CROSSINGTUD / CryptoAnalysis

CogniCrypt_SAST: CrySL-to-Static Analysis Compiler
Eclipse Public License 2.0

Misuses caught in analysis where a map is used for storing values #165

Open enriozuni opened 5 years ago

enriozuni commented 5 years ago

In various CryptoGuard projects from issue #134 that were tested headless, the analysis did not catch misuses in the following scenario. The cases include a particular scenario where a value is stored in a map and is later used as a parameter in objects from the JCA. I have listed below the projects and the objects from the JCA that were present in these cases.

CryptoGuard projects and their respective cases

Below are the cases that were tested headless. They are grouped according to their project name in CryptoGuard and the JCA object involved.

```java
import javax.crypto.spec.PBEParameterSpec;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;

public class LessThan1000IterationPBEABHCase1 {
    public static void main(String[] args) {
        LessThan1000IterationPBEABHCase1 lt = new LessThan1000IterationPBEABHCase1();
        lt.key2();
    }

    public void key2() {
        String name = "abcdef";
        Map<String, Integer> hm = new HashMap<String, Integer>();
        hm.put("aaa", new Integer(1020));
        hm.put("bbb", new Integer(20));

        // the iteration count (20) reaches PBEParameterSpec only via the map
        int iteration = hm.get("bbb");

        SecureRandom random = new SecureRandom();
        PBEParameterSpec pbeParamSpec = null;
        byte[] salt = new byte[32];
        random.nextBytes(salt);
        //int count = 20;
        pbeParamSpec = new PBEParameterSpec(salt, iteration);
    }
}
```

No ConstraintError is reported in PBEParameterSpec for the iteration count being less than 10000.

* __predictableseeds__  _(SecureRandom)_
Other similar cases in this project folder include:
  * [PredictableSeedsABHCase2](https://github.com/CryptoGuardOSS/cryptoapi-bench/blob/master/src/main/java/org/cryptoapi/bench/predictableseeds/PredictableSeedsABHCase2.java)
  * [PredictableSeedsABHCase4](https://github.com/CryptoGuardOSS/cryptoapi-bench/blob/master/src/main/java/org/cryptoapi/bench/predictableseeds/PredictableSeedsABHCase4.java)

* __predictablecryptographickey__  _(SecretKeySpec)_
Other similar cases in this project folder include the case where the misuse is caught by the analysis, but not because the analysis understands that a map is used. So the fix for this issue needs to take these types of cases into account as well. The case is [PredictableCryptographicKeyABHCase2](https://github.com/CryptoGuardOSS/cryptoapi-bench/blob/master/src/main/java/org/cryptoapi/bench/predictablecryptographickey/PredictableCryptographicKeyABHCase2.java)
```java
package example.predictablecryptographickey;

import javax.crypto.spec.SecretKeySpec;
import java.io.UnsupportedEncodingException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

public class PredictableCryptographicKeyABHCase2 {
    public static void main(String [] args) throws UnsupportedEncodingException {

        Map<String,String> hm = new HashMap<String, String>();
        hm.put("aaa", "afix");
        hm.put("bbb", "bfix");
        hm.put("ccc", "cfix");
        hm.put("ddd", "dfix");

        String key = hm.get("aaa");

        byte [] keyBytes = key.getBytes();
        keyBytes = Arrays.copyOf(keyBytes,16);
        SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
    }
}
```
johspaeth commented 5 years ago

We currently do not model maps, lists, etc.; hence the analysis does not detect the flow.
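To make the gap concrete, here is an added example that is not part of CryptoAnalysis, CrySL or the CryptoGuard benchmark: a toy constant-propagation pass over a tiny three-address IR that mirrors both snippets from the issue (the PBEParameterSpec iteration count and the SecretKeySpec key material, each flowing through a `HashMap`). The IR, its opcodes, the `analyze` function and the "hard-coded key" report are assumptions chosen for the illustration; the only page-derived fact is the `iterationCount >= 10000` threshold quoted above. Run with `model_maps=False` the pass behaves like the situation the maintainer describes (a `get` yields no constant, so nothing is reported); with `model_maps=True` it tracks `put`/`get` on literal keys and reports both misuses.

```python
# Added example, not CryptoAnalysis code: a toy constant-propagation pass that
# shows why an analysis which does not model Map.put/Map.get misses the
# misuses from the issue. IR shape, opcodes and reports are assumptions.
from typing import Dict, List, Optional, Tuple, Union

Value = Union[int, str]
UNKNOWN = None  # "no constant known for this variable" (the lattice top)

# Assumption: threshold of the CrySL PBEParameterSpec rule as quoted in the issue.
MIN_ITERATIONS = 10000

# Constructed program mirroring LessThan1000IterationPBEABHCase1:
# iteration count 20 is put into a map and read back before the JCA call.
PBE_PROGRAM: List[Tuple] = [
    ("newmap", "hm"),
    ("const", "t1", 1020),
    ("put", "hm", "aaa", "t1"),
    ("const", "t2", 20),
    ("put", "hm", "bbb", "t2"),
    ("get", "iteration", "hm", "bbb"),
    ("call", "PBEParameterSpec", "salt", "iteration"),
]

# Constructed program mirroring PredictableCryptographicKeyABHCase2:
# a literal string is put into a map and used as key material.
KEY_PROGRAM: List[Tuple] = [
    ("newmap", "hm"),
    ("const", "k", "afix"),
    ("put", "hm", "aaa", "k"),
    ("get", "key", "hm", "aaa"),
    ("call", "SecretKeySpec", "key"),
]


def analyze(program: List[Tuple], model_maps: bool) -> List[str]:
    """Propagate constants through the IR and collect misuse reports.

    model_maps=False: every `get` yields UNKNOWN, so values that only reach a
    JCA constructor through a map are invisible (the behaviour in the issue).
    model_maps=True: `put`/`get` on literal keys are tracked per map object."""
    env: Dict[str, Optional[Value]] = {}
    maps: Dict[str, Dict[str, Optional[Value]]] = {}
    reports: List[str] = []
    for instr in program:
        op = instr[0]
        if op == "const":
            env[instr[1]] = instr[2]
        elif op == "newmap":
            maps[instr[1]] = {}
        elif op == "put":
            _, m, key, src = instr
            if model_maps:
                maps.setdefault(m, {})[key] = env.get(src, UNKNOWN)
        elif op == "get":
            _, dst, m, key = instr
            env[dst] = maps.get(m, {}).get(key, UNKNOWN) if model_maps else UNKNOWN
        elif op == "call":
            _, callee, *args = instr
            if callee == "PBEParameterSpec":
                count = env.get(args[1], UNKNOWN)
                if isinstance(count, int) and count < MIN_ITERATIONS:
                    reports.append(
                        f"ConstraintError: PBEParameterSpec iterationCount = {count} < {MIN_ITERATIONS}"
                    )
            elif callee == "SecretKeySpec":
                key_val = env.get(args[0], UNKNOWN)
                if isinstance(key_val, str):
                    reports.append("ConstraintError: SecretKeySpec built from hard-coded key material")
    return reports


if __name__ == "__main__":
    for name, prog in (("PBE", PBE_PROGRAM), ("KEY", KEY_PROGRAM)):
        print(name, "without map model:", analyze(prog, model_maps=False))
        print(name, "with map model:   ", analyze(prog, model_maps=True))
```

The map model here is deliberately narrow: it is keyed on literal strings and keeps one abstract map per allocation, so a `get` with a non-literal key or on an aliased map falls back to UNKNOWN rather than guessing. That conservative fallback is what keeps the extended analysis from producing reports the code cannot justify.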