quantum-c#: add support for RSAPKC1Signature formatters

Author: fcasal

csharp/ql/lib/experimental/quantum/dotnet/Cryptography.qll

@@ -62,8 +62,12 @@ class RsaType extends CryptographyType {
   RsaType() { this.hasName("RSA") }
 }
 
+class RsaPkcs1Type extends CryptographyType {
+  RsaPkcs1Type() { this.getName().matches("RSAPKCS1Signature%") }
+}
+
 class EcdsaCreateCall extends CryptographyCreateCall {
-  EcdsaCreateCall() { this.getQualifier().getType().hasName("ECDsa") }
+  EcdsaCreateCall() { this.getQualifier().getType() instanceof EcdsaType }
 }
 
 // This class is used to model the `ECDsa.Create(ECParameters)` call
@@ -305,9 +309,11 @@ class EcdsaSignerQualifier extends SignerQualifier instanceof Expr {
 }
 
 class RsaSignerQualifier extends SignerQualifier instanceof Expr {
-  RsaSignerQualifier() { super.getType() instanceof RsaType }
+  RsaSignerQualifier() {
+    super.getType() instanceof RsaType or super.getType() instanceof RsaPkcs1Type
+  }
 
-  override string getRawAlgorithmName() { result = "RSA" }
+  override string getRawAlgorithmName() { result = super.getType().getName() }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
     result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::OtherSignatureAlgorithmType())

csharp/ql/lib/experimental/quantum/dotnet/FlowAnalysis.qll

@@ -64,8 +64,6 @@ module HashAlgorithmNameToUseConfig implements DataFlow::ConfigSig {
 
 module HashAlgorithmNameToUse = DataFlow::Global<HashAlgorithmNameToUseConfig>;
 
-module SigningCreateToUseFlow = CreationToUseFlow<SigningCreateCall, SignerUse>;
-
 module HashCreateToUseFlow = CreationToUseFlow<HashAlgorithmCreateCall, HashUse>;
 
 module CryptoStreamFlow = CreationToUseFlow<CryptoStreamCreation, CryptoStreamUse>;
@@ -254,3 +252,40 @@ class PropertyWriteFlowStep extends AdditionalFlowInputStep {
 
   override DataFlow::Node getOutput() { result.asExpr() = assignment.getLValue() }
 }
+
+module SigningCreateToUseFlow {
+  private module SigningCreateToUseFlow implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SigningCreateCall }
+
+    predicate isSink(DataFlow::Node sink) {
+      sink.asExpr() = any(SignerUse use).(QualifiableExpr).getQualifier()
+    }
+
+    /**
+     * An additional flow step across new object creations that use the original objects.
+     *
+     * Example:
+     * ```
+     * RSA rsa = RSA.Create()
+     * RSAPKCS1SignatureFormatter rsaFormatter = new(rsa);
+     * rsaFormatter.SetHashAlgorithm(nameof(SHA256));
+     * signedHash = rsaFormatter.CreateSignature(hash);
+     * ```
+     */
+    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+      exists(ObjectCreation create |
+        node2.asExpr() = create and node1.asExpr() = create.getAnArgument()
+      )
+    }
+  }
+
+  private module CreationToUseFlow = DataFlow::Global<SigningCreateToUseFlow>;
+
+  SigningCreateCall getCreationFromUse(
+    SignerUse use, CreationToUseFlow::PathNode source, CreationToUseFlow::PathNode sink
+  ) {
+    source.getNode().asExpr() = result and
+    sink.getNode().asExpr() = use.(QualifiableExpr).getQualifier() and
+    CreationToUseFlow::flowPath(source, sink)
+  }
+}

csharp/ql/test/experimental/library-tests/quantum/dotnet/signatures/SignatureExample.cs

@@ -25,7 +25,6 @@ private static void DemonstrateECDSAExample(string message)
             Console.WriteLine("=== ECDSA Example ===");
 
             // Create ECDSA instance with P-256 curve
-            var nistP256 = ECCurve.NamedCurves.nistP256;
             using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
 
             // Message to sign

csharp/ql/test/experimental/library-tests/quantum/dotnet/signatures/sign_operations.expected

@@ -1,15 +1,15 @@
-| SignatureExample.cs:37:29:37:82 | SignOperation | SignatureExample.cs:37:44:37:55 | Message |
-| SignatureExample.cs:42:27:42:93 | VerifyOperation | SignatureExample.cs:42:44:42:55 | Message |
-| SignatureExample.cs:52:35:52:104 | VerifyOperation | SignatureExample.cs:52:52:52:66 | Message |
-| SignatureExample.cs:58:32:58:91 | SignOperation | SignatureExample.cs:58:50:58:64 | Message |
-| SignatureExample.cs:61:30:61:105 | VerifyOperation | SignatureExample.cs:61:50:61:64 | Message |
-| SignatureExample.cs:67:39:67:105 | SignOperation | SignatureExample.cs:67:64:67:78 | Message |
-| SignatureExample.cs:68:37:68:126 | VerifyOperation | SignatureExample.cs:68:64:68:78 | Message |
-| SignatureExample.cs:78:26:78:96 | SignOperation | SignatureExample.cs:78:39:78:42 | Message |
-| SignatureExample.cs:79:28:79:105 | VerifyOperation | SignatureExample.cs:79:43:79:46 | Message |
-| SignatureExample.cs:85:36:85:116 | SignOperation | SignatureExample.cs:85:59:85:62 | Message |
-| SignatureExample.cs:86:38:86:135 | VerifyOperation | SignatureExample.cs:86:63:86:66 | Message |
-| SignatureExample.cs:91:37:91:118 | SignOperation | SignatureExample.cs:91:61:91:64 | Message |
-| SignatureExample.cs:92:39:92:138 | VerifyOperation | SignatureExample.cs:92:65:92:68 | Message |
-| SignatureExample.cs:116:30:116:63 | SignOperation | SignatureExample.cs:116:59:116:62 | Message |
-| SignatureExample.cs:127:21:127:68 | VerifyOperation | SignatureExample.cs:127:52:127:55 | Message |
+| SignatureExample.cs:36:29:36:82 | SignOperation | SignatureExample.cs:36:44:36:55 | Message |
+| SignatureExample.cs:41:27:41:93 | VerifyOperation | SignatureExample.cs:41:44:41:55 | Message |
+| SignatureExample.cs:51:35:51:104 | VerifyOperation | SignatureExample.cs:51:52:51:66 | Message |
+| SignatureExample.cs:57:32:57:91 | SignOperation | SignatureExample.cs:57:50:57:64 | Message |
+| SignatureExample.cs:60:30:60:105 | VerifyOperation | SignatureExample.cs:60:50:60:64 | Message |
+| SignatureExample.cs:66:39:66:105 | SignOperation | SignatureExample.cs:66:64:66:78 | Message |
+| SignatureExample.cs:67:37:67:126 | VerifyOperation | SignatureExample.cs:67:64:67:78 | Message |
+| SignatureExample.cs:77:26:77:96 | SignOperation | SignatureExample.cs:77:39:77:42 | Message |
+| SignatureExample.cs:78:28:78:105 | VerifyOperation | SignatureExample.cs:78:43:78:46 | Message |
+| SignatureExample.cs:84:36:84:116 | SignOperation | SignatureExample.cs:84:59:84:62 | Message |
+| SignatureExample.cs:85:38:85:135 | VerifyOperation | SignatureExample.cs:85:63:85:66 | Message |
+| SignatureExample.cs:90:37:90:118 | SignOperation | SignatureExample.cs:90:61:90:64 | Message |
+| SignatureExample.cs:91:39:91:138 | VerifyOperation | SignatureExample.cs:91:65:91:68 | Message |
+| SignatureExample.cs:115:30:115:63 | SignOperation | SignatureExample.cs:115:59:115:62 | Message |
+| SignatureExample.cs:126:21:126:68 | VerifyOperation | SignatureExample.cs:126:52:126:55 | Message |

csharp/ql/test/experimental/library-tests/quantum/dotnet/signatures/sign_operations_algorithm.expected

@@ -1,13 +1,15 @@
-| SignatureExample.cs:37:29:37:82 | SignOperation | ECDSA | ECDsa |
-| SignatureExample.cs:42:27:42:93 | VerifyOperation | ECDSA | ECDsa |
-| SignatureExample.cs:52:35:52:104 | VerifyOperation | ECDSA | ECDsa |
-| SignatureExample.cs:58:32:58:91 | SignOperation | ECDSA | ECDsa |
-| SignatureExample.cs:61:30:61:105 | VerifyOperation | ECDSA | ECDsa |
-| SignatureExample.cs:67:39:67:105 | SignOperation | ECDSA | ECDsa |
-| SignatureExample.cs:68:37:68:126 | VerifyOperation | ECDSA | ECDsa |
-| SignatureExample.cs:78:26:78:96 | SignOperation | UnknownSignature | RSA |
-| SignatureExample.cs:79:28:79:105 | VerifyOperation | UnknownSignature | RSA |
-| SignatureExample.cs:85:36:85:116 | SignOperation | UnknownSignature | RSA |
-| SignatureExample.cs:86:38:86:135 | VerifyOperation | UnknownSignature | RSA |
-| SignatureExample.cs:91:37:91:118 | SignOperation | UnknownSignature | RSA |
-| SignatureExample.cs:92:39:92:138 | VerifyOperation | UnknownSignature | RSA |
+| SignatureExample.cs:36:29:36:82 | SignOperation | ECDSA | ECDsa |
+| SignatureExample.cs:41:27:41:93 | VerifyOperation | ECDSA | ECDsa |
+| SignatureExample.cs:51:35:51:104 | VerifyOperation | ECDSA | ECDsa |
+| SignatureExample.cs:57:32:57:91 | SignOperation | ECDSA | ECDsa |
+| SignatureExample.cs:60:30:60:105 | VerifyOperation | ECDSA | ECDsa |
+| SignatureExample.cs:66:39:66:105 | SignOperation | ECDSA | ECDsa |
+| SignatureExample.cs:67:37:67:126 | VerifyOperation | ECDSA | ECDsa |
+| SignatureExample.cs:77:26:77:96 | SignOperation | UnknownSignature | RSA |
+| SignatureExample.cs:78:28:78:105 | VerifyOperation | UnknownSignature | RSA |
+| SignatureExample.cs:84:36:84:116 | SignOperation | UnknownSignature | RSA |
+| SignatureExample.cs:85:38:85:135 | VerifyOperation | UnknownSignature | RSA |
+| SignatureExample.cs:90:37:90:118 | SignOperation | UnknownSignature | RSA |
+| SignatureExample.cs:91:39:91:138 | VerifyOperation | UnknownSignature | RSA |
+| SignatureExample.cs:115:30:115:63 | SignOperation | UnknownSignature | RSAPKCS1SignatureFormatter |
+| SignatureExample.cs:126:21:126:68 | VerifyOperation | UnknownSignature | RSAPKCS1SignatureDeformatter |

csharp/ql/test/experimental/library-tests/quantum/dotnet/signatures/sign_operations_keys.expected

@@ -1,13 +1,15 @@
-| SignatureExample.cs:37:29:37:82 | SignOperation | SignatureExample.cs:29:31:29:72 | Key |
-| SignatureExample.cs:42:27:42:93 | VerifyOperation | SignatureExample.cs:29:31:29:72 | Key |
-| SignatureExample.cs:52:35:52:104 | VerifyOperation | SignatureExample.cs:29:31:29:72 | Key |
-| SignatureExample.cs:58:32:58:91 | SignOperation | SignatureExample.cs:56:34:56:47 | Key |
-| SignatureExample.cs:61:30:61:105 | VerifyOperation | SignatureExample.cs:56:34:56:47 | Key |
-| SignatureExample.cs:67:39:67:105 | SignOperation | SignatureExample.cs:66:48:66:57 | Key |
-| SignatureExample.cs:68:37:68:126 | VerifyOperation | SignatureExample.cs:66:48:66:57 | Key |
-| SignatureExample.cs:78:26:78:96 | SignOperation | SignatureExample.cs:76:29:76:40 | Key |
-| SignatureExample.cs:79:28:79:105 | VerifyOperation | SignatureExample.cs:76:29:76:40 | Key |
-| SignatureExample.cs:85:36:85:116 | SignOperation | SignatureExample.cs:84:50:84:59 | Key |
-| SignatureExample.cs:86:38:86:135 | VerifyOperation | SignatureExample.cs:84:50:84:59 | Key |
-| SignatureExample.cs:91:37:91:118 | SignOperation | SignatureExample.cs:90:40:90:55 | Key |
-| SignatureExample.cs:92:39:92:138 | VerifyOperation | SignatureExample.cs:90:40:90:55 | Key |
+| SignatureExample.cs:36:29:36:82 | SignOperation | SignatureExample.cs:28:31:28:72 | Key |
+| SignatureExample.cs:41:27:41:93 | VerifyOperation | SignatureExample.cs:28:31:28:72 | Key |
+| SignatureExample.cs:51:35:51:104 | VerifyOperation | SignatureExample.cs:28:31:28:72 | Key |
+| SignatureExample.cs:57:32:57:91 | SignOperation | SignatureExample.cs:55:34:55:47 | Key |
+| SignatureExample.cs:60:30:60:105 | VerifyOperation | SignatureExample.cs:55:34:55:47 | Key |
+| SignatureExample.cs:66:39:66:105 | SignOperation | SignatureExample.cs:65:48:65:57 | Key |
+| SignatureExample.cs:67:37:67:126 | VerifyOperation | SignatureExample.cs:65:48:65:57 | Key |
+| SignatureExample.cs:77:26:77:96 | SignOperation | SignatureExample.cs:75:29:75:40 | Key |
+| SignatureExample.cs:78:28:78:105 | VerifyOperation | SignatureExample.cs:75:29:75:40 | Key |
+| SignatureExample.cs:84:36:84:116 | SignOperation | SignatureExample.cs:83:50:83:59 | Key |
+| SignatureExample.cs:85:38:85:135 | VerifyOperation | SignatureExample.cs:83:50:83:59 | Key |
+| SignatureExample.cs:90:37:90:118 | SignOperation | SignatureExample.cs:89:40:89:55 | Key |
+| SignatureExample.cs:91:39:91:138 | VerifyOperation | SignatureExample.cs:89:40:89:55 | Key |
+| SignatureExample.cs:115:30:115:63 | SignOperation | SignatureExample.cs:108:30:108:41 | Key |
+| SignatureExample.cs:126:21:126:68 | VerifyOperation | SignatureExample.cs:119:30:119:41 | Key |

csharp/ql/test/experimental/library-tests/quantum/dotnet/signatures/sign_operations_signatures.expected

@@ -1,8 +1,8 @@
-| SignatureExample.cs:42:27:42:93 | VerifyOperation | SignatureExample.cs:42:44:42:55 | Message | SignatureExample.cs:42:58:42:66 | SignatureInput |
-| SignatureExample.cs:52:35:52:104 | VerifyOperation | SignatureExample.cs:52:52:52:66 | Message | SignatureExample.cs:52:69:52:77 | SignatureInput |
-| SignatureExample.cs:61:30:61:105 | VerifyOperation | SignatureExample.cs:61:50:61:64 | Message | SignatureExample.cs:61:67:61:78 | SignatureInput |
-| SignatureExample.cs:68:37:68:126 | VerifyOperation | SignatureExample.cs:68:64:68:78 | Message | SignatureExample.cs:68:81:68:99 | SignatureInput |
-| SignatureExample.cs:79:28:79:105 | VerifyOperation | SignatureExample.cs:79:43:79:46 | Message | SignatureExample.cs:79:49:79:51 | SignatureInput |
-| SignatureExample.cs:86:38:86:135 | VerifyOperation | SignatureExample.cs:86:63:86:66 | Message | SignatureExample.cs:86:69:86:81 | SignatureInput |
-| SignatureExample.cs:92:39:92:138 | VerifyOperation | SignatureExample.cs:92:65:92:68 | Message | SignatureExample.cs:92:71:92:84 | SignatureInput |
-| SignatureExample.cs:127:21:127:68 | VerifyOperation | SignatureExample.cs:127:52:127:55 | Message | SignatureExample.cs:127:58:127:67 | SignatureInput |
+| SignatureExample.cs:41:27:41:93 | VerifyOperation | SignatureExample.cs:41:44:41:55 | Message | SignatureExample.cs:41:58:41:66 | SignatureInput |
+| SignatureExample.cs:51:35:51:104 | VerifyOperation | SignatureExample.cs:51:52:51:66 | Message | SignatureExample.cs:51:69:51:77 | SignatureInput |
+| SignatureExample.cs:60:30:60:105 | VerifyOperation | SignatureExample.cs:60:50:60:64 | Message | SignatureExample.cs:60:67:60:78 | SignatureInput |
+| SignatureExample.cs:67:37:67:126 | VerifyOperation | SignatureExample.cs:67:64:67:78 | Message | SignatureExample.cs:67:81:67:99 | SignatureInput |
+| SignatureExample.cs:78:28:78:105 | VerifyOperation | SignatureExample.cs:78:43:78:46 | Message | SignatureExample.cs:78:49:78:51 | SignatureInput |
+| SignatureExample.cs:85:38:85:135 | VerifyOperation | SignatureExample.cs:85:63:85:66 | Message | SignatureExample.cs:85:69:85:81 | SignatureInput |
+| SignatureExample.cs:91:39:91:138 | VerifyOperation | SignatureExample.cs:91:65:91:68 | Message | SignatureExample.cs:91:71:91:84 | SignatureInput |
+| SignatureExample.cs:126:21:126:68 | VerifyOperation | SignatureExample.cs:126:52:126:55 | Message | SignatureExample.cs:126:58:126:67 | SignatureInput |