Add RSA without OEAP query and qhelp

joefarebrother · joefarebrother · commit 41bdd6d4cc1a · 2022-08-17T10:35:46.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -0,0 +1,15 @@
+/** Definitions for the RSE without OAEP query */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/** Holds if `ma` is a call to `Cipher.getInstance` which initialises an RSA cipher without using OAEP padding. */
+predicate rsaWithoutOaepCall(MethodAccess ma) {
+  ma.getMethod().hasQualifiedName("javax.crypto", "Cipher", "getInstance") and
+  exists(CompileTimeConstantExpr specExpr, string spec |
+    specExpr.getStringValue() = spec and
+    DataFlow::localExprFlow(specExpr, ma.getArgument(0)) and
+    spec.matches("RSA/%") and
+    not spec.matches("%OAEP%")
+  )
+}
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
@@ -0,0 +1,7 @@
+// BAD: No padding scheme is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding")
+...
+
+//GOOD: OAEP padding is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding")
+...
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP scheme (Optimal Asymmetric Encryption Padding) should used with RSA encryption.
+    Using no padding or an outdated padding scheme such as PKCS1 can weaken the encryption by making it vulnerable to a padding oracle attack.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>Use the OAEP scheme when using RSA encryption.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
+    <sample src="RsaWithoutOaep.java" />
+  </example>
+
+  <references>
+    <li>
+      <a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
+    </li>
+    <li>
+      <a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Use of RSA algorithm without OAEP
+ * @description Using RSA encryption without OAEP padding can lead to a padding oracle attack, weakening the encryption.
+ * @kind problem
+ * @problem.severity warning
+ * @precision high
+ * @id java/rsa-without-oaep
+ * @tags security
+ *       external/cwe/cwe-780
+ */
+
+import java
+import semmle.code.java.security.RsaWithoutOaepQuery
+
+from MethodAccess ma
+where rsaWithoutOaepCall(ma)
+select ma, "This instance of RSA does not use OAEP padding."
