Merge pull request #395 from panoob/develop

schlichtig · web-flow · commit 5acb393eb5da · 2024-07-02T18:01:00.000+02:00
fix wrong arrayLocal in extractSootArray for HardcodedError
diff --git a/CryptoAnalysis/src/test/java/tests/headless/StaticAnalysisDemoTest.java b/CryptoAnalysis/src/test/java/tests/headless/StaticAnalysisDemoTest.java
@@ -144,6 +144,22 @@ public void predicateInstanceOfExample() {
 		scanner.run();
 		assertErrors(scanner.getErrorCollection());
 	}
+
+	@Test
+	public void hardCodedExample() {
+		String mavenProjectPath = new File("../CryptoAnalysisTargets/HardcodedTestExamples/").getAbsolutePath();
+		MavenProject mavenProject = createAndCompile(mavenProjectPath);
+		HeadlessCryptoScanner scanner = createScanner(mavenProject);
+
+		setErrorsCount("<TruePositive: byte[] getKey(char[],byte[],int,int)>", HardCodedError.class, 1);
+		setErrorsCount("<TruePositive: byte[] getKey(char[],byte[],int,int)>", RequiredPredicateError.class, 2);
+
+		setErrorsCount("<TrueNegative: byte[] getKey(char[],byte[],int,int)>", HardCodedError.class, 0);
+		setErrorsCount("<TrueNegative: byte[] getKey(char[],byte[],int,int)>", RequiredPredicateError.class, 0);
+
+		scanner.run();
+		assertErrors(scanner.getErrorCollection());
+	}
 	
 	@Test
 	public void sslExample() {
diff --git a/CryptoAnalysisTargets/HardcodedTestExamples/pom.xml b/CryptoAnalysisTargets/HardcodedTestExamples/pom.xml
@@ -0,0 +1,21 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>example</groupId>
+  <artifactId>PBEKeySpec-TP</artifactId>
+  <packaging>jar</packaging>
+  <version>0.0.1-SNAPSHOT</version>
+  <name>PBEKeySpec-TP</name>
+  <build>
+    <plugins>
+      <plugin>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <version>3.8.0</version>
+        <configuration>
+          <source>1.8</source>
+          <target>1.8</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/CryptoAnalysisTargets/HardcodedTestExamples/src/main/java/example/TrueNegative.java b/CryptoAnalysisTargets/HardcodedTestExamples/src/main/java/example/TrueNegative.java
@@ -0,0 +1,36 @@
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.SecureRandom;
+
+public class TrueNegative {
+
+    public void trueNegative() {
+        byte[] pass = new byte[256];
+        byte[] salt = new byte[256];
+
+        SecureRandom secureRandom = new SecureRandom();
+        secureRandom.nextBytes(salt);
+        secureRandom.nextBytes(pass);
+
+        // convert byte array to char array
+        char[] passwd = new char[pass.length];
+        for(int i=0; i < pass.length; i++){
+            passwd[i] = (char) (pass[i]&0xff);
+        }
+
+        byte[] key = getKey(passwd, salt, 10000, 256);
+    }
+
+    public static byte[] getKey(char[] pass, byte[] salt, int iterations, int size) {
+        // generate a key via a PBEKeySpec
+        try{
+            PBEKeySpec spec = new PBEKeySpec(pass, salt, iterations, size);
+            SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+            byte[] key = skf.generateSecret(spec).getEncoded();
+            spec.clearPassword();
+            return key;
+        } catch (Exception e) {
+        }
+        return null;
+    }
+}
diff --git a/CryptoAnalysisTargets/HardcodedTestExamples/src/main/java/example/TruePositive.java b/CryptoAnalysisTargets/HardcodedTestExamples/src/main/java/example/TruePositive.java
@@ -0,0 +1,29 @@
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.SecureRandom;
+
+public class TruePositive {
+
+    public void truePositive() {
+        char[] passwd = {'t','h','i','s'};
+        byte[] salt = new byte[256];
+
+        SecureRandom secureRandom = new SecureRandom();
+        secureRandom.nextBytes(salt);
+
+        byte[] key = getKey(passwd, salt, 10000, 256);
+    }
+
+    public static byte[] getKey(char[] pass, byte[] salt, int iterations, int size) {
+        // generate a key via a PBEKeySpec
+        try{
+            PBEKeySpec spec = new PBEKeySpec(pass, salt, iterations, size);
+            SecretKeyFactory skf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
+            byte[] key = skf.generateSecret(spec).getEncoded();
+            spec.clearPassword();
+            return key;
+        } catch (Exception e) {
+        }
+        return null;
+    }
+}
