNode.getChildren().get(Oid.class);
+        // Oid under MessageDigest under Mac
+        INode oidNode = messageDigestNode.getChildren().get(Oid.class);
         assertThat(oidNode).isNotNull();
         assertThat(oidNode.getChildren()).isEmpty();
         assertThat(oidNode.asString()).isEqualTo("2.16.840.1.101.3.4.2.9");
 
-        // Digest under Mac
-        INode digestNode = macNode.getChildren().get(Tag.class);
+        // Digest under MessageDigest under Mac
+        INode digestNode = messageDigestNode.getChildren().get(Digest.class);
         assertThat(digestNode).isNotNull();
         assertThat(digestNode.getChildren()).isEmpty();
-        assertThat(digestNode.asString()).isEqualTo("TAG");
+        assertThat(digestNode.asString()).isEqualTo("DIGEST");
 
-        // DigestSize under Mac
-        INode digestSizeNode = macNode.getChildren().get(DigestSize.class);
+        // DigestSize under MessageDigest under Mac
+        INode digestSizeNode = messageDigestNode.getChildren().get(DigestSize.class);
         assertThat(digestSizeNode).isNotNull();
         assertThat(digestSizeNode.getChildren()).isEmpty();
         assertThat(digestSizeNode.asString()).isEqualTo("384");

diff --git a/mapper/src/main/java/com/ibm/mapper/mapper/bc/BcPbeMapper.java b/mapper/src/main/java/com/ibm/mapper/mapper/bc/BcPbeMapper.java
@@ -0,0 +1,63 @@
+/*
+ * SonarQube Cryptography Plugin
+ * Copyright (C) 2024 IBM
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.ibm.mapper.mapper.bc;
+
+import com.ibm.mapper.mapper.IMapper;
+import com.ibm.mapper.model.Algorithm;
+import com.ibm.mapper.model.INode;
+import com.ibm.mapper.model.PBES1;
+import com.ibm.mapper.model.PBES2;
+import com.ibm.mapper.model.PKCS12PBE;
+import com.ibm.mapper.model.PasswordBasedEncryption;
+import com.ibm.mapper.model.Unknown;
+import com.ibm.mapper.utils.DetectionLocation;
+import java.util.Optional;
+import javax.annotation.Nonnull;
+import javax.annotation.Nullable;
+
+public class BcPbeMapper implements IMapper {
+
+    @Override
+    @Nonnull
+    public Optional<? extends INode> parse(
+            @Nullable String str, @Nonnull DetectionLocation detectionLocation) {
+        if (str == null) {
+            return Optional.empty();
+        }
+        return map(str, detectionLocation);
+    }
+
+    @Nonnull
+    private Optional<? extends INode> map(
+            @Nonnull String pbeString, @Nonnull DetectionLocation detectionLocation) {
+        return switch (pbeString) {
+            case "OpenSSLPBEParametersGenerator" -> Optional.of(new PBES1(detectionLocation));
+            case "PKCS12ParametersGenerator" -> Optional.of(new PKCS12PBE(detectionLocation));
+            case "PKCS5S1ParametersGenerator" -> Optional.of(new PBES1(detectionLocation));
+            case "PKCS5S2ParametersGenerator" -> Optional.of(new PBES2(detectionLocation));
+            default -> {
+                final Algorithm algorithm =
+                        new Algorithm(pbeString, PasswordBasedEncryption.class, detectionLocation);
+                algorithm.put(new Unknown(detectionLocation));
+                yield Optional.of(algorithm);
+            }
+        };
+    }
+}
diff --git a/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaAlgorithmMapper.java b/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaAlgorithmMapper.java
@@ -22,7 +22,6 @@
 import com.ibm.mapper.mapper.IMapper;
 import com.ibm.mapper.model.Algorithm;
 import com.ibm.mapper.model.INode;
-import com.ibm.mapper.model.PasswordBasedEncryption;
 import com.ibm.mapper.model.PublicKeyEncryption;
 import com.ibm.mapper.model.Unknown;
 import com.ibm.mapper.model.algorithms.DH;
@@ -65,7 +64,6 @@ public Optional<? extends INode> parse(
         }
 
         return switch (str.toUpperCase().trim()) {
-            case "PBE", "PBES2" -> Optional.of(new PasswordBasedEncryption(detectionLocation));
             case "DH", "DIFFIEHELLMAN" -> Optional.of(new DH(detectionLocation));
             case "RSA" -> Optional.of(new RSA(detectionLocation));
             case "EC" ->

diff --git a/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaCipherMapper.java b/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaCipherMapper.java
@@ -21,6 +21,7 @@
 
 import com.ibm.mapper.mapper.IMapper;
 import com.ibm.mapper.model.Algorithm;
+import com.ibm.mapper.model.IAlgorithm;
 import com.ibm.mapper.model.Mode;
 import com.ibm.mapper.model.Padding;
 import com.ibm.mapper.model.PasswordBasedEncryption;
@@ -44,7 +45,7 @@ public final class JcaCipherMapper implements IMapper {
 
     @Nonnull
     @Override
-    public Optional<? extends Algorithm> parse(
+    public Optional<? extends IAlgorithm> parse(
             @Nullable final String str, @Nonnull DetectionLocation detectionLocation) {
         if (str == null) {
             return Optional.empty();

diff --git a/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaMacMapper.java b/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaMacMapper.java
@@ -20,9 +20,9 @@
 package com.ibm.mapper.mapper.jca;
 
 import com.ibm.mapper.mapper.IMapper;
-import com.ibm.mapper.model.Algorithm;
-import com.ibm.mapper.model.Mac;
+import com.ibm.mapper.model.IAlgorithm;
 import com.ibm.mapper.model.PasswordBasedEncryption;
+import com.ibm.mapper.model.algorithms.HMAC;
 import com.ibm.mapper.model.algorithms.MD2;
 import com.ibm.mapper.model.algorithms.MD5;
 import com.ibm.mapper.model.algorithms.SHA;
@@ -37,7 +37,7 @@ public class JcaMacMapper implements IMapper {
 
     @Nonnull
     @Override
-    public Optional<? extends Algorithm> parse(
+    public Optional<? extends IAlgorithm> parse(
             @Nullable final String str, @Nonnull DetectionLocation detectionLocation) {
         if (str == null) {
             return Optional.empty();
@@ -58,39 +58,33 @@ public Optional<? extends Algorithm> parse(
         final String messageDigestStr =
                 str.substring(str.toLowerCase().trim().indexOf("Hmac".toLowerCase()) + 4);
 
-        return switch (messageDigestStr.toUpperCase().trim()) {
-            case "MD2" -> Optional.of(new MD2(Mac.class, detectionLocation));
-            case "MD5" -> Optional.of(new MD5(Mac.class, detectionLocation));
-            case "SHA", "SHA1", "SHA-1" -> Optional.of(new SHA(Mac.class, detectionLocation));
-            case "SHA-224", "SHA224" ->
-                    Optional.of(new SHA2(Mac.class, new SHA2(224, detectionLocation)));
-            case "SHA-256", "SHA256" ->
-                    Optional.of(new SHA2(Mac.class, new SHA2(256, detectionLocation)));
-            case "SHA-384", "SHA384" ->
-                    Optional.of(new SHA2(Mac.class, new SHA2(384, detectionLocation)));
-            case "SHA-512", "SHA512" ->
-                    Optional.of(new SHA2(Mac.class, new SHA2(512, detectionLocation)));
-            case "SHA-512/224", "SHA512/224" ->
-                    Optional.of(
-                            new SHA2(
-                                    Mac.class,
-                                    new SHA2(
-                                            224,
-                                            new SHA2(512, detectionLocation),
-                                            detectionLocation)));
-            case "SHA-512/256", "SHA512/256" ->
-                    Optional.of(
-                            new SHA2(
-                                    Mac.class,
-                                    new SHA2(
-                                            256,
-                                            new SHA2(512, detectionLocation),
-                                            detectionLocation)));
-            case "SHA3-224" -> Optional.of(new SHA3(Mac.class, new SHA3(224, detectionLocation)));
-            case "SHA3-256" -> Optional.of(new SHA3(Mac.class, new SHA3(256, detectionLocation)));
-            case "SHA3-384" -> Optional.of(new SHA3(Mac.class, new SHA3(384, detectionLocation)));
-            case "SHA3-512" -> Optional.of(new SHA3(Mac.class, new SHA3(512, detectionLocation)));
-            default -> Optional.empty();
-        };
+        return Optional.of(messageDigestStr.toUpperCase().trim())
+                .map(
+                        s ->
+                                switch (s) {
+                                    case "MD2" -> new MD2(detectionLocation);
+                                    case "MD5" -> new MD5(detectionLocation);
+                                    case "SHA", "SHA1", "SHA-1" -> new SHA(detectionLocation);
+                                    case "SHA-224", "SHA224" -> new SHA2(224, detectionLocation);
+                                    case "SHA-256", "SHA256" -> new SHA2(256, detectionLocation);
+                                    case "SHA-384", "SHA384" -> new SHA2(384, detectionLocation);
+                                    case "SHA-512", "SHA512" -> new SHA2(512, detectionLocation);
+                                    case "SHA-512/224", "SHA512/224" ->
+                                            new SHA2(
+                                                    224,
+                                                    new SHA2(512, detectionLocation),
+                                                    detectionLocation);
+                                    case "SHA-512/256", "SHA512/256" ->
+                                            new SHA2(
+                                                    256,
+                                                    new SHA2(512, detectionLocation),
+                                                    detectionLocation);
+                                    case "SHA3-224" -> new SHA3(224, detectionLocation);
+                                    case "SHA3-256" -> new SHA3(256, detectionLocation);
+                                    case "SHA3-384" -> new SHA3(384, detectionLocation);
+                                    case "SHA3-512" -> new SHA3(512, detectionLocation);
+                                    default -> null;
+                                })
+                .map(HMAC::new);
     }
 }
diff --git a/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaPBKDFMapper.java b/mapper/src/main/java/com/ibm/mapper/mapper/jca/JcaPBKDFMapper.java
@@ -20,7 +20,7 @@
 package com.ibm.mapper.mapper.jca;
 
 import com.ibm.mapper.mapper.IMapper;
-import com.ibm.mapper.model.Algorithm;
+import com.ibm.mapper.model.IAlgorithm;
 import com.ibm.mapper.model.Mac;
 import com.ibm.mapper.model.PasswordBasedKeyDerivationFunction;
 import com.ibm.mapper.model.algorithms.PBKDF2;
@@ -48,7 +48,7 @@ public Optional<PasswordBasedKeyDerivationFunction> parse(
         String prf = str.substring(algoStartIndex);
 
         final JcaMacMapper jcaMacMapper = new JcaMacMapper();
-        final Optional<? extends Algorithm> macOptional =
+        final Optional<? extends IAlgorithm> macOptional =
                 jcaMacMapper.parse(prf, detectionLocation);
         if (macOptional.isPresent() && macOptional.get() instanceof Mac hmac) {
             return macOptional.map(mac -> new PBKDF2(hmac));