1 /* Copyright 2018 Google LLC 2 * 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * https://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 // Copyright 2007 Google Inc. All Rights Reserved 16 17 package com.google.security.annotations; 18 19 import java.lang.annotation.ElementType; 20 import java.lang.annotation.Retention; 21 import java.lang.annotation.RetentionPolicy; 22 import java.lang.annotation.Target; 23 24 /** 25 * Crypto Key Annotation: Label any cryptographic keys in code with this 26 * annotation. This will help identify cryptographic keys that are exposed in 27 * source code. Keys in source code should be annotated with an owner, purpose, 28 * removal priority, and leak severity. 29 * 30 * Example of usage: 31 * @CryptoAnnotation( 32 * purpose = CryptoAnnotation.Purpose.AUTHENTICATION, 33 * owner = "sweis", 34 * bugId = 7041243, 35 * leakSeverity = CryptoAnnotation.LeakSeverity.S2, 36 * removalPriority = CryptoAnnotation.RemovalPriority.P1, 37 * description = "This key is used to sign blah blah blah." 38 * removalDate = "9/2007 39 * ) 40 * byte[] keyBytes = {0xDE, 0xAD, 0xBE, 0xEF}; 41 * 42 * @author sweis@google.com (Steve Weis) 43 */ 44 @Retention(RetentionPolicy.SOURCE) 45 @Target({ElementType.FIELD, ElementType.LOCAL_VARIABLE}) 46 public @interface CryptoAnnotation { 47 /* 48 * Keys with "encryption" and "authentication" purposes should be removed 49 * from source code. 50 * 51 * Keys with "obfuscation" and "integrity check" purposes do not necessarily 52 * need to be cryptographically strong. They may or may not be removed from 53 * code at the discretion of the code owner. 54 */ 55 public enum Purpose {ENCRYPTION, AUTHENTICATION, OBFUSCATION, 56 INTEGRITY_CHECK, PASSWORD, OTHER} 57 public enum LeakSeverity {S0, S1, S2, S3, S4, NoRisk} 58 public enum RemovalPriority {P0, P1, P2, P3, P4, WillNotFix} 59 leakSeverity()60 LeakSeverity leakSeverity(); removalPriority()61 RemovalPriority removalPriority(); bugId()62 int bugId() default 0; owner()63 String owner(); // Will be contacted in the event a key is leaked purpose()64 Purpose purpose(); description()65 String description() default ""; removalDate()66 String removalDate() default ""; 67 } 68 69