Fix QL-for-QL alerts

Author: nicolaswill

java/ql/lib/experimental/quantum/JCA.qll

@@ -1954,9 +1954,9 @@ module JCAModel {
       result = this
       or
       // Explicit PSS hash from PSSParameterSpec via Signature.setParameter()
-      exists(PSSParameterSpecInstantiation spec |
+      exists(PssParameterSpecInstantiation spec |
         pssSpecForSignatureLiteral(spec, this) and
-        result.(PSSParameterSpecDigestHashAlgorithmInstance).getSpec() = spec
+        result.(PssParameterSpecDigestHashAlgorithmInstance).getSpec() = spec
       )
     }
 
@@ -1965,9 +1965,9 @@ module JCAModel {
       result = this
       or
       // Explicit MGF1 hash from PSSParameterSpec via Signature.setParameter()
-      exists(PSSParameterSpecInstantiation spec |
+      exists(PssParameterSpecInstantiation spec |
         pssSpecForSignatureLiteral(spec, this) and
-        result.(PSSParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec
+        result.(PssParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec
       )
     }
   }
@@ -1976,8 +1976,8 @@ module JCAModel {
    * A PSSParameterSpec instantiation, e.g.,
    * new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)
    */
-  class PSSParameterSpecInstantiation extends ClassInstanceExpr {
-    PSSParameterSpecInstantiation() {
+  class PssParameterSpecInstantiation extends ClassInstanceExpr {
+    PssParameterSpecInstantiation() {
       this.getConstructedType().hasQualifiedName("java.security.spec", "PSSParameterSpec")
     }
 
@@ -1999,8 +1999,8 @@ module JCAModel {
    * `MGF1ParameterSpec.SHA256`. These fields represent well-known MGF1 hash
    * algorithm configurations.
    */
-  class MGF1ParameterSpecFieldAccess extends FieldAccess {
-    MGF1ParameterSpecFieldAccess() {
+  class Mgf1ParameterSpecFieldAccess extends FieldAccess {
+    Mgf1ParameterSpecFieldAccess() {
       this.getField().getDeclaringType().hasQualifiedName("java.security.spec", "MGF1ParameterSpec") and
       this.getField().isStatic()
     }
@@ -2030,18 +2030,18 @@ module JCAModel {
    *
    * Type resolution delegates to hash_name_to_type_known from Standardization.
    */
-  class PSSParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant
+  class PssParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant
   {
-    PSSParameterSpecInstantiation spec;
+    PssParameterSpecInstantiation spec;
 
-    PSSParameterSpecDigestHashAlgorithmInstance() {
+    PssParameterSpecDigestHashAlgorithmInstance() {
       this = spec.getDigestAlgorithmArg() and
       // Only instantiate when the value resolves to a known hash type
       exists(hash_name_to_type_known(super.getValue(), _))
     }
 
     /** Gets the PSSParameterSpec this digest hash belongs to. */
-    PSSParameterSpecInstantiation getSpec() { result = spec }
+    PssParameterSpecInstantiation getSpec() { result = spec }
 
     override string getRawHashAlgorithmName() { result = super.getValue() }
 
@@ -2062,20 +2062,20 @@ module JCAModel {
    * The field name is normalized to a standard hash algorithm name (e.g.,
    * SHA256 -> SHA-256), then type resolution delegates to hash_name_to_type_known.
    */
-  class PSSParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof MGF1ParameterSpecFieldAccess
+  class PssParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof Mgf1ParameterSpecFieldAccess
   {
-    PSSParameterSpecInstantiation spec;
+    PssParameterSpecInstantiation spec;
     string normalizedName;
 
-    PSSParameterSpecMgf1HashAlgorithmInstance() {
+    PssParameterSpecMgf1HashAlgorithmInstance() {
       this = spec.getMgfSpecArg() and
       normalizedName = super.getHashAlgorithmName() and
       // Only instantiate when the normalized name resolves to a known hash type
       exists(hash_name_to_type_known(normalizedName, _))
     }
 
     /** Gets the PSSParameterSpec this MGF1 hash belongs to. */
-    PSSParameterSpecInstantiation getSpec() { result = spec }
+    PssParameterSpecInstantiation getSpec() { result = spec }
 
     override string getRawHashAlgorithmName() { result = super.getField().getName() }
 
@@ -2219,15 +2219,15 @@ module JCAModel {
   /**
    * Flow from `PSSParameterSpec` instantiation to `Signature.setParameter()` argument.
    */
-  module PSSSpecToSetParameterConfig implements DataFlow::ConfigSig {
-    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PSSParameterSpecInstantiation }
+  module PssSpecToSetParameterConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PssParameterSpecInstantiation }
 
     predicate isSink(DataFlow::Node sink) {
       exists(SignatureSetParameterCall c | sink.asExpr() = c.getParameterSpecArg())
     }
   }
 
-  module PSSSpecToSetParameterFlow = DataFlow::Global<PSSSpecToSetParameterConfig>;
+  module PssSpecToSetParameterFlow = DataFlow::Global<PssSpecToSetParameterConfig>;
 
   /**
    * Connects a PSSParameterSpec instantiation to the signature PSS padding literal
@@ -2239,7 +2239,7 @@ module JCAModel {
    * 3. The PSSParameterSpec flows to the same setParameter's argument
    */
   private predicate pssSpecForSignatureLiteral(
-    PSSParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal
+    PssParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal
   ) {
     exists(
       SignatureSetParameterCall setParam, SignatureGetInstanceCall getInstance,
@@ -2249,7 +2249,7 @@ module JCAModel {
       consumer = getInstance.getAlgorithmArg() and
       SignatureToSetParameterFlow::flow(DataFlow::exprNode(getInstance),
         DataFlow::exprNode(setParam.getQualifier())) and
-      PSSSpecToSetParameterFlow::flow(DataFlow::exprNode(spec),
+      PssSpecToSetParameterFlow::flow(DataFlow::exprNode(spec),
         DataFlow::exprNode(setParam.getParameterSpecArg()))
     )
   }

java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql

@@ -12,7 +12,7 @@ import experimental.quantum.Language
 
 from Crypto::EllipticCurveNode c, string detail
 where
-  if exists(string ks | c.properties("KeySize", ks, _))
+  if c.properties("KeySize", _, _)
   then
     exists(string ks |
       c.properties("KeySize", ks, _) and

java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_PS.ql

@@ -13,16 +13,16 @@ import Crypto::KeyOpAlg as KeyOpAlg
 
 from
   Crypto::SignatureOperationNode sigOp, Crypto::KeyOperationAlgorithmNode alg,
-  Crypto::PSSPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen
+  Crypto::PssPaddingAlgorithmNode pss, Crypto::HashAlgorithmNode hash, int digestLen
 where
   alg = sigOp.getAKnownAlgorithm() and
   alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
   pss = alg.getPaddingAlgorithm() and
   // Get hash from the PSS padding or from the signature operation
   (
-    hash = pss.getPSSHashAlgorithm()
+    hash = pss.getPssHashAlgorithm()
     or
-    hash = sigOp.getHashAlgorithm() and not exists(pss.getPSSHashAlgorithm())
+    hash = sigOp.getHashAlgorithm() and not exists(pss.getPssHashAlgorithm())
   ) and
   hash.getHashType() = Crypto::SHA2() and
   digestLen = hash.getDigestLength() and

java/ql/src/experimental/quantum/Examples/Demo/ProtocolJWS_RS.ql

@@ -18,7 +18,7 @@ where
   alg = sigOp.getAKnownAlgorithm() and
   alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
   // No PSS padding — implies PKCS#1 v1.5
-  not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and
+  not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and
   // Hash is SHA-2 with standard JWS digest lengths
   hash = sigOp.getHashAlgorithm() and
   hash.getHashType() = Crypto::SHA2() and

java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_OAEP.ql

@@ -11,7 +11,7 @@
 import experimental.quantum.Language
 import Crypto::KeyOpAlg as KeyOpAlg
 
-from Crypto::KeyOperationAlgorithmNode alg, Crypto::OAEPPaddingAlgorithmNode pad
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::OaepPaddingAlgorithmNode pad
 where
   alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
   pad = alg.getPaddingAlgorithm()

java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PKCS1v15.ql

@@ -21,7 +21,7 @@ where
     or
     // RSA signature without PSS — implies PKCS#1 v1.5 (e.g., SHA256withRSA)
     exists(Crypto::SignatureOperationNode sigOp | alg = sigOp.getAKnownAlgorithm()) and
-    not alg.getPaddingAlgorithm() instanceof Crypto::PSSPaddingAlgorithmNode and
+    not alg.getPaddingAlgorithm() instanceof Crypto::PssPaddingAlgorithmNode and
     variant = "implicit PKCS#1 v1.5 (RSA signature without PSS)"
   )
 select alg, "RSA PKCS#1 v1.5 protocol detected: " + variant + "."

java/ql/src/experimental/quantum/Examples/Demo/ProtocolRSA_PSS.ql

@@ -11,7 +11,7 @@
 import experimental.quantum.Language
 import Crypto::KeyOpAlg as KeyOpAlg
 
-from Crypto::KeyOperationAlgorithmNode alg, Crypto::PSSPaddingAlgorithmNode pss
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::PssPaddingAlgorithmNode pss
 where
   alg.getAlgorithmType() = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()) and
   pss = alg.getPaddingAlgorithm()

java/ql/src/experimental/quantum/Examples/Demo/QuantumVulnerablePadding.ql

@@ -14,14 +14,14 @@ from Crypto::PaddingAlgorithmNode pad, string msg
 where
   isQuantumVulnerablePaddingType(pad.getPaddingType()) and
   (
-    pad instanceof Crypto::PSSPaddingAlgorithmNode and
+    pad instanceof Crypto::PssPaddingAlgorithmNode and
     msg = "Quantum-vulnerable PSS padding scheme detected."
     or
-    pad instanceof Crypto::OAEPPaddingAlgorithmNode and
+    pad instanceof Crypto::OaepPaddingAlgorithmNode and
     msg = "Quantum-vulnerable OAEP padding scheme detected."
     or
-    not pad instanceof Crypto::PSSPaddingAlgorithmNode and
-    not pad instanceof Crypto::OAEPPaddingAlgorithmNode and
+    not pad instanceof Crypto::PssPaddingAlgorithmNode and
+    not pad instanceof Crypto::OaepPaddingAlgorithmNode and
     msg = "Quantum-vulnerable padding scheme: " + pad.getPaddingType().toString() + "."
   )
 select pad, msg

shared/quantum/codeql/quantum/experimental/Model.qll

@@ -2155,16 +2155,16 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     override string getRawAlgorithmName() { result = instance.getRawPaddingAlgorithmName() }
   }
 
-  class OAEPPaddingAlgorithmNode extends PaddingAlgorithmNode {
+  class OaepPaddingAlgorithmNode extends PaddingAlgorithmNode {
     override OaepPaddingAlgorithmInstance instance;
 
-    OAEPPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
+    OaepPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
 
-    HashAlgorithmNode getOAEPEncodingHashAlgorithm() {
+    HashAlgorithmNode getOaepEncodingHashAlgorithm() {
       result.asElement() = instance.getOaepEncodingHashAlgorithm()
     }
 
-    HashAlgorithmNode getMGF1HashAlgorithm() {
+    HashAlgorithmNode getMgf1HashAlgorithm() {
       result.asElement() = instance.getMgf1HashAlgorithm()
     }
 
@@ -2173,26 +2173,26 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       or
       // [KNOWN_OR_UNKNOWN]
       edgeName = "MD" and
-      if exists(this.getOAEPEncodingHashAlgorithm())
-      then result = this.getOAEPEncodingHashAlgorithm()
+      if exists(this.getOaepEncodingHashAlgorithm())
+      then result = this.getOaepEncodingHashAlgorithm()
       else result = this
       or
       // [KNOWN_OR_UNKNOWN]
       edgeName = "MGF1Hash" and
-      if exists(this.getMGF1HashAlgorithm())
-      then result = this.getMGF1HashAlgorithm()
+      if exists(this.getMgf1HashAlgorithm())
+      then result = this.getMgf1HashAlgorithm()
       else result = this
     }
   }
 
-  class PSSPaddingAlgorithmNode extends PaddingAlgorithmNode {
+  class PssPaddingAlgorithmNode extends PaddingAlgorithmNode {
     override PssPaddingAlgorithmInstance instance;
 
-    PSSPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
+    PssPaddingAlgorithmNode() { this = TPaddingAlgorithm(instance) }
 
-    HashAlgorithmNode getPSSHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() }
+    HashAlgorithmNode getPssHashAlgorithm() { result.asElement() = instance.getHashAlgorithm() }
 
-    HashAlgorithmNode getMGF1HashAlgorithm() {
+    HashAlgorithmNode getMgf1HashAlgorithm() {
       result.asElement() = instance.getMgf1HashAlgorithm()
     }
 
@@ -2201,14 +2201,14 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       or
       // [KNOWN_OR_UNKNOWN]
       edgeName = "MD" and
-      if exists(this.getPSSHashAlgorithm())
-      then result = this.getPSSHashAlgorithm()
+      if exists(this.getPssHashAlgorithm())
+      then result = this.getPssHashAlgorithm()
       else result = this
       or
       // [KNOWN_OR_UNKNOWN]
       edgeName = "MGF1Hash" and
-      if exists(this.getMGF1HashAlgorithm())
-      then result = this.getMGF1HashAlgorithm()
+      if exists(this.getMgf1HashAlgorithm())
+      then result = this.getMgf1HashAlgorithm()
       else result = this
     }
   }