Misuses not caught with static fields

[enriozuni]

In various CryptoGuard projects in issue #134 that were headless tested, misuses were not caught in the following scenario from the analysis. The cases include a particular scenario where many methods were used to assign field values. I have listed below the projects and the objects from the JCA that were present in these cases.

CryptoGuard projects and their respective cases

Below are cases that were headless tested. They are grouped according to their project name in CryptoGuard and the JCA object involved.

• brokencrypto (Cipher)
  • The following example is BrokenCryptoABICase5

package example.brokencrypto;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;

public class BrokenCryptoABICase5 {
    public static final String DEFAULT_CRYPTO = "DES/ECB/PKCS5Padding";
    private static char[] CRYPTO;
    private static char[] crypto;
    public void doCrypto() throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
        KeyGenerator keyGen = KeyGenerator.getInstance("DES");
        SecretKey key = keyGen.generateKey();
        Cipher cipher = Cipher.getInstance(String.valueOf(crypto));
        cipher.init(Cipher.ENCRYPT_MODE, key);
    }
    private static void go2(){
        CRYPTO = DEFAULT_CRYPTO.toCharArray();
    }
    private static void go3(){
        crypto = CRYPTO;
    }

    public static void main (String [] args) throws NoSuchPaddingException, NoSuchAlgorithmException, InvalidKeyException {
        BrokenCryptoABICase5 bc = new BrokenCryptoABICase5();
        go2();
        go3();
        bc.doCrypto();
    }
}

Findings from the analysis when this case is headless tested are:

in Method: void doCrypto()
		IncompleteOperationError violating CrySL rule for javax.crypto.Cipher (on Object #2b21e883bb899e9f55dccff1bb1aa4bc7b0625183907e1e52896b6889c477e4)
			Operation on object of type javax.crypto.Cipher object not completed. Expected call to javax.crypto.Cipher: void init(int,java.security.cert.Certificate,java.security.SecureRandom), javax.crypto.Cipher: void init(int,java.security.Key), javax.crypto.Cipher: void init(int,java.security.Key,java.security.AlgorithmParameters), javax.crypto.Cipher: void init(int,java.security.Key,java.security.SecureRandom), javax.crypto.Cipher: void init(int,java.security.Key,java.security.spec.AlgorithmParameterSpec), update, javax.crypto.Cipher: void init(int,java.security.Key,java.security.spec.AlgorithmParameterSpec,java.security.SecureRandom), javax.crypto.Cipher: void init(int,java.security.cert.Certificate), javax.crypto.Cipher: void init(int,java.security.Key,java.security.AlgorithmParameters,java.security.SecureRandom), wrap, doFinal
			at statement: virtualinvoke r3.<javax.crypto.Cipher: void init(int,java.security.Key)>(varReplacer25, r2)

		ConstraintError violating CrySL rule for javax.crypto.KeyGenerator (on Object #2a8eb841d92cb688ec3e9b2631b2d3b6000633656fea933823f6f935a18ebb2b)
			First parameter (with value "DES") should be any of {AES, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512}
			at statement: r1 = staticinvoke <javax.crypto.KeyGenerator: javax.crypto.KeyGenerator getInstance(java.lang.String)>(varReplacer26)

As seen, no ConstraintError regarding insecure algorithm used in Cipher is reported. Other similar cases in the same project folder include: BrokenCryptoABICase6, BrokenCryptoABICase7, BrokenCryptoABICase8, BrokenCryptoABICase10.

• brokenhash (MessageDigest)
  Other similar cases in this project folder include:

  • BrokenHashABICase5
  • BrokenHashABICase6
  • BrokenHashABICase7
  • BrokenHashABICase8

• ecbcrypto (Cipher)
  Other similar cases in this project folder include:

  • EcbInSymmCryptoABICase2

• insecureasymmetriccrypto (Cipher)
  Other similar cases in this project folder include:

  • InsecureAsymmetricCipherABICase2

• pbeiteration (PBEParameterSpec)
  Other similar cases in this project folder include:

  • LessThan1000IterationPBEABICase2

• predictablecryptographickey (SecretKeySpec)
  Other similar cases in this project folder include:

  • PredictableCryptographicKeyABICase2

• predictablekeystorepassword (KeyStore)
  Other similar cases in this project folder include:

  • PredictableKeyStorePasswordABICase2

• predictablepbepassword (PBEKeySpec)
  Other similar cases in this project folder include:

  • PredictablePBEPasswordABICase2

• predictableseeds (SecureRandom)
  Other similar cases in this project folder include:

  • PredictableSeedsABICase3
  • PredictableSeedsABICase4

• staticinitializationvector (IvParameterSpec)
  Other similar cases in this project folder include:

  • StaticInitializationVectorABICase2

• staticsalts (PBEParameterSpec)
  Other similar cases in this project folder include:

  • StaticSaltsABICase2

[kruegers]

Closing this as it is a duplicate to #97.