Add demos and tests for example deployment

Author: nicolaswill

java/ql/src/experimental/quantum/Examples/Demo/AllClassifications.ql

@@ -0,0 +1,119 @@
+/**
+ * @name All cryptographic classifications
+ * @description Reports every cryptographic element classified as quantum-vulnerable, insecure, or secure
+ *              using all predicates in the QuantumCryptoClassification library.
+ * @id java/quantum/examples/demo/all-classifications
+ * @kind problem
+ * @problem.severity warning
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+/**
+ * Gets a short label for logical grouping of each finding category.
+ */
+string categoryLabel(string cat) {
+  cat = "Algorithm" and result = "Algorithm"
+  or
+  cat = "KeyAgreement" and result = "KeyAgreement"
+  or
+  cat = "Curve" and result = "Curve"
+  or
+  cat = "Padding" and result = "Padding"
+  or
+  cat = "Mode" and result = "Mode"
+  or
+  cat = "Hash" and result = "Hash"
+  or
+  cat = "KeySize" and result = "KeySize"
+}
+
+from Crypto::NodeBase node, string category, string classification, string detail
+where
+  // ---- Key-operation algorithms (quantum-vulnerable / insecure / secure) ----
+  exists(Crypto::KeyOperationAlgorithmNode alg |
+    node = alg and
+    category = "Algorithm" and
+    classification = classifyAlgorithmType(alg.getAlgorithmType()) and
+    classification != "other" and
+    detail = alg.getAlgorithmName()
+  )
+  or
+  // ---- Key-agreement algorithms (quantum-vulnerable) ----
+  exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+    node = kaAlg and
+    category = "KeyAgreement" and
+    classification = classifyKeyAgreementType(kaAlg.getKeyAgreementType()) and
+    classification != "other" and
+    detail = kaAlg.getAlgorithmName()
+  )
+  or
+  // ---- Elliptic curves (quantum-vulnerable) ----
+  exists(Crypto::EllipticCurveNode curve |
+    node = curve and
+    category = "Curve" and
+    isQuantumVulnerableCurveType(curve.getEllipticCurveType()) and
+    classification = "quantum-vulnerable" and
+    detail = curve.getAlgorithmName() + " (" + curve.getEllipticCurveType().toString() + ")"
+  )
+  or
+  // ---- Padding (quantum-vulnerable) ----
+  exists(Crypto::PaddingAlgorithmNode pad |
+    node = pad and
+    category = "Padding" and
+    isQuantumVulnerablePaddingType(pad.getPaddingType()) and
+    classification = "quantum-vulnerable" and
+    detail = pad.getPaddingType().toString()
+  )
+  or
+  // ---- Block modes (insecure) ----
+  exists(Crypto::ModeOfOperationAlgorithmNode mode |
+    node = mode and
+    category = "Mode" and
+    isInsecureModeType(mode.getModeType()) and
+    classification = "insecure" and
+    detail = mode.getModeType().toString()
+  )
+  or
+  // ---- Hash algorithms (insecure / secure) ----
+  exists(Crypto::HashAlgorithmNode hash |
+    node = hash and
+    category = "Hash" and
+    (
+      isInsecureHashType(hash.getHashType()) and
+      classification = "insecure" and
+      detail = hash.getHashType().toString()
+      or
+      isSecureHashType(hash.getHashType()) and
+      classification = "secure" and
+      detail =
+        hash.getHashType().toString() +
+          any(string s |
+            if exists(hash.getDigestLength())
+            then s = " (" + hash.getDigestLength().toString() + "-bit)"
+            else s = ""
+          )
+    )
+  )
+  or
+  // ---- Key sizes with quantum-vulnerable algorithms ----
+  exists(Crypto::KeyCreationOperationNode keygen, Crypto::AlgorithmNode alg, int keySize |
+    node = keygen and
+    category = "KeySize" and
+    classification = "quantum-vulnerable" and
+    alg = keygen.getAKnownAlgorithm() and
+    keygen.getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize and
+    (
+      exists(Crypto::KeyOperationAlgorithmNode keyAlg |
+        keyAlg = alg and isQuantumVulnerableAlgorithmType(keyAlg.getAlgorithmType())
+      )
+      or
+      exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+        kaAlg = alg and isQuantumVulnerableKeyAgreementType(kaAlg.getKeyAgreementType())
+      )
+    ) and
+    detail = keySize.toString() + "-bit key for " + alg.getAlgorithmName()
+  )
+select node, "[" + classification + "] " + categoryLabel(category) + ": " + detail

java/ql/src/experimental/quantum/Examples/Demo/InsecureBlockMode.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Insecure block mode
+ * @description Detects use of insecure block cipher modes of operation.
+ * @id java/quantum/examples/demo/insecure-block-mode
+ * @kind problem
+ * @problem.severity error
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::KeyOperationAlgorithmNode alg, Crypto::ModeOfOperationAlgorithmNode mode
+where
+  mode = alg.getModeOfOperation() and
+  isInsecureModeType(mode.getModeType())
+select alg, "Insecure block mode $@ detected.", mode, mode.getModeType().toString()

java/ql/src/experimental/quantum/Examples/Demo/InsecureCipher.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Insecure symmetric cipher
+ * @description Detects use of classically insecure symmetric cipher algorithms.
+ * @id java/quantum/examples/demo/insecure-cipher
+ * @kind problem
+ * @problem.severity error
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::TSymmetricCipherType cipherType
+where
+  alg.getAlgorithmType() = KeyOpAlg::TSymmetricCipher(cipherType) and
+  isInsecureCipherType(cipherType)
+select alg, "Insecure symmetric cipher: " + alg.getAlgorithmName() + "."

java/ql/src/experimental/quantum/Examples/Demo/InsecureHash.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Insecure hash algorithm
+ * @description Detects use of classically insecure hash algorithms.
+ * @id java/quantum/examples/demo/insecure-hash
+ * @kind problem
+ * @problem.severity error
+ * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::HashAlgorithmNode alg
+where isInsecureHashType(alg.getHashType())
+select alg, "Insecure hash algorithm: " + alg.getHashType().toString() + "."

java/ql/src/experimental/quantum/Examples/Demo/InventoryAlgorithms.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Inventory of cryptographic algorithms
+ * @description Lists all detected key operation algorithms with their security classification.
+ * @id java/quantum/examples/demo/inventory-algorithms
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import QuantumCryptoClassification
+
+from Crypto::AlgorithmNode alg, string name, string classification
+where
+  exists(Crypto::KeyOperationAlgorithmNode keyAlg |
+    keyAlg = alg and
+    name = keyAlg.getAlgorithmName() and
+    classification = classifyAlgorithmType(keyAlg.getAlgorithmType())
+  )
+  or
+  exists(Crypto::KeyAgreementAlgorithmNode kaAlg |
+    kaAlg = alg and
+    name = kaAlg.getAlgorithmName() and
+    classification = classifyKeyAgreementType(kaAlg.getKeyAgreementType())
+  )
+select alg, "Algorithm: " + name + " [" + classification + "]."

java/ql/src/experimental/quantum/Examples/Demo/InventoryCurves.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Inventory of elliptic curves
+ * @description Lists all detected elliptic curve algorithms with their family and key size.
+ * @id java/quantum/examples/demo/inventory-curves
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::EllipticCurveNode c, string detail
+where
+  if exists(string ks | c.properties("KeySize", ks, _))
+  then
+    exists(string ks |
+      c.properties("KeySize", ks, _) and
+      detail =
+        "Elliptic curve: " + c.getAlgorithmName() + " (" + c.getEllipticCurveType().toString() +
+          " family, " + ks + "-bit)."
+    )
+  else
+    detail =
+      "Elliptic curve: " + c.getAlgorithmName() + " (" + c.getEllipticCurveType().toString() +
+        " family)."
+select c, detail

java/ql/src/experimental/quantum/Examples/Demo/InventoryHashes.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Inventory of hash algorithms
+ * @description Lists all detected hash algorithms with their digest length.
+ * @id java/quantum/examples/demo/inventory-hashes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode h, string detail
+where
+  if exists(h.getDigestLength())
+  then
+    detail =
+      "Hash algorithm: " + h.getHashType().toString() + " (" + h.getDigestLength().toString() +
+        "-bit digest)."
+  else detail = "Hash algorithm: " + h.getHashType().toString() + "."
+select h, detail

java/ql/src/experimental/quantum/Examples/Demo/InventoryKeySizes.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Inventory of cryptographic key sizes
+ * @description Lists all detected key creation operations with their algorithm and key size.
+ * @id java/quantum/examples/demo/inventory-key-sizes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::KeyCreationOperationNode keygen, Crypto::AlgorithmNode alg, int keySize
+where
+  alg = keygen.getAKnownAlgorithm() and
+  keygen.getAKeySizeSource().asElement().(Literal).getValue().toInt() = keySize
+select keygen,
+  "Key creation with algorithm $@ using " + keySize.toString() + "-bit key.", alg,
+  alg.getAlgorithmName()

java/ql/src/experimental/quantum/Examples/Demo/InventoryModes.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Inventory of block cipher modes
+ * @description Lists all detected modes of operation for block ciphers.
+ * @id java/quantum/examples/demo/inventory-modes
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::ModeOfOperationAlgorithmNode m
+select m, "Mode of operation: " + m.getModeType().toString() + "."

java/ql/src/experimental/quantum/Examples/Demo/InventoryPadding.ql

@@ -0,0 +1,14 @@
+/**
+ * @name Inventory of padding schemes
+ * @description Lists all detected padding scheme algorithms.
+ * @id java/quantum/examples/demo/inventory-padding
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::PaddingAlgorithmNode pad
+select pad, "Padding scheme: " + pad.getPaddingType().toString() + "."