Create rule S4426: Cryptographic keys should be robust (#4659)

* Add go to rule S4426 * Add description for S4426 for Go --------- Co-authored-by: daniel-teuchert-sonarsource <[email protected]> Co-authored-by: Daniel Teuchert <[email protected]> Co-authored-by: daniel-teuchert-sonarsource <[email protected]>
SonarSource · Feb 13, 2025 · e3a3a43 · e3a3a43
1 parent 2619fbc
commit e3a3a43
Show file tree

Hide file tree

Showing 3 changed files with 138 additions and 1 deletion.
diff --git a/rules/S4426/common/fix/fix.adoc b/rules/S4426/common/fix/fix.adoc
@@ -9,7 +9,7 @@ The security of these algorithms depends on the difficulty of attacks
 attempting to solve their underlying mathematical problem.
 
 In general, a minimum key size of *2048* bits is recommended for both.  It
-provides 112 bits of security. A key length of *3072* or *4092* should be
+provides 112 bits of security. A key length of *3072* or *4096* should be
 preferred when possible.
 
 ==== AES (Advanced Encryption Standard)

diff --git a/rules/S4426/go/metadata.json b/rules/S4426/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S4426/go/rule.adoc b/rules/S4426/go/rule.adoc
@@ -0,0 +1,135 @@
+
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+== How to fix it
+
+=== Code examples
+
+include::../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+include::../common/fix/rsa.adoc[]
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import (
+    "crypto/rand"
+    "crypto/rsa"
+)
+
+func generateRsaKey() rsa.PrivateKey {
+    privateKey, _ := rsa.GenerateKey(rand.Reader, 1024) // Noncompliant
+    return *privateKey
+}
+----
+
+include::../common/fix/dsa.adoc[]
+
+[source,go,diff-id=2,diff-type=noncompliant]
+----
+import (
+    "crypto/dsa"
+    "crypto/rand"
+)
+
+func generateDsaKey() dsa.PrivateKey {
+    var parameters dsa.Parameters
+    dsa.GenerateParameters(&parameters, rand.Reader, dsa.L1024N160) // Noncompliant
+    var privateKey dsa.PrivateKey
+    privateKey.Parameters = parameters
+    dsa.GenerateKey(&privateKey, rand.Reader)
+    return privateKey
+}
+----
+
+==== Compliant solution
+
+include::../common/fix/rsa.adoc[]
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import (
+    "crypto/rand"
+    "crypto/rsa"
+)
+
+func generateRsaKey() rsa.PrivateKey {
+    privateKey, _ := rsa.GenerateKey(rand.Reader, 4096)
+    return *privateKey
+}
+----
+
+include::../common/fix/dsa.adoc[]
+
+[source,go,diff-id=2,diff-type=compliant]
+----
+import (
+    "crypto/dsa"
+    "crypto/rand"
+)
+
+func generateDsaKey() dsa.PrivateKey {
+    var parameters dsa.Parameters
+    dsa.GenerateParameters(&parameters, rand.Reader, dsa.L3072N256)
+    var privateKey dsa.PrivateKey
+    privateKey.Parameters = parameters
+    dsa.GenerateKey(&privateKey, rand.Reader)
+    return privateKey
+}
+----
+
+
+=== How does this work?
+
+As a rule of thumb, use the cryptographic algorithms and mechanisms that are
+considered strong by the cryptography community.
+
+==== RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)
+
+The security of these algorithms depends on the difficulty of attacks
+attempting to solve their underlying mathematical problem.
+
+In general, a minimum key size of *2048* bits is recommended for both.  It
+provides 112 bits of security. A key length of *3072* or *4096* should be
+preferred when possible.
+
+=== Going the extra mile
+
+include::../common/extra-mile/pre-quantum.adoc[]
+
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/presentations.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]