kotlin.lang.security.weak-rsa.use-of-weak-rsa-key
semgrepAuthor
unknown
Download Count*
License
RSA keys should be at least 2048 bits based on NIST recommendation.
Run Locally
Run in CI
Defintion
rules:
- id: use-of-weak-rsa-key
message: RSA keys should be at least 2048 bits based on NIST recommendation.
languages:
- kt
severity: WARNING
metadata:
cwe:
- "CWE-326: Inadequate Encryption Strength"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://find-sec-bugs.github.io/bugs.htm#RSA_KEY_SIZE
asvs:
section: V6 Stored Cryptography Verification Requirements
control_id: 6.2.5 Insecure Algorithm
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
version: "4"
references:
- https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms
category: security
technology:
- kotlin
subcategory:
- audit
likelihood: HIGH
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
patterns:
- pattern-either:
- pattern: |
$KEY = $G.getInstance("RSA")
...
$KEY.initialize($BITS)
- metavariable-comparison:
metavariable: $BITS
comparison: $BITS < 2048
Examples
weak-rsa.kt
import java.security.KeyPairGenerator
public class WeakRSA {
fun rsaWeak(): Void {
// ruleid: use-of-weak-rsa-key
val keyGen: KeyPairGenerator = KeyPairGenerator.getInstance("RSA")
keyGen.initialize(512)
}
fun rsaOK(): Void {
// ok: use-of-weak-rsa-key
val keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
}
}
Short Link: https://sg.run/krq7