From e3a3a43170b59f2259f3b5d8c6ca8c5f339d0679 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 13 Feb 2025 14:25:30 +0100
Subject: [PATCH] Create rule S4426: Cryptographic keys should be robust (#4659)

* Add go to rule S4426
* Add description for S4426 for Go
---------
Co-authored-by: daniel-teuchert-sonarsource
Co-authored-by: Daniel Teuchert
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
---
 rules/S4426/common/fix/fix.adoc | 2 +-
 rules/S4426/go/metadata.json | 2 +
 rules/S4426/go/rule.adoc | 135 ++++++++++++++++++++++++++++++++
 3 files changed, 138 insertions(+), 1 deletion(-)
 create mode 100644 rules/S4426/go/metadata.json
 create mode 100644 rules/S4426/go/rule.adoc

diff --git a/rules/S4426/common/fix/fix.adoc b/rules/S4426/common/fix/fix.adoc
index d543b421839..7f45a3864e3 100644
--- a/rules/S4426/common/fix/fix.adoc
+++ b/rules/S4426/common/fix/fix.adoc
@@ -9,7 +9,7 @@ The security of these algorithms depends on the difficulty of attacks
 attempting to solve their underlying mathematical problem.
 
 In general, a minimum key size of *2048* bits is recommended for both. It
-provides 112 bits of security. A key length of *3072* or *4092* should be
+provides 112 bits of security. A key length of *3072* or *4096* should be
 preferred when possible.
 
 ==== AES (Advanced Encryption Standard)
diff --git a/rules/S4426/go/metadata.json b/rules/S4426/go/metadata.json
new file mode 100644
index 00000000000..7a73a41bfdf
--- /dev/null
+++ b/rules/S4426/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}
\ No newline at end of file
diff --git a/rules/S4426/go/rule.adoc b/rules/S4426/go/rule.adoc
new file mode 100644
index 00000000000..c5d5daa7f32
--- /dev/null
+++ b/rules/S4426/go/rule.adoc
@@ -0,0 +1,135 @@
+
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+== How to fix it
+
+=== Code examples
+
+include::../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+include::../common/fix/rsa.adoc[]
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import (
+ "crypto/rand"
+ "crypto/rsa"
+)
+
+func generateRsaKey() rsa.PrivateKey {
+ privateKey, _ := rsa.GenerateKey(rand.Reader, 1024) // Noncompliant
+ return *privateKey
+}
+----
+
+include::../common/fix/dsa.adoc[]
+
+[source,go,diff-id=2,diff-type=noncompliant]
+----
+import (
+ "crypto/dsa"
+ "crypto/rand"
+)
+
+func generateDsaKey() dsa.PrivateKey {
+ var parameters dsa.Parameters
+ dsa.GenerateParameters(¶meters, rand.Reader, dsa.L1024N160) // Noncompliant
+ var privateKey dsa.PrivateKey
+ privateKey.Parameters = parameters
+ dsa.GenerateKey(&privateKey, rand.Reader)
+ return privateKey
+}
+----
+
+==== Compliant solution
+
+include::../common/fix/rsa.adoc[]
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import (
+ "crypto/rand"
+ "crypto/rsa"
+)
+
+func generateRsaKey() rsa.PrivateKey {
+ privateKey, _ := rsa.GenerateKey(rand.Reader, 4096)
+ return *privateKey
+}
+----
+
+include::../common/fix/dsa.adoc[]
+
+[source,go,diff-id=2,diff-type=compliant]
+----
+import (
+ "crypto/dsa"
+ "crypto/rand"
+)
+
+func generateDsaKey() dsa.PrivateKey {
+ var parameters dsa.Parameters
+ dsa.GenerateParameters(¶meters, rand.Reader, dsa.L3072N256)
+ var privateKey dsa.PrivateKey
+ privateKey.Parameters = parameters
+ dsa.GenerateKey(&privateKey, rand.Reader)
+ return privateKey
+}
+----
+
+
+=== How does this work?
+
+As a rule of thumb, use the cryptographic algorithms and mechanisms that are
+considered strong by the cryptography community.
+
+==== RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)
+
+The security of these algorithms depends on the difficulty of attacks
+attempting to solve their underlying mathematical problem.
+
+In general, a minimum key size of *2048* bits is recommended for both. It
+provides 112 bits of security. A key length of *3072* or *4096* should be
+preferred when possible.
+
+=== Going the extra mile
+
+include::../common/extra-mile/pre-quantum.adoc[]
+
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/presentations.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]
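Review bot: The compliant RSA example `privateKey, _ := rsa.GenerateKey(rand.Reader, 4096)` discards the error and then dereferences `privateKey`, so a failing random source becomes a nil-pointer panic instead of a reported error; the compliant DSA example likewise ignores the results of `dsa.GenerateParameters` and `dsa.GenerateKey`. Since readers copy the compliant form as the recommended pattern, these snippets should propagate the error, e.g. `privateKey, err := rsa.GenerateKey(rand.Reader, 4096)` followed by `if err != nil { return nil, err }` with the function returning `(*rsa.PrivateKey, error)`. The compliant DSA example also presents `crypto/dsa` as acceptable although that package is marked deprecated in the Go standard library (staticcheck SA1019 reports its use), so a sentence pointing readers to `crypto/ed25519` or `crypto/ecdsa` as the modern replacement would keep the rule from endorsing a legacy API. Separately, `&parameters` is rendered as `¶meters` on this page, which looks like an HTML-entity artefact of extraction rather than of the patch; worth confirming the committed file reads `&parameters`.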