go.lang.security.audit.crypto.use_of_weak_rsa_key.use-of-weak-rsa-key

Author: semgrep
Download count: 9,135

RSA keys should be at least 2048 bits


Definition

rules:
  - id: use-of-weak-rsa-key
    message: RSA keys should be at least 2048 bits
    languages:
      - go
    severity: WARNING
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/securego/gosec/blob/master/rules/rsa.go
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
      category: security
      technology:
        - go
      confidence: HIGH
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    patterns:
      - pattern-either:
          - pattern: |
              rsa.GenerateKey(..., $BITS)
          - pattern: |
              rsa.GenerateMultiPrimeKey(..., $BITS)
      - metavariable-comparison:
          metavariable: $BITS
          comparison: $BITS < 2048
      - focus-metavariable:
          - $BITS
    fix: |
      2048

Examples

use_of_weak_rsa_key.go

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

func main() {
	// Generate a private key that is too short: 1024-bit RSA is below the
	// 2048-bit floor the rule enforces.
	// ruleid: use-of-weak-rsa-key
	pvk, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println(pvk)

	// 2048 bits satisfies the rule. Reassign with "=" rather than ":=" so the
	// file compiles (":=" would redeclare pvk and err in the same scope).
	// ok: use-of-weak-rsa-key
	pvk, err = rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Println(err)
	}
	fmt.Println(pvk)
}
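The rule above fires only when the size argument to rsa.GenerateKey or rsa.GenerateMultiPrimeKey is an integer literal that metavariable-comparison can evaluate. A size read from a variable or configuration value, or a key parsed from a PEM file at runtime, is invisible to it, and the Go standard library itself (from Go 1.24) only refuses keys below 1024 bits, so a 1024-bit key still passes the library check. The following program, added here as an example and not part of the Semgrep rule or its test file, pairs the static rule with a runtime size check: every RSA key is measured by its modulus bit length before use. The names MinRSABits, CheckRSAKeySize, ParseAndCheckRSAPrivateKeyPEM and GenerateRSAPEM are this example's own, and the 1024-bit key is generated deliberately to show the rejection path.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinRSABits is the floor the Semgrep rule enforces on literal arguments.
const MinRSABits = 2048

// ErrWeakRSAKey is returned when a modulus is shorter than the required size.
var ErrWeakRSAKey = errors.New("rsa key shorter than required size")

// CheckRSAKeySize enforces the size floor on any RSA public key, whether it
// was generated in-process or parsed at runtime. It is the dynamic
// counterpart of the static rule, which only sees integer literals.
func CheckRSAKeySize(pub *rsa.PublicKey, minBits int) error {
	if pub == nil || pub.N == nil {
		return errors.New("nil rsa public key")
	}
	if got := pub.N.BitLen(); got < minBits {
		return fmt.Errorf("%w: got %d bits, need at least %d", ErrWeakRSAKey, got, minBits)
	}
	return nil
}

// ParseAndCheckRSAPrivateKeyPEM decodes a PKCS#1 ("RSA PRIVATE KEY") or
// PKCS#8 ("PRIVATE KEY") PEM block and rejects the key if it is too short.
func ParseAndCheckRSAPrivateKeyPEM(pemBytes []byte, minBits int) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	var key *rsa.PrivateKey
	switch block.Type {
	case "RSA PRIVATE KEY":
		k, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		key = k
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("PKCS#8 key is %T, not RSA", k)
		}
		key = rk
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
	if err := CheckRSAKeySize(&key.PublicKey, minBits); err != nil {
		return nil, err
	}
	return key, nil
}

// GenerateRSAPEM generates a key of the requested size and returns it as
// PKCS#1 PEM. The size is a variable here, so the Semgrep rule cannot judge
// it; callers must rely on the runtime check instead.
func GenerateRSAPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(key),
	}), nil
}

func main() {
	// 1024 bits is deliberately weak, to show the rejection path.
	for _, bits := range []int{1024, 2048} {
		pemBytes, err := GenerateRSAPEM(bits)
		if err != nil {
			fmt.Println("generate:", err)
			continue
		}
		_, err = ParseAndCheckRSAPrivateKeyPEM(pemBytes, MinRSABits)
		fmt.Printf("%d-bit key: %v\n", bits, err)
	}
}
```

Keep the runtime floor and the rule's literal 2048 in step: if a policy raises one, raise the other, and treat an ErrWeakRSAKey at key-load time as a deployment failure rather than a logged warning.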