Add model and sample query for constants used in key specs

Author: knewbury01

java/ql/lib/experimental/Quantum/JCA.qll

@@ -532,4 +532,31 @@ module JCAModel {
       this.getMethod().getParameterType(2).hasName("AlgorithmParameterSpec")
     }
   }
+
+  /**
+   * Key Material Concept
+   * any class that implements `java.security.spec.KeySpec`
+   */
+  class KeyMaterialObject extends Class {
+    KeyMaterialObject() {
+      exists(RefType t |
+        this.extendsOrImplements*(t) and
+        t.hasQualifiedName("java.security.spec", "KeySpec")
+      )
+    }
+  }
+
+  /**
+   * KeyMaterial
+   * ie some plain material that gets used to generate a Key
+   */
+  class KeyMaterialInstantiation extends Crypto::KeyMaterialInstance instanceof ClassInstanceExpr {
+    KeyMaterialInstantiation() {
+      this.(ClassInstanceExpr).getConstructedType() instanceof KeyMaterialObject
+    }
+
+    override DataFlow::Node asOutputData() { result.asExpr() = this }
+
+    override DataFlow::Node getInput() { result.asExpr() = this.(ClassInstanceExpr).getArgument(0) }
+  }
 }

java/ql/src/experimental/Quantum/ConstantPassword.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Constant password
+ * @description Using constant passwords is not secure, because potential attackers can easily recover them from the source code.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 6.8
+ * @precision high
+ * @id java/constant-password-new-model
+ * @tags security
+ *       external/cwe/cwe-259
+ */
+
+//this query is a replica of the concept in: https://github.com/github/codeql/blob/main/swift/ql/src/queries/Security/CWE-259/ConstantPassword.ql
+//but uses the **NEW MODELLING**
+import experimental.Quantum.Language
+import semmle.code.java.dataflow.TaintTracking
+
+/**
+ * A constant password is created through either a byte array or string literals.
+ */
+class ConstantPasswordSource extends Expr {
+  ConstantPasswordSource() {
+    this instanceof CharacterLiteral or
+    this instanceof StringLiteral
+  }
+}
+
+module ConstantToKeyDerivationFlow implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof ConstantPasswordSource }
+
+  predicate isSink(DataFlow::Node sink) { any(Crypto::KeyMaterialInstance i).getInput() = sink }
+}
+
+module ConstantToKeyDerivationFlowInit = TaintTracking::Global<ConstantToKeyDerivationFlow>;
+
+from DataFlow::Node source, DataFlow::Node sink
+where ConstantToKeyDerivationFlowInit::flow(source, sink)
+select sink, "Constant password $@ is used.", source, source.toString()

shared/cryptography/codeql/cryptography/Model.qll

@@ -118,6 +118,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
 
   abstract class DigestArtifactInstance extends ArtifactLocatableElement { }
 
+  abstract class KeyMaterialInstance extends ArtifactLocatableElement { }
+
   abstract class KeyArtifactInstance extends ArtifactLocatableElement { }
 
   abstract class NonceArtifactInstance extends ArtifactLocatableElement { }
@@ -130,6 +132,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     // Artifacts (data that is not an operation or algorithm, e.g., a key)
     TDigest(DigestArtifactInstance e) or
     TKey(KeyArtifactInstance e) or
+    TKeyMaterial(KeyMaterialInstance e) or
     TNonce(NonceArtifactInstance e) or
     TRandomNumberGeneration(RandomNumberGenerationInstance e) or
     // Operations (e.g., hashing, encryption)
@@ -1000,4 +1003,23 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
   abstract class KEMAlgorithm extends TKeyEncapsulationAlgorithm, Algorithm {
     final override string getAlgorithmType() { result = "KeyEncapsulationAlgorithm" }
   }
+
+  /**
+   * A Key Material Object
+   */
+  private class KeyMaterialImpl extends Artifact, TKeyMaterial {
+    KeyMaterialInstance instance;
+
+    KeyMaterialImpl() { this = TKeyMaterial(instance) }
+
+    final override string getInternalType() { result = "KeyMaterial" }
+
+    override Location getLocation() { result = instance.getLocation() }
+
+    override DataFlowNode asOutputData() { result = instance.asOutputData() }
+
+    override DataFlowNode getInputData() { result = instance.getInput() }
+  }
+
+  final class KeyMaterial = KeyMaterialImpl;
 }