python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size
Author: semgrep
Download count: 6,591
License: Commons Clause License Condition v1.0[LGPL-2.1-only]
Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.
Definition
rules:
  - id: insufficient-rsa-key-size
    patterns:
      - pattern-either:
          - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key(..., key_size=$SIZE, ...)
          - pattern: cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key($EXP, $SIZE, ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 2048
      - focus-metavariable: $SIZE
    fix: |
      2048
    message: Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
      references:
        - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
      category: security
      technology:
        - cryptography
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      functional-categories:
        - crypto::search::key-length::cryptography
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING
Examples
insufficient-rsa-key-size.py
import os
from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import rsa

# Keyword form, 2048-bit key: meets the NIST minimum, not flagged.
rsa.generate_private_key(public_exponent=65537,
                         # ok: insufficient-rsa-key-size
                         key_size=2048,
                         backend=backends.default_backend())

# Positional form, 2048-bit key: matched by the second pattern, not flagged.
rsa.generate_private_key(65537,
                         # ok: insufficient-rsa-key-size
                         2048,
                         backends.default_backend())

# Non-literal key size: the rule can only compare integer literals,
# so a value read at runtime is not reported.
rsa.generate_private_key(public_exponent=65537,
                         # ok: insufficient-rsa-key-size
                         key_size=os.getenv("KEY_SIZE"),
                         backend=backends.default_backend())

rsa.generate_private_key(65537,
                         # ok: insufficient-rsa-key-size
                         2048,
                         backends.default_backend())

# Keyword form, 1024-bit key: below 2048, flagged (autofix replaces 1024 with 2048).
rsa.generate_private_key(public_exponent=65537,
                         # ruleid: insufficient-rsa-key-size
                         key_size=1024,
                         backend=backends.default_backend())

# Positional form, 1024-bit key: below 2048, flagged.
rsa.generate_private_key(65537,
                         # ruleid: insufficient-rsa-key-size
                         1024,
                         backends.default_backend())
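To show what the rule's two patterns and its metavariable-comparison actually match, here is an added example (not Semgrep's or the cryptography project's code) that reproduces the same check with Python's ast module: it finds generate_private_key calls, takes key_size from the keyword or from the second positional argument, and reports it only when it is an integer literal below 2048, so a runtime value such as os.getenv(...) is skipped just as the rule skips it. The sample source it scans is constructed for this example.

```python
import ast

MIN_RSA_BITS = 2048  # threshold from the rule's metavariable-comparison ($SIZE < 2048)

# Constructed sample input, modelled on the rule's test file (not the project's code).
SAMPLE = '''
import os
from cryptography.hazmat.primitives.asymmetric import rsa
rsa.generate_private_key(public_exponent=65537, key_size=2048)
rsa.generate_private_key(65537, 1024)
rsa.generate_private_key(public_exponent=65537, key_size=os.getenv("KEY_SIZE"))
rsa.generate_private_key(65537, key_size=512)
'''


def _is_generate_private_key(call: ast.Call) -> bool:
    """Match <anything>.generate_private_key(...) by the attribute name."""
    return isinstance(call.func, ast.Attribute) and call.func.attr == "generate_private_key"


def _key_size_arg(call: ast.Call):
    """Mirror the rule's two patterns: key_size=$SIZE, else ($EXP, $SIZE, ...)."""
    for kw in call.keywords:
        if kw.arg == "key_size":
            return kw.value
    if len(call.args) >= 2:
        return call.args[1]
    return None


def find_weak_rsa_keys(source: str):
    """Return (line, key_size) for every literal key_size below MIN_RSA_BITS.

    As with the Semgrep rule, only integer literals are compared; a dynamic
    value (a call, a variable, an env lookup) cannot be evaluated statically
    and is therefore not reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_generate_private_key(node)):
            continue
        size = _key_size_arg(node)
        if isinstance(size, ast.Constant) and isinstance(size.value, int) \
                and size.value < MIN_RSA_BITS:
            findings.append((node.lineno, size.value))
    return findings


if __name__ == "__main__":
    for line, bits in find_weak_rsa_keys(SAMPLE):
        print(f"line {line}: RSA key_size={bits} is below {MIN_RSA_BITS}")
```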
Short Link: https://sg.run/RoQq