Skip to main content

Post quantum cryptography

io.moderne.cryptography.PostQuantumCryptography

This recipe searches for instances in code that may be impacted by post quantum cryptography. Applications may need to support larger key sizes, different algorithms, or use crypto agility to handle the migration. The recipe includes detection of hardcoded values that affect behavior in a post-quantum world, programmatic configuration that may prevent algorithm changes, and general cryptographic usage patterns that should be reviewed.

Recipe source

GitHub, Issue Tracker, Maven Central

info

This recipe is composed of more than one recipe. If you want to customize the set of recipes this is composed of, you can find and copy the GitHub source for the recipe from the link above.

This recipe is available under the Apache License Version 2.0.

Definition

Examples

Example 1
Before
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Provider;

public class CryptoExample {
private static final String ALGORITHM = "AES";
private static final String PROTOCOL = "TLSv1.2";
private static final int KEY_SIZE = 2048;

public void configureCrypto() throws Exception {
// Hardcoded algorithm
KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM);
keyGen.init(128);

// Hardcoded key length
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(KEY_SIZE);

// Hardcoded protocol
SSLContext ctx = SSLContext.getInstance(PROTOCOL);

// Hardcoded provider
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");

// Programmatic provider editing
Provider provider = Security.getProvider("SunJCE");
Security.removeProvider("SunJCE");
Security.insertProviderAt(provider, 1);

// SSL configuration
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
socket.setEnabledProtocols(new String[]{PROTOCOL});
}
}
After
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Provider;

public class CryptoExample {
private static final String ALGORITHM = "AES";
private static final String PROTOCOL = "TLSv1.2";
private static final int KEY_SIZE = 2048;

public void configureCrypto() throws Exception {
// Hardcoded algorithm
KeyGenerator keyGen = /*~~(ALGORITHM use)~~>*/KeyGenerator.getInstance(ALGORITHM);
/*~~(KEY_SIZE use)~~>*/keyGen.init(128);

// Hardcoded key length
KeyPairGenerator kpg = /*~~(ALGORITHM use)~~>*/KeyPairGenerator.getInstance("RSA");
/*~~(KEY_SIZE use)~~>*/kpg.initialize(KEY_SIZE);

// Hardcoded protocol
SSLContext ctx = /*~~(PROTOCOL use)~~>*/SSLContext.getInstance(PROTOCOL);

// Hardcoded provider
Cipher cipher = /*~~(ALGORITHM use)~~>*/Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");

// Programmatic provider editing
Provider provider = Security.getProvider("SunJCE");
/*~~(PROVIDER_NAME use)~~>*/Security.removeProvider("SunJCE");
Security.insertProviderAt(provider, 1);

// SSL configuration
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
/*~~(PROTOCOL use)~~>*/socket.setEnabledProtocols(new String[]{PROTOCOL});
}
}

Example 2
Before
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Provider;

public class CryptoExample {
private static final String ALGORITHM = "AES";
private static final String PROTOCOL = "TLSv1.2";
private static final int KEY_SIZE = 2048;

public void configureCrypto() throws Exception {
// Hardcoded algorithm
KeyGenerator keyGen = KeyGenerator.getInstance(ALGORITHM);
keyGen.init(128);

// Hardcoded key length
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(KEY_SIZE);

// Hardcoded protocol
SSLContext ctx = SSLContext.getInstance(PROTOCOL);

// Hardcoded provider
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");

// Programmatic provider editing
Provider provider = Security.getProvider("SunJCE");
Security.removeProvider("SunJCE");
Security.insertProviderAt(provider, 1);

// SSL configuration
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
socket.setEnabledProtocols(new String[]{PROTOCOL});
}
}
After
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Provider;

public class CryptoExample {
private static final String ALGORITHM = "AES";
private static final String PROTOCOL = "TLSv1.2";
private static final int KEY_SIZE = 2048;

public void configureCrypto() throws Exception {
// Hardcoded algorithm
KeyGenerator keyGen = /*~~(ALGORITHM use)~~>*/KeyGenerator.getInstance(ALGORITHM);
/*~~(KEY_SIZE use)~~>*/keyGen.init(128);

// Hardcoded key length
KeyPairGenerator kpg = /*~~(ALGORITHM use)~~>*/KeyPairGenerator.getInstance("RSA");
/*~~(KEY_SIZE use)~~>*/kpg.initialize(KEY_SIZE);

// Hardcoded protocol
SSLContext ctx = /*~~(PROTOCOL use)~~>*/SSLContext.getInstance(PROTOCOL);

// Hardcoded provider
Cipher cipher = /*~~(ALGORITHM use)~~>*/Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");

// Programmatic provider editing
Provider provider = Security.getProvider("SunJCE");
/*~~(PROVIDER_NAME use)~~>*/Security.removeProvider("SunJCE");
Security.insertProviderAt(provider, 1);

// SSL configuration
SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
/*~~(PROTOCOL use)~~>*/socket.setEnabledProtocols(new String[]{PROTOCOL});
}
}

Usage

This recipe has no required configuration options. It can be activated by adding a dependency on io.moderne.recipe:rewrite-cryptography in your build file or by running a shell command (in which case no build changes are needed):

  1. Add the following to your build.gradle file:
build.gradle
plugins {
id("org.openrewrite.rewrite") version("latest.release")
}

rewrite {
activeRecipe("io.moderne.cryptography.PostQuantumCryptography")
setExportDatatables(true)
}

repositories {
mavenCentral()
}

dependencies {
rewrite("io.moderne.recipe:rewrite-cryptography:0.9.0")
}
  1. Run gradle rewriteRun to run the recipe.

See how this recipe works across multiple open-source repositories

Run this recipe on OSS repos at scale with the Moderne SaaS.

The community edition of the Moderne platform enables you to easily run recipes across thousands of open-source repositories.

Please contact Moderne for more information about safely running the recipes on your own codebase in a private SaaS.

Data Tables

Taint flow

org.openrewrite.analysis.java.taint.table.TaintFlowTable

Records taint flows from sources to sinks with their taint types.

Column NameDescription
Source fileThe source file that the method call occurred in.
Source lineThe line number where the taint source is located.
SourceThe source code where taint originates.
Sink lineThe line number where the taint sink is located.
SinkThe sink code where taint flows to.
Taint typeThe taint type that matched at the sink.