Add check for weak elliptic curve keys
This expanded check flags EC keys whose curve is shorter than 160 bits (high severity) or shorter than 224 bits (medium severity). Change-Id: If67997e2ceab3dde29c2d0b6ab6370945fce2979
parent
aa66e18d95
commit
8ae58916dc
@ -20,6 +20,7 @@ def _classify_key_size(key_type, key_size):
|
|||
key_sizes = {
|
||||
'DSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
|
||||
'RSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
|
||||
'EC': [(160, bandit.HIGH), (224, bandit.MEDIUM)],
|
||||
}
|
||||
|
||||
for size, level in key_sizes[key_type]:
|
||||
|
@ -37,17 +38,29 @@ def _weak_crypto_key_size_cryptography_io(context):
|
|||
'generate_private_key': 'DSA',
|
||||
'cryptography.hazmat.primitives.asymmetric.rsa.'
|
||||
'generate_private_key': 'RSA',
|
||||
'cryptography.hazmat.primitives.asymmetric.ec.'
|
||||
'generate_private_key': 'EC',
|
||||
}
|
||||
arg_position = {
|
||||
'DSA': 0,
|
||||
'RSA': 1,
|
||||
'EC': 0,
|
||||
}
|
||||
key_type = func_key_type.get(context.call_function_name_qual)
|
||||
if key_type:
|
||||
if key_type in ['DSA', 'RSA']:
|
||||
key_size = (context.get_call_arg_value('key_size') or
|
||||
context.get_call_arg_at_position(arg_position[key_type]) or
|
||||
2048)
|
||||
return _classify_key_size(key_type, key_size)
|
||||
elif key_type == 'EC':
|
||||
curve_key_sizes = {
|
||||
'SECP192R1': 192,
|
||||
'SECT163K1': 163,
|
||||
'SECT163R2': 163,
|
||||
}
|
||||
curve = context.call_args[arg_position[key_type]]
|
||||
key_size = curve_key_sizes[curve] if curve in curve_key_sizes else 224
|
||||
return _classify_key_size(key_type, key_size)
|
||||
|
||||
|
||||
def _weak_crypto_key_size_pycrypto(context):
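Review bot: The EC branch reads the curve with `curve = context.call_args[arg_position[key_type]]`, which raises IndexError on a keyword-only call such as `ec.generate_private_key(curve=ec.SECT163R2, backend=...)` — the form the cryptography documentation uses — so a keyword call aborts the scan instead of being classified, while the DSA/RSA branch just above tolerates both forms via `get_call_arg_value(...) or get_call_arg_at_position(...)`. I would mirror that pattern: `curve = (context.get_call_arg_value('curve') or context.get_call_arg_at_position(arg_position[key_type]))`, assuming `get_call_arg_at_position` yields the same string form that the `curve in curve_key_sizes` lookup currently matches on. Note also that `curve_key_sizes` contains no curve below 160 bits, so the new `(160, bandit.HIGH)` threshold cannot fire from this table as written; a short comment on the 224 default, e.g. `# unknown curve names are treated as >= 224 bits to avoid false positives`, would make that deliberate choice visible. The enclosing `_weak_crypto_key_size_cryptography_io` starts before this hunk.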
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
from cryptography.hazmat import backends
|
||||
from cryptography.hazmat.primitives.asymmetric import dsa
|
||||
from cryptography.hazmat.primitives.asymmetric import ec
|
||||
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||
from Crypto.PublicKey import DSA
|
||||
from Crypto.PublicKey import RSA
|
||||
|
@ -17,6 +18,8 @@ RSA.generate(bits=2048)
|
|||
# Also correct: without keyword args
|
||||
dsa.generate_private_key(4096,
|
||||
backends.default_backend())
|
||||
ec.generate_private_key(ec.SECP256K1,
|
||||
backends.default_backend())
|
||||
rsa.generate_private_key(3,
|
||||
4096,
|
||||
backends.default_backend())
|
||||
|
@ -35,6 +38,8 @@ RSA.generate(bits=1024)
|
|||
# Also incorrect: without keyword args
|
||||
dsa.generate_private_key(512,
|
||||
backends.default_backend())
|
||||
ec.generate_private_key(ec.SECT163R2,
|
||||
backends.default_backend())
|
||||
rsa.generate_private_key(3,
|
||||
512,
|
||||
backends.default_backend())
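Review bot: Both new EC examples pass the curve positionally, so the plugin's positional curve lookup is the only code path these fixtures exercise; the keyword form `ec.generate_private_key(curve=ec.SECT163R2, backend=backends.default_backend())`, which is how the cryptography documentation spells this call, is not covered in either the correct or the incorrect block. Adding one keyword-form call to each block would catch a regression in keyword handling without changing what the existing lines test. A one-line comment above the EC calls, `# EC strength is set by the curve, not a key_size argument`, would explain why these lines differ from the neighbouring DSA/RSA examples.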
|
||||
|
|
|
@ -434,8 +434,8 @@ class FunctionalTests(testtools.TestCase):
|
|||
def test_weak_cryptographic_key(self):
|
||||
'''Test for weak key sizes.'''
|
||||
expect = {
|
||||
'SEVERITY': {'MEDIUM': 4, 'HIGH': 4},
|
||||
'CONFIDENCE': {'HIGH': 8}
|
||||
'SEVERITY': {'MEDIUM': 5, 'HIGH': 4},
|
||||
'CONFIDENCE': {'HIGH': 9}
|
||||
}
|
||||
self.check_example('weak_cryptographic_key_sizes.py', expect)
|
||||
|
||||
|
|