go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key

Download count: 9,135
RSA keys should be at least 2048 bits
Definition
rules:
  - id: use-of-weak-rsa-key
    message: RSA keys should be at least 2048 bits
    languages:
      - go
    severity: WARNING
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/securego/gosec/blob/master/rules/rsa.go
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
      category: security
      technology:
        - go
      confidence: HIGH
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      - pattern-either:
          - pattern: |
              rsa.GenerateKey(..., $BITS)
          - pattern: |
              rsa.GenerateMultiPrimeKey(..., $BITS)
      - metavariable-comparison:
          metavariable: $BITS
          comparison: $BITS < 2048
Examples
use_of_weak_rsa_key.go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

func main() {
	// Generate a private key with a 1024-bit modulus: below the 2048-bit floor, so the rule fires.
	// ruleid: use-of-weak-rsa-key
	pvk, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println(pvk)

	// A 2048-bit modulus meets the minimum, so the rule does not fire.
	// pvk and err already exist, so this is a plain assignment, not a redeclaration with :=.
	// ok: use-of-weak-rsa-key
	pvk, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println(pvk)
}
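The rule above matches only when $BITS is something Semgrep can compare against 2048, typically a literal at the call site; a size that arrives from configuration at runtime is invisible to it, and a key generated years ago by another tool is never seen at all. The following is an added example, not code from the Semgrep registry or gosec, showing how to complement the static check with a runtime guard: one wrapper that is the sole call site of rsa.GenerateKey and refuses small sizes, plus a check on the modulus length of keys loaded from elsewhere. MinRSABits, ErrWeakRSAKey, GenerateRSAKey and CheckRSAKeyStrength are this example's own names.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// MinRSABits is the runtime floor. It mirrors the rule's 2048 threshold
// (the constant name is this example's own, not a Go or gosec identifier).
const MinRSABits = 2048

// ErrWeakRSAKey is returned whenever a modulus shorter than MinRSABits is seen.
var ErrWeakRSAKey = errors.New("rsa key size below minimum of 2048 bits")

// GenerateRSAKey is meant to be the only call site of rsa.GenerateKey in a
// code base, so the static rule has one place to audit and the size check
// runs even when bits comes from configuration rather than a literal.
func GenerateRSAKey(bits int) (*rsa.PrivateKey, error) {
	if bits < MinRSABits {
		return nil, fmt.Errorf("%w: requested %d bits", ErrWeakRSAKey, bits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// CheckRSAKeyStrength validates a key that arrived from outside (PEM file,
// HSM, certificate): the static rule only sees generation sites, so a weak
// key produced earlier by another tool would otherwise pass unnoticed.
func CheckRSAKeyStrength(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return errors.New("rsa public key is nil")
	}
	if n := pub.N.BitLen(); n < MinRSABits {
		return fmt.Errorf("%w: modulus is %d bits", ErrWeakRSAKey, n)
	}
	return nil
}

func main() {
	// Assumption: keyBits stands in for a value read from config at runtime,
	// which metavariable-comparison cannot evaluate; the guard still applies.
	for _, keyBits := range []int{1024, 2048} {
		key, err := GenerateRSAKey(keyBits)
		if err != nil {
			fmt.Printf("%d bits: rejected (%v)\n", keyBits, err)
			continue
		}
		fmt.Printf("%d bits: accepted, modulus check: %v\n",
			keyBits, CheckRSAKeyStrength(&key.PublicKey))
	}
}
```

Routing every generation through GenerateRSAKey also makes the Semgrep rule sharper: a direct rsa.GenerateKey call anywhere else is itself a finding to investigate, regardless of the size argument.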
Short Link: https://sg.run/9oY4