Commit a9449cc

Add EC to secure algorithm whitelist for Java CWE-327 query
1 parent a8b52ac commit a9449cc

3 files changed

+42
-1
lines changed
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`) as potentially insecure. These are modern, secure algorithms recommended by NIST SP 800-57 and other standards bodies. Previously, these algorithms were not included in the secure algorithm whitelist, causing false positives when using standard Java cryptographic APIs such as `KeyPairGenerator.getInstance("EC")`.
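
Review bot: The change note scopes the effect to `java/potentially-weak-cryptographic-algorithm` only, but the edit in this commit is to `getASecureAlgorithmName()` in the shared library file `java/ql/lib/semmle/code/java/security/Encryption.qll`. If any other query consumes that predicate, its results change as well, so either list those queries here or word the note as a library change. The phrase "recommended by NIST SP 800-57" is applied to all nine names at once; consider citing a reference per family (ECDSA/ECDH, EdDSA, XDH) or dropping the specific document number unless it covers each name.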

java/ql/lib/semmle/code/java/security/Encryption.qll

Lines changed: 5 additions & 1 deletion
@@ -259,7 +259,11 @@ string getASecureAlgorithmName() {
259259
result =
260260
[
261261
"RSA", "SHA-?(256|384|512)", "CCM", "GCM", "AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))",
262-
"Blowfish", "ECIES", "SHA3-(256|384|512)"
262+
"Blowfish", "ECIES", "SHA3-(256|384|512)",
263+
// Elliptic Curve algorithms: EC (key generation), ECDSA (signatures), ECDH (key agreement),
264+
// EdDSA/Ed25519/Ed448 (Edwards-curve signatures), XDH/X25519/X448 (key agreement).
265+
// These are modern, secure algorithms recommended by NIST and other standards bodies.
266+
"EC", "ECDSA", "ECDH", "EdDSA", "Ed25519", "Ed448", "XDH", "X25519", "X448"
263267
]
264268
}
265269
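
Review bot: The new entry `"EC"` on line 266 is a two-letter token, and nothing in this hunk shows how the list entries are anchored when they are matched against an algorithm string. The neighbouring `AES(?![^a-zA-Z](ECB|CBC/PKCS[57]Padding))` entry exists to keep ECB mode off the secure list, so please confirm that `"EC"` can only match a whole name component and never the leading `EC` of `ECB`, and state that matching rule in the comment above the new line. The comment's "recommended by NIST and other standards bodies" could also name the same reference the change note uses, so the two stay in sync.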

java/ql/test/query-tests/security/CWE-327/semmle/tests/Test.java

Lines changed: 33 additions & 0 deletions
@@ -46,6 +46,39 @@ public void test() {
4646
cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
4747

4848
byte[] encrypted = cipher.doFinal(input.getBytes("UTF-8"));
49+
50+
KeyPairGenerator keyPairGenerator;
51+
52+
// GOOD: EC is a secure algorithm for key pair generation
53+
keyPairGenerator = KeyPairGenerator.getInstance("EC");
54+
55+
// GOOD: ECDSA is a secure algorithm for digital signatures
56+
Signature ecdsaSig = Signature.getInstance("ECDSA");
57+
58+
// GOOD: ECDH is a secure algorithm for key agreement
59+
KeyAgreement ecdhKa = KeyAgreement.getInstance("ECDH");
60+
61+
// GOOD: EdDSA is a secure algorithm (Edwards-curve Digital Signature Algorithm)
62+
keyPairGenerator = KeyPairGenerator.getInstance("EdDSA");
63+
64+
// GOOD: Ed25519 is a secure algorithm
65+
keyPairGenerator = KeyPairGenerator.getInstance("Ed25519");
66+
67+
// GOOD: Ed448 is a secure algorithm
68+
keyPairGenerator = KeyPairGenerator.getInstance("Ed448");
69+
70+
// GOOD: XDH is a secure algorithm for key agreement
71+
keyPairGenerator = KeyPairGenerator.getInstance("XDH");
72+
73+
// GOOD: X25519 is a secure algorithm for key agreement
74+
keyPairGenerator = KeyPairGenerator.getInstance("X25519");
75+
76+
// GOOD: X448 is a secure algorithm for key agreement
77+
keyPairGenerator = KeyPairGenerator.getInstance("X448");
78+
79+
// GOOD: SHA256withECDSA is a secure signature algorithm
80+
Signature sha256Ecdsa = Signature.getInstance("SHA256withECDSA");
81+
4982
} catch (Exception e) {
5083
// fail
5184
}
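
Review bot: There is no negative case in the added lines 49-81: every new call is marked `// GOOD`, so the test shows the new names are no longer flagged but not that the short `EC` entry has left existing alerts intact. Add at least one `// BAD` case whose transformation string contains `ECB` and confirm it is still reported. The `SHA256withECDSA` case contains `SHA256`, which the existing `SHA-?(256|384|512)` pattern may already accept, so it may not exercise the new entries on its own. The hunk also uses `KeyPairGenerator`, `Signature` and `KeyAgreement` without adding imports, so check that the file already imports them.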
