java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key
semgrep
Author
9,135
Download Count*
License
RSA keys should be at least 2048 bits based on NIST recommendation.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-weak-rsa-key
message: RSA keys should be at least 2048 bits based on NIST recommendation.
languages:
- java
severity: WARNING
metadata:
functional-categories:
- crypto::search::key-length::java.security
cwe:
- "CWE-326: Inadequate Encryption Strength"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.5 Insecure Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
category: security
technology:
- java
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
patterns:
- pattern: |
KeyPairGenerator $KEY = $G.getInstance("RSA");
...
$KEY.initialize($BITS);
- metavariable-comparison:
metavariable: $BITS
comparison: $BITS < 2048
Examples
weak-rsa.java
import java.security.KeyPairGenerator;
public class WeakRSA {
static void rsaWeak() {
// ruleid: use-of-weak-rsa-key
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(512);
}
static void rsaOK() {
// ok: use-of-weak-rsa-key
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
}
}
Short Link: https://sg.run/4x6x