SonarPython / SONARPY-359

Rule S4426: Cryptographic keys generations should be based on strong parameters

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.15
    • Component/s: Rules
    • Labels: None

      Description

      Rule summary

      Recommended parameter strength

      • DSA and RSA key size: 2048 bits or above
      • ECC key size: 224 bits or above
      • RSA public key exponent: 2^16 = 65537 or above

      Noncompliant

      cryptography

      from cryptography.hazmat.backends import default_backend
      from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

      backend = default_backend()

      # key_size = DSA key size
      dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant

      # key_size = RSA key size
      # public_exponent = RSA public key exponent
      rsa.generate_private_key(public_exponent=65537, key_size=1024, backend=backend) # Noncompliant; Use a key length of at least 2048 bits
      rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant; Use a public key exponent of at least 65537
      rsa.generate_private_key(public_exponent=999, key_size=1024, backend=backend) # Noncompliant; Use a key length of at least 2048 bits. Use a public key exponent of at least 65537

      # curve = ECC predefined curve
      # Forbidden values for the curve parameter: SECP192R1, SECT163K1, SECT163R2
      private_key_ec = ec.generate_private_key(curve=ec.SECT163R2, backend=backend)  # Noncompliant; Use a key length of at least 224 bits
      

      PyCrypto

      import Crypto
      from Crypto.PublicKey import DSA, RSA
      
      # bits = DSA key size
      DSA.generate(bits=1024) # Noncompliant; Use a key length of at least 2048 bits
      
      # bits = RSA key size
      # e = RSA public key exponent
      RSA.generate(bits=1024, e=65537) # Noncompliant; Use a key length of at least 2048 bits
      RSA.generate(bits=2048, e=999) # Noncompliant; Use a public key exponent of at least 65537
      RSA.generate(bits=1024, e=999) # Noncompliant; Use a key length of at least 2048 bits. Use a public key exponent of at least 65537
      

      Cryptodome

      import Cryptodome
      from Cryptodome.PublicKey import DSA, RSA
      
      # bits = DSA key size
      DSA.generate(bits=1024) # Noncompliant; Use a key length of at least 2048 bits
      
      # bits = RSA key size
      # e = RSA public key exponent
      RSA.generate(bits=1024, e=65537) # Noncompliant; Use a key length of at least 2048 bits
      RSA.generate(bits=2048, e=999) # Noncompliant; Use a public key exponent of at least 65537
      RSA.generate(bits=1024, e=999) # Noncompliant; Use a key length of at least 2048 bits. Use a public key exponent of at least 65537
      
      # ECC: All available curves are compliant on this library
      

      Compliant

      cryptography

      from cryptography.hazmat.backends import default_backend
      from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

      backend = default_backend()

      dsa.generate_private_key(key_size=2048, backend=backend) # Compliant

      rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant

      ec.generate_private_key(curve=ec.SECT409R1, backend=backend) # Compliant
      

      PyCrypto

      import Crypto
      from Crypto.PublicKey import DSA, RSA
      
      DSA.generate(bits=2048) # Compliant
      
      RSA.generate(bits=2048, e=65537) # Compliant
      

      Cryptodome

      import Cryptodome
      from Cryptodome.PublicKey import DSA, RSA
      
      DSA.generate(bits=2048) # Compliant
      
      RSA.generate(bits=2048, e=65537) # Compliant
      

      Additional test cases: https://github.com/SonarSource/security-expected-issues/tree/master/python/rules/vulnerabilities/RSPEC-4426%20Cryptographic%20keys%20generations%20should%20be%20based%20on%20strong%20parameters
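      As an added illustration of how the thresholds in the rule summary can be applied to the three APIs listed above, here is a small AST-based checker. It is not part of this ticket and not SonarPython's implementation; the function names (find_weak_key_generation and its helpers), the GENERATORS table and the SAMPLE source are my own constructions. It assumes the parameters are passed as keyword arguments with literal values, and it infers an elliptic-curve size from the digits in the curve class name (SECT163R2 gives 163), which holds for the predefined curve classes in cryptography's ec module.

```python
import ast
import re

# Thresholds from the rule summary above
MIN_KEY_BITS = 2048        # DSA and RSA key size
MIN_ECC_BITS = 224
MIN_RSA_EXPONENT = 65537   # 2^16 + 1

# Callee -> (key-size keyword, public-exponent keyword, curve keyword).
# Lower-case modules are cryptography; upper-case ones are PyCrypto/Cryptodome.
GENERATORS = {
    "dsa.generate_private_key": ("key_size", None, None),
    "rsa.generate_private_key": ("key_size", "public_exponent", None),
    "ec.generate_private_key": (None, None, "curve"),
    "DSA.generate": ("bits", None, None),
    "RSA.generate": ("bits", "e", None),
}


def _dotted_name(node):
    """Turn an attribute chain such as ec.SECT163R2 into 'ec.SECT163R2'; None otherwise."""
    if isinstance(node, ast.Call):          # ec.SECT163R2() instantiates the curve
        node = node.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _int_literal(node):
    """Return the integer value of a literal argument, or None if it is not a literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int) \
            and not isinstance(node.value, bool):
        return node.value
    return None


def _curve_bits(node):
    """Infer the curve size from the digits in its class name (SECT163R2 -> 163).

    Assumption: every predefined curve name embeds its size in bits, which holds
    for the curve classes in cryptography.hazmat.primitives.asymmetric.ec.
    """
    name = _dotted_name(node)
    if name is None:
        return None
    match = re.search(r"\d+", name.rsplit(".", 1)[-1])
    return int(match.group()) if match else None


def find_weak_key_generation(source):
    """Return (line, callee, message) for each key-generation call violating the rule.

    Only keyword arguments with literal values are inspected; anything else is
    left to a human reviewer rather than guessed at.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted_name(node.func)
        spec = GENERATORS.get(callee)
        if spec is None:
            continue
        size_kw, exp_kw, curve_kw = spec
        kwargs = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        messages = []
        if size_kw in kwargs:
            bits = _int_literal(kwargs[size_kw])
            if bits is not None and bits < MIN_KEY_BITS:
                messages.append(f"Use a key length of at least {MIN_KEY_BITS} bits")
        if exp_kw in kwargs:
            exponent = _int_literal(kwargs[exp_kw])
            if exponent is not None and exponent < MIN_RSA_EXPONENT:
                messages.append(f"Use a public key exponent of at least {MIN_RSA_EXPONENT}")
        if curve_kw in kwargs:
            bits = _curve_bits(kwargs[curve_kw])
            if bits is not None and bits < MIN_ECC_BITS:
                messages.append(f"Use a key length of at least {MIN_ECC_BITS} bits")
        if messages:
            findings.append((node.lineno, callee, ". ".join(messages)))
    return sorted(findings)


# Constructed sample input (not a real project file); lines 3, 4, 5 and 8 violate the rule.
SAMPLE = """\
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
from Crypto.PublicKey import DSA, RSA
dsa.generate_private_key(key_size=1024, backend=backend)
rsa.generate_private_key(public_exponent=999, key_size=1024, backend=backend)
ec.generate_private_key(curve=ec.SECT163R2, backend=backend)
ec.generate_private_key(curve=ec.SECP256R1, backend=backend)
RSA.generate(bits=2048, e=65537)
DSA.generate(bits=1024)
"""

if __name__ == "__main__":
    for line, callee, message in find_weak_key_generation(SAMPLE):
        print(f"line {line}: {callee}: {message}")
```

      Positional arguments and non-literal values (a key size read from configuration, for example) are deliberately not reported, so a clean run is not proof of compliance; the checker is meant to catch the literal weak values shown in the noncompliant examples above.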

    People

    • Assignee: Andrea Guarino (andrea.guarino)
    • Reporter: Pierre-Loup Tristant (pierre-loup.tristant)