Fetaure/fix python tests (#129)

* update mac tests

Signed-off-by: Nicklas Körtge <[email protected]>

* update padding tests

Signed-off-by: Nicklas Körtge <[email protected]>

* update cipher tests

Signed-off-by: Nicklas Körtge <[email protected]>

* fix python detection tests

Signed-off-by: Nicklas Körtge <[email protected]>

* fix python tetss

Signed-off-by: Nicklas Körtge <[email protected]>

---------

Signed-off-by: Nicklas Körtge <[email protected]>

python/src/main/java/com/ibm/plugin/rules/detection/mac/PycaMAC.java

@@ -64,12 +64,6 @@ private PycaMAC() {
                     .inBundle(() -> "Pyca")
                     .withoutDependingDetectionRules();
 
-    // Here, the hash is simply detected with a `AlgorithmFactory()`, and then the check of
-    // whether it is an acceptable value is done in the translation. I should probably do it like
-    // this in RSA/DSA/EC. Challenge: they also can use a `Preshashed` containing a hash. In this
-    // case, one should create two duplicate rules (one capturing an immediate hash with
-    // `AlgorithmFactory()`)
-    // and the other a `Prehashed`.
     private static final IDetectionRule<Tree> NEW_POLY1305 =
             new DetectionRuleBuilder<Tree>()
                     .createDetectionRule()

python/src/main/java/com/ibm/plugin/rules/detection/padding/PycaPadding.java

@@ -21,7 +21,6 @@
 
 import com.ibm.engine.model.Size;
 import com.ibm.engine.model.context.CipherContext;
-import com.ibm.engine.model.factory.AlgorithmFactory;
 import com.ibm.engine.model.factory.BlockSizeFactory;
 import com.ibm.engine.model.factory.ValueActionFactory;
 import com.ibm.engine.rule.IDetectionRule;
@@ -57,6 +56,7 @@ private PycaPadding() {
                             .shouldBeDetectedAs(new ValueActionFactory<>(padding))
                             .withMethodParameter("int")
                             .shouldBeDetectedAs(new BlockSizeFactory<>(Size.UnitType.BIT))
+                            .asChildOfParameterWithId(0)
                             .buildForContext(new CipherContext(Map.of("kind", "padding")))
                             .inBundle(() -> "Pyca")
                             .withoutDependingDetectionRules());
@@ -74,7 +74,8 @@ private PycaPadding() {
                                         "cryptography.hazmat.primitives.ciphers.algorithms."
                                                 + cipherAlgorithm
                                                 + ".block_size")
-                                .shouldBeDetectedAs(new AlgorithmFactory<>(cipherAlgorithm))
+                                .shouldBeDetectedAs(new BlockSizeFactory<>(Size.UnitType.BIT))
+                                .asChildOfParameterWithId(0)
                                 .buildForContext(new CipherContext(Map.of("kind", "padding")))
                                 .inBundle(() -> "Pyca")
                                 .withoutDependingDetectionRules());

python/src/main/java/com/ibm/plugin/rules/detection/symmetric/PycaCipher.java

@@ -23,6 +23,7 @@
 import com.ibm.engine.model.context.CipherContext;
 import com.ibm.engine.model.factory.AlgorithmFactory;
 import com.ibm.engine.model.factory.CipherActionFactory;
+import com.ibm.engine.model.factory.ModeFactory;
 import com.ibm.engine.rule.IDetectionRule;
 import com.ibm.engine.rule.builder.DetectionRuleBuilder;
 import com.ibm.plugin.rules.detection.padding.PycaPadding;
@@ -95,10 +96,9 @@ private PycaCipher() {
                     .withMethodParameter("cryptography.hazmat.primitives.ciphers.algorithms.*")
                     .shouldBeDetectedAs(new AlgorithmFactory<>())
                     .addDependingDetectionRules(followingNewCipherRules())
-                    // TODO: If it is written as `algorithms.AES(os.urandom(32))`, we can obtain the
-                    //  key size
                     .withMethodParameter("cryptography.hazmat.primitives.ciphers.modes.*")
-                    .shouldBeDetectedAs(new AlgorithmFactory<>())
+                    .shouldBeDetectedAs(new ModeFactory<>())
+                    .asChildOfParameterWithId(0)
                     .buildForContext(new CipherContext())
                     .inBundle(() -> "Pyca")
                     .withoutDependingDetectionRules();

python/src/main/java/com/ibm/plugin/translation/translator/contexts/PycaCipherContextTranslator.java

@@ -22,6 +22,7 @@
 import com.ibm.engine.model.CipherAction;
 import com.ibm.engine.model.IValue;
 import com.ibm.engine.model.KeySize;
+import com.ibm.engine.model.Mode;
 import com.ibm.engine.model.ValueAction;
 import com.ibm.engine.model.context.DetectionContext;
 import com.ibm.engine.model.context.IDetectionContext;
@@ -32,14 +33,21 @@
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.KeyLength;
 import com.ibm.mapper.model.algorithms.AES;
+import com.ibm.mapper.model.algorithms.AESWrap;
 import com.ibm.mapper.model.functionality.Decrypt;
 import com.ibm.mapper.model.functionality.Encapsulate;
 import com.ibm.mapper.model.functionality.Encrypt;
+import com.ibm.mapper.model.mode.CBC;
 import com.ibm.mapper.model.mode.CCM;
+import com.ibm.mapper.model.mode.CFB;
+import com.ibm.mapper.model.mode.CTR;
+import com.ibm.mapper.model.mode.ECB;
 import com.ibm.mapper.model.mode.GCM;
 import com.ibm.mapper.model.mode.GCMSIV;
 import com.ibm.mapper.model.mode.OCB;
+import com.ibm.mapper.model.mode.OFB;
 import com.ibm.mapper.model.mode.SIV;
+import com.ibm.mapper.model.mode.XTS;
 import com.ibm.mapper.model.padding.ANSIX923;
 import com.ibm.mapper.model.padding.OAEP;
 import com.ibm.mapper.model.padding.PKCS7;
@@ -86,11 +94,37 @@ public final class PycaCipherContextTranslator implements IContextTranslation<Tr
                 case "OAEP" -> Optional.of(new OAEP(detectionLocation));
                 default -> Optional.empty();
             };
-        } else if (value instanceof CipherAction<Tree> cipherAction) {
+        } else if (value instanceof Mode<Tree> mode) {
+            return switch (mode.asString().toUpperCase().trim()) {
+                case "CBC" -> Optional.of(new CBC(detectionLocation));
+                case "CTR" -> Optional.of(new CTR(detectionLocation));
+                case "OFB" -> Optional.of(new OFB(detectionLocation));
+                case "CFB" -> Optional.of(new CFB(detectionLocation));
+                case "CFB8" -> Optional.of(new CFB(8, detectionLocation));
+                case "GCM" -> Optional.of(new GCM(detectionLocation));
+                case "XTS" -> Optional.of(new XTS(detectionLocation));
+                case "ECB" -> Optional.of(new ECB(detectionLocation));
+                default -> Optional.empty();
+            };
+        } else if (value instanceof CipherAction<Tree> cipherAction
+                && detectionContext instanceof DetectionContext context) {
             return switch (cipherAction.getAction()) {
                 case DECRYPT -> Optional.of(new Decrypt(detectionLocation));
                 case ENCRYPT -> Optional.of(new Encrypt(detectionLocation));
-                case WRAP -> Optional.of(new Encapsulate(detectionLocation));
+                case WRAP ->
+                        context.get("algorithm")
+                                .map(
+                                        str ->
+                                                switch (str.toUpperCase().trim()) {
+                                                    case "AES" ->
+                                                            new AESWrap(128, detectionLocation);
+                                                    default -> null;
+                                                })
+                                .map(
+                                        algo -> {
+                                            algo.put(new Encapsulate(detectionLocation));
+                                            return algo;
+                                        });
                 default -> Optional.empty();
             };
         } else if (value instanceof com.ibm.engine.model.BlockSize<Tree> blockSize) {

python/src/main/java/com/ibm/plugin/translation/translator/contexts/PycaMacContextTranslator.java

@@ -20,14 +20,18 @@
 package com.ibm.plugin.translation.translator.contexts;
 
 import com.ibm.engine.model.IValue;
+import com.ibm.engine.model.ValueAction;
 import com.ibm.engine.model.context.DetectionContext;
 import com.ibm.engine.model.context.IDetectionContext;
 import com.ibm.engine.rule.IBundle;
 import com.ibm.mapper.IContextTranslation;
 import com.ibm.mapper.mapper.pyca.PycaCipherMapper;
+import com.ibm.mapper.mapper.pyca.PycaDigestMapper;
 import com.ibm.mapper.model.Cipher;
 import com.ibm.mapper.model.INode;
 import com.ibm.mapper.model.algorithms.CMAC;
+import com.ibm.mapper.model.algorithms.HMAC;
+import com.ibm.mapper.model.algorithms.Poly1305;
 import com.ibm.mapper.utils.DetectionLocation;
 import java.util.Optional;
 import org.jetbrains.annotations.NotNull;
@@ -62,9 +66,19 @@ public final class PycaMacContextTranslator implements IContextTranslation<Tree>
                                             return null;
                                         });
                     }
+                    case "hmac" -> {
+                        final PycaDigestMapper digestMapper = new PycaDigestMapper();
+                        yield digestMapper
+                                .parse(algorithm.asString(), detectionLocation)
+                                .map(HMAC::new);
+                    }
                     default -> Optional.empty();
                 };
             }
+        } else if (value instanceof ValueAction<Tree> action) {
+            if (action.asString().equalsIgnoreCase("poly1305")) {
+                return Optional.of(new HMAC(new Poly1305(detectionLocation)));
+            }
         }
         return Optional.empty();
     }

python/src/main/java/com/ibm/plugin/translation/translator/contexts/PycaPrivateKeyContextTranslator.java

@@ -124,7 +124,6 @@ public final class PycaPrivateKeyContextTranslator implements IContextTranslatio
                                 return privateKey;
                             });
         }
-
         return Optional.empty();
     }
 

python/src/test/files/rules/detection/mac/CryptographyPoly1305TestFile.py → python/src/test/files/rules/detection/mac/PycaPoly1305TestFile.py

@@ -2,7 +2,7 @@
 
 def generate_poly1305(key, data):
     # Create a Poly1305 context with the given key
-    poly1305_ctx = Poly1305(key) # Noncompliant {{MAC}}
+    poly1305_ctx = Poly1305(key) # Noncompliant {{Poly1305}}
 
     # Update the context with the data
     poly1305_ctx.update(data)

python/src/test/files/rules/detection/padding/CryptographyPaddingTestFile.py → python/src/test/files/rules/detection/padding/PycaPaddingTestFile.py

@@ -5,7 +5,7 @@
 key = os.urandom(32)
 iv = os.urandom(16)
 # Create a cipher object
-cipher = Cipher(algorithms.CAST5(key), modes.CFB(iv)) # Noncompliant {{CAST5}} {{CFB}}
+cipher = Cipher(algorithms.CAST5(key), modes.CFB(iv)) # Noncompliant {{CAST5}}
 
 padder = padding.ANSIX923(128).padder()
 padded_data = padder.update(b"a secret message")

python/src/test/files/rules/detection/symmetric/CryptographyCipher1TestFile.py → python/src/test/files/rules/detection/symmetric/PycaCipher1TestFile.py

@@ -5,7 +5,7 @@
 key = os.urandom(32)
 iv = os.urandom(16)
 # Create a cipher object
-cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) # Noncompliant {{AES}} {{CBC}}
+cipher = Cipher(algorithms.AES(key), modes.CBC(iv)) # Noncompliant {{AES}}
 
 # Specify padding (PKCS7 in this case)
 padder = PKCS7(algorithms.AES.block_size).padder()

python/src/test/files/rules/detection/symmetric/CryptographyCipher2TestFile.py → python/src/test/files/rules/detection/symmetric/PycaCipher2TestFile.py

@@ -5,7 +5,7 @@
 key = os.urandom(32)
 iv = os.urandom(16)
 # Create a cipher object
-cipher = Cipher(algorithms.Camellia(key), modes.OFB(iv)) # Noncompliant {{Camellia}} {{OFB}}
+cipher = Cipher(algorithms.Camellia(key), modes.OFB(iv)) # Noncompliant {{Camellia}}
 
 # Encrypt
 encryptor = cipher.encryptor()