Crypto: Add BouncyCastle signatures and block cipher modes #20575
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds the `KeyGenerationOperationInstance` and `KeyGenerationAlgorithmInstance` types to the BouncyCastle model. It also adds data flow support from key pairs to the corresponding public and private components.
This commit also adds associated elliptic curves to the key generation and key nodes.
This commit adds support for ECDSA. This includes tracking the instantiated curve parameters using data flow. It also adds SignatureArtifactInstance and SignatureOperationInstance types to the shared model.
This commit adds EllipticCurveConsumingAlgorithmInstance to the shared model, allowing us to model and graph elliptic curve algorithms.
Co-authored-by: Arthur Baars <aibaars@github.com>
This commit also reorganizes the Bouncy Castle test cases into separate sub-directories for signature and cipher modes.
- Signature operations are now handled by a single algorithm instance - All key generation operations except generic EC key generation operations are now handled by a single algorithm instance - Ed25519 and Ed448 key generation have the algorithm set to Ed25519 and Ed448 respectively - For generic EC key generation operations the algorithm is given by the corresponding curve (since these could be used for either ECDSA or ECDH)
There was a problem hiding this comment.
Pull Request Overview
This pull request adds comprehensive BouncyCastle cryptographic library support to the quantum framework, implementing signature algorithms, block cipher modes, and elliptic curve operations. The changes extend the modeling capabilities to cover BouncyCastle's low-level API patterns including signatures (ECDSA, Ed25519, Ed448, LMS), block cipher modes (CBC, GCM), and key generation.
- Adds a new BouncyCastle module with operation instances, algorithm instances, and flow analysis for signature algorithms and block cipher modes
- Extends the quantum model with elliptic curve consuming algorithms and signature algorithms including LMS, HSS, and MLDSA
- Implements comprehensive test suites demonstrating the analysis of BouncyCastle's low-level APIs for signatures and block cipher modes
Reviewed Changes
Copilot reviewed 71 out of 71 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| shared/quantum/codeql/quantum/experimental/Model.qll | Adds elliptic curve consuming algorithms and new signature types |
| java/ql/lib/experimental/quantum/Language.qll | Integrates BouncyCastle module into quantum framework |
| java/ql/lib/experimental/quantum/BouncyCastle/ | New module implementing BouncyCastle-specific operation instances, algorithm instances, and flow analysis |
| java/ql/test/stubs/bcprov-lts8on-2.73.7/ | Comprehensive test stubs for BouncyCastle library classes |
| java/ql/test/experimental/library-tests/quantum/BouncyCastle/ | Test cases validating signature algorithms and block cipher modes |
Comment on lines
819
to
820
| * Gets the consumer of the signature that is being verified in case of a | ||
| * verification operation. |
There was a problem hiding this comment.
Duplicate documentation comment - the same description is repeated twice. Remove the duplicate lines.
Suggested change
| * Gets the consumer of the signature that is being verified in case of a | |
| * verification operation. |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request is a copy of the #19568 branch created to make changes to those contributions.