sonar-cryptography icon indicating copy to clipboard operation
sonar-cryptography copied to clipboard
Published 1 month ago verified publisher icon cbomkit

Precise capture of parameter sets in BouncyCastle

Open hugoqnc opened this issue 1 year ago • 0 comments

Some BouncyCastle rules do not capture all available information, in particular static fields defining the parameter sets of certain algorithms. This would for example distinguish the use of kyber512, kyber768 or kyber1024. Capturing this information is not very difficult but it is a long task given how many classes are used for this in BouncyCastle.

Encapsulated Secrets

Check BcEncapsulatedSecretExtractor and BcEncapsulatedSecretGenerator: for most KEM classes, we only capture them withAnyParameters(). This should be changed to capture the precise content of each constructor. Most of them have for argument a class of AsymmetricKeyParameter (46 different classes to detect). These classes do not contain the information directly, instead they usually have a CipherParameters argument. Some of them are already supported, but for these KEM classes, we need support for the classes in the subinterface KEMParameters (9 classes to detect).

Digests

We have a similar scenario with BcDigests, where we could be more precise for some constructor if we add detection rules for additional parameter classes. For example for Ascon, we should add support for AsconParameters.

hugoqnc avatar Sep 19 '24 09:09 hugoqnc