Skip to content

Quantum: Support for BouncyCastle signature algorithms and block cipher modes #19568

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 27 commits into
base: main
Choose a base branch
from
Open

Quantum: Support for BouncyCastle signature algorithms and block cipher modes #19568

wants to merge 27 commits into from

Conversation

fegge
Copy link
Contributor

@fegge fegge commented May 23, 2025

To be reviewed by @nicolaswill.

@fegge fegge requested a review from a team as a code owner May 23, 2025 09:59
@github-actions github-actions bot added the Java label May 23, 2025
@fegge fegge marked this pull request as draft May 23, 2025 10:11
@fegge fegge force-pushed the fegge/bouncycastle branch 2 times, most recently from 8d2ec44 to 5884c71 Compare May 29, 2025 11:21
@fegge fegge marked this pull request as ready for review May 30, 2025 08:36
@fegge fegge requested a review from a team as a code owner May 30, 2025 08:36
@fegge fegge marked this pull request as draft May 30, 2025 08:41
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 2, 2025
View reviewed changes
Copy link

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@nicolaswill nicolaswill marked this pull request as ready for review June 2, 2025 15:05
@nicolaswill nicolaswill requested review from nicolaswill and removed request for a team June 2, 2025 15:06
nicolaswill
nicolaswill requested changes Jun 2, 2025
View reviewed changes
Copy link
Contributor

@nicolaswill nicolaswill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The BouncyCastle stubs need a copy of the license file:
https://github.com/bcgit/bc-java/blob/main/LICENSE.md

Aside from that, please resolve the QL for QL Code Scanning alerts (with the exception of class naming to match camelCase or PascalCase for acronyms... we can do that later).

I have not yet reviewed all of the modeling.

@fegge fegge force-pushed the fegge/bouncycastle branch from a365ff4 to 6c71893 Compare June 3, 2025 14:01
nicolaswill
nicolaswill previously approved these changes Jun 3, 2025
View reviewed changes
Copy link
Contributor

@nicolaswill nicolaswill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

aibaars
aibaars reviewed Jun 3, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 4, 2025
View reviewed changes
aibaars
aibaars reviewed Jun 5, 2025
View reviewed changes
fegge added 10 commits June 12, 2025 13:44
@fegge
Added initial support for BouncyCastle signers
43e5e40
@fegge
Removed unused getIntermediateUse function
c588d11
@fegge
Multiple bug fixes in BouncyCastle signature model
e9c6c33
@fegge
Added support for BouncyCastle key generation algorithms
d8cdd3c 
This commit adds the `KeyGenerationOperationInstance` and
`KeyGenerationAlgorithmInstance` types to the BouncyCastle model.

It also adds data flow support from key pairs to the corresponding
public and private components.
@fegge
Refactored algorithm instances
45416d2 
This commit also adds associated elliptic curves to the key generation
and key nodes.
@fegge
Updated returned key sizes to be integers
9c602f8
@fegge
Added stubs for BouncyCastle EdDSA signature algorithms and key gener…
4aecf8b 
…ators
@fegge
Added unit tests for BouncyCastle EdDSA signatures and key generators
d7f1c70
@fegge
Added support for BouncyCast ECDSA
fca90b3 
This commit adds support for ECDSA. This includes tracking the
instantiated curve parameters using data flow.

It also adds SignatureArtifactInstance and SignatureOperationInstance
types to the shared model.
@fegge
Added signature input nodes to signature verify operation nodes
efd3266
fegge and others added 15 commits June 12, 2025 13:44
@fegge
Updated signature operations test query
b57bf9a
@fegge
Created additional stubs for ECDSA
4a34a5c
@fegge
Added EllipticCurveConsumingAlgorithmInstance to Model.qll
f17bc7e 
This commit adds EllipticCurveConsumingAlgorithmInstance to the shared
model, allowing us to model and graph elliptic curve algorithms.
@fegge
Added documentation for the isConsumedEllipticCurve workaround
0406d5c
@fegge
Added support for EllipticCurveConsumingAlgorithm
8b06c32
@fegge
Added LMS and ML-DSA names to Model.qll
653ef24
@fegge
Updated BouncyCastle tests and corresponding stubs
eb89ee1
@fegge
Added BouncyCastle license file to stubs
b64fdc0
@fegge
Added support for HSS
3840e93
@fegge
Fixed merge conflict resolution issues
1a445b2
@fegge
Fixed QL for QL findings
99b4cb1
@fegge @aibaars
Removed duplicate condition in Model.qll
2eecda3 
Co-authored-by: Arthur Baars <[email protected]>
@fegge
Added support for block cipher modes
192bb7f
@fegge
Fixed argument to block cipher mode method being tagged as input
f97be14
@fegge
Added test cases for Bouncy Castle block cipher modes
7969bdf 
This commit also reorganizes the Bouncy Castle test cases into separate
sub-directories for signature and cipher modes.
@fegge fegge force-pushed the fegge/bouncycastle branch from 6c68be5 to 7969bdf Compare June 12, 2025 11:45
@fegge fegge changed the title Quantum: Initial support for BouncyCastle signature algorithms Quantum: Support for BouncyCastle signature algorithms and block cipher modes Jun 12, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 12, 2025
View reviewed changes
java/ql/lib/experimental/quantum/BouncyCastle/OperationInstances.qll

override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
// The key operation sub-type is determined by the `encrypting` argument to `init()`.
exists(this.getInitCall()) and

Check warning

Code scanning / CodeQL

Superfluous 'exists' conjunct. Warning

This conjunct is superfluous as the existence is implied by
this conjunct
Loading
.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aibaars aibaars aibaars left review comments

@nicolaswill nicolaswill nicolaswill left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@fegge @aibaars @nicolaswill