Skip to content

Commit c0871de

Browse files
authored
Merge pull request #22077 from geoffw0/javainline
Java: Address testFailures in inline expectations tests
2 parents be39051 + 897d169 commit c0871de

9 files changed

Lines changed: 11 additions & 34 deletions

File tree

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptThenMac.expected

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -29,8 +29,3 @@ nodes
2929
| BadMacUse.java:146:48:146:57 | ciphertext : byte[] | semmle.label | ciphertext : byte[] |
3030
| BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext |
3131
subpaths
32-
testFailures
33-
| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source |
34-
| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source |
35-
| BadMacUse.java:92:31:92:35 | bytes : byte[] | Unexpected result: Source |
36-
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderDecryptToMac.expected

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -30,8 +30,3 @@ nodes
3030
| BadMacUse.java:118:83:118:84 | iv : byte[] | semmle.label | iv : byte[] |
3131
| BadMacUse.java:124:42:124:51 | ciphertext | semmle.label | ciphertext |
3232
subpaths
33-
testFailures
34-
| BadMacUse.java:63:118:63:128 | // $ Source | Missing result: Source |
35-
| BadMacUse.java:92:16:92:36 | doFinal(...) : byte[] | Unexpected result: Source |
36-
| BadMacUse.java:124:42:124:51 | ciphertext | Unexpected result: Alert |
37-
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacOrderMacOnEncryptPlaintext.expected

Lines changed: 0 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -44,8 +44,3 @@ nodes
4444
| BadMacUse.java:146:48:146:57 | ciphertext : byte[] [[]] : Object | semmle.label | ciphertext : byte[] [[]] : Object |
4545
| BadMacUse.java:152:42:152:51 | ciphertext | semmle.label | ciphertext |
4646
subpaths
47-
testFailures
48-
| BadMacUse.java:50:56:50:66 | // $ Source | Missing result: Source |
49-
| BadMacUse.java:139:79:139:90 | input : byte[] | Unexpected result: Source |
50-
| BadMacUse.java:146:95:146:105 | // $ Source | Missing result: Source |
51-
| BadMacUse.java:152:42:152:51 | ciphertext | Unexpected result: Alert |

java/ql/test/experimental/query-tests/quantum/examples/BadMacUse/BadMacUse.java

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -47,7 +47,7 @@ public void BadDecryptThenMacOnPlaintextVerify(byte[] encryptionKeyBytes, byte[]
4747
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
4848
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
4949
cipher.init(Cipher.DECRYPT_MODE, encryptionKey, new SecureRandom());
50-
byte[] plaintext = cipher.doFinal(ciphertext); // $ Source
50+
byte[] plaintext = cipher.doFinal(ciphertext); // $ Source[java/quantum/examples/bad-mac-order-decrypt-to-mac]
5151

5252
// Now verify MAC (too late)
5353
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
@@ -60,7 +60,7 @@ public void BadDecryptThenMacOnPlaintextVerify(byte[] encryptionKeyBytes, byte[]
6060
}
6161
}
6262

63-
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source
63+
public void BadMacOnPlaintext(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] plaintext) throws Exception {// $ Source[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
6464
// Create keys directly from provided byte arrays
6565
SecretKey encryptionKey = new SecretKeySpec(encryptionKeyBytes, "AES");
6666
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
@@ -89,7 +89,7 @@ public byte[] cipherOperationWrapper(byte[] bytes, byte[] encryptionKeyBytes, by
8989

9090
IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
9191
cipher.init(mode, secretKeySpec, ivParameterSpec);
92-
return cipher.doFinal(bytes);
92+
return cipher.doFinal(bytes); // $ Source[java/quantum/examples/bad-mac-order-decrypt-then-mac] Source[java/quantum/examples/bad-mac-order-decrypt-to-mac]
9393
}
9494

9595
/**
@@ -121,7 +121,7 @@ public byte[] falsePositiveDecryptToMac(byte[] encryptionKeyBytes, byte[] macKey
121121
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
122122
Mac mac = Mac.getInstance("HmacSHA256");
123123
mac.init(macKey);
124-
byte[] computedMac = mac.doFinal(ciphertext); // False Positive
124+
byte[] computedMac = mac.doFinal(ciphertext); // $ SPURIOUS: Alert[java/quantum/examples/bad-mac-order-decrypt-to-mac]
125125

126126
// Concatenate ciphertext and MAC
127127
byte[] output = new byte[ciphertext.length + computedMac.length];
@@ -136,20 +136,20 @@ public byte[] falsePositiveDecryptToMac(byte[] encryptionKeyBytes, byte[] macKey
136136
* The function decrypts THEN computes the MAC on the plaintext.
137137
* It should have the MAC computed on the ciphertext first.
138138
*/
139-
public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] input) throws Exception {
139+
public void decryptThenMac(byte[] encryptionKeyBytes, byte[] macKeyBytes, byte[] input) throws Exception { // $ SPURIOUS: Source[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
140140
// Split input into ciphertext and MAC
141141
int macLength = 32; // HMAC-SHA256 output length
142142
byte[] ciphertext = Arrays.copyOfRange(input, 0, input.length - macLength);
143143
byte[] receivedMac = Arrays.copyOfRange(input, input.length - macLength, input.length);
144144

145145
// Decrypt first (unsafe)
146-
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]); // $ Source
146+
byte[] plaintext = decryptUsingWrapper(ciphertext, encryptionKeyBytes, new byte[16]);
147147

148148
// Now verify MAC (too late)
149149
SecretKey macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
150150
Mac mac = Mac.getInstance("HmacSHA256");
151151
mac.init(macKey);
152-
byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac], False positive for Plaintext reuse
152+
byte[] computedMac = mac.doFinal(ciphertext); // $ Alert[java/quantum/examples/bad-mac-order-decrypt-then-mac] SPURIOUS: Alert[java/quantum/examples/bad-mac-order-encrypt-plaintext-also-in-mac]
153153

154154
if (!MessageDigest.isEqual(receivedMac, computedMac)) {
155155
throw new SecurityException("MAC verification failed");

java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -126,5 +126,3 @@ nodes
126126
| InsecureIVorNonceSource.java:202:54:202:55 | iv : byte[] | semmle.label | iv : byte[] |
127127
| InsecureIVorNonceSource.java:206:51:206:56 | ivSpec | semmle.label | ivSpec |
128128
subpaths
129-
testFailures
130-
| InsecureIVorNonceSource.java:42:21:42:21 | 1 : Number | Unexpected result: Source |

java/ql/test/experimental/query-tests/quantum/examples/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@ public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) thr
3939
public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
4040
byte[] iv = new byte[16];
4141
for (byte i = 0; i < iv.length; i++) {
42-
iv[i] = 1;
42+
iv[i] = 1; // $ Source[java/quantum/examples/insecure-iv-or-nonce]
4343
}
4444

4545
IvParameterSpec ivSpec = new IvParameterSpec(iv);

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/Test.java

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -40,11 +40,11 @@ public void pbkdf2LowIteration(String password) throws Exception {
4040
* SAST/CBOM: - Parent: PBKDF2. - Iteration count is only 10, which is far
4141
* below acceptable security standards. - Flagged as insecure.
4242
*/
43-
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source
43+
public void pbkdf2LowIteration(String password, int iterationCount) throws Exception { // $ Source[java/quantum/examples/unknown-kdf-iteration-count]
4444
byte[] salt = generateSalt(16);
45-
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count]
45+
PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterationCount, 256);
4646
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
47-
byte[] key = factory.generateSecret(spec).getEncoded();
47+
byte[] key = factory.generateSecret(spec).getEncoded(); // $ Alert[java/quantum/examples/unknown-kdf-iteration-count]
4848
}
4949

5050
/**
Original file line numberDiff line numberDiff line change
@@ -1,5 +1 @@
1-
#select
21
| Test.java:47:22:47:49 | KeyDerivation | Key derivation operation with unknown iteration: $@ | Test.java:43:53:43:70 | iterationCount | iterationCount |
3-
testFailures
4-
| Test.java:45:94:45:154 | // $ Alert[java/quantum/examples/unknown-kdf-iteration-count] | Missing result: Alert[java/quantum/examples/unknown-kdf-iteration-count] |
5-
| Test.java:47:22:47:49 | Key derivation operation with unknown iteration: $@ | Unexpected result: Alert |

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownKDFIterationCount/WeakKDFIterationCount.expected

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,5 +12,3 @@ nodes
1212
| Test.java:58:30:58:38 | 1_000_000 : Number | semmle.label | 1_000_000 : Number |
1313
| Test.java:59:72:59:85 | iterationCount | semmle.label | iterationCount |
1414
subpaths
15-
testFailures
16-
| Test.java:43:92:43:102 | // $ Source | Missing result: Source |

0 commit comments

Comments
 (0)