Add check for weak elliptic curve keys

This expanded check looks for EC keys that are less than 160 bits
(high severity) or 224 bits (medium severity).

Change-Id: If67997e2ceab3dde29c2d0b6ab6370945fce2979

bandit/plugins/weak_cryptographic_key.py

@@ -20,6 +20,7 @@ def _classify_key_size(key_type, key_size):
     key_sizes = {
         'DSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
         'RSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
+        'EC': [(160, bandit.HIGH), (224, bandit.MEDIUM)],
     }
 
     for size, level in key_sizes[key_type]:
@@ -37,17 +38,29 @@ def _weak_crypto_key_size_cryptography_io(context):
         'generate_private_key': 'DSA',
         'cryptography.hazmat.primitives.asymmetric.rsa.'
         'generate_private_key': 'RSA',
+        'cryptography.hazmat.primitives.asymmetric.ec.'
+        'generate_private_key': 'EC',
     }
     arg_position = {
         'DSA': 0,
         'RSA': 1,
+        'EC': 0,
     }
     key_type = func_key_type.get(context.call_function_name_qual)
-    if key_type:
+    if key_type in ['DSA', 'RSA']:
         key_size = (context.get_call_arg_value('key_size') or
                     context.get_call_arg_at_position(arg_position[key_type]) or
                     2048)
         return _classify_key_size(key_type, key_size)
+    elif key_type == 'EC':
+        curve_key_sizes = {
+            'SECP192R1': 192,
+            'SECT163K1': 163,
+            'SECT163R2': 163,
+        }
+        curve = context.call_args[arg_position[key_type]]
+        key_size = curve_key_sizes[curve] if curve in curve_key_sizes else 224
+        return _classify_key_size(key_type, key_size)
 
 
 def _weak_crypto_key_size_pycrypto(context):

examples/weak_cryptographic_key_sizes.py

@@ -1,5 +1,6 @@
 from cryptography.hazmat import backends
 from cryptography.hazmat.primitives.asymmetric import dsa
+from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric import rsa
 from Crypto.PublicKey import DSA
 from Crypto.PublicKey import RSA
@@ -17,6 +18,8 @@ RSA.generate(bits=2048)
 # Also correct: without keyword args
 dsa.generate_private_key(4096,
                          backends.default_backend())
+ec.generate_private_key(ec.SECP256K1,
+                        backends.default_backend())
 rsa.generate_private_key(3,
                          4096,
                          backends.default_backend())
@@ -35,6 +38,8 @@ RSA.generate(bits=1024)
 # Also incorrect: without keyword args
 dsa.generate_private_key(512,
                          backends.default_backend())
+ec.generate_private_key(ec.SECT163R2,
+                        backends.default_backend())
 rsa.generate_private_key(3,
                          512,
                          backends.default_backend())

tests/functional/test_functional.py

@@ -434,8 +434,8 @@ class FunctionalTests(testtools.TestCase):
     def test_weak_cryptographic_key(self):
         '''Test for weak key sizes.'''
         expect = {
-            'SEVERITY': {'MEDIUM': 4, 'HIGH': 4},
-            'CONFIDENCE': {'HIGH': 8}
+            'SEVERITY': {'MEDIUM': 5, 'HIGH': 4},
+            'CONFIDENCE': {'HIGH': 9}
         }
         self.check_example('weak_cryptographic_key_sizes.py', expect)