Mercurial Repositories > eric / file comparison

comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py

src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py

branch
eric7
changeset 9209
b99e7fd55fd3
parent 8881
54e42bc2437a
child 9221
bf71ee032bb4
equal deleted inserted replaced
9208:3fc8dfeb6ebe 9209:b99e7fd55fd3
1 # -*- coding: utf-8 -*-
2
3 # Copyright (c) 2020 - 2022 Detlev Offenbach <detlev@die-offenbachs.de>
4 #
5
6 """
7 Module implementing checks for weak cryptographic key use.
8 """
9
10 #
11 # This is a modified version of the one found in the bandit package.
12 #
13 # Original Copyright 2014 Hewlett-Packard Development Company, L.P.
14 #
15 # SPDX-License-Identifier: Apache-2.0
16 #
17
18 from Security.SecurityDefaults import SecurityDefaults
19
20
21 def getChecks():
22 """
23 Public method to get a dictionary with checks handled by this module.
24
25 @return dictionary containing checker lists containing checker function and
26 list of codes
27 @rtype dict
28 """
29 return {
30 "Call": [
31 (checkWeakCryptographicKey, ("S505",)),
32 ],
33 }
34
35
36 def _classifyKeySize(reportError, config, keyType, keySize, node):
37 """
38 Function to classify a key and report an error if insufficient.
39
40 @param reportError function to be used to report errors
41 @type func
42 @param config dictionary with configuration data
43 @type dict
44 @param keyType type of key to be classified ('DSA', 'RSA', 'EC')
45 @type str
46 @param keySize size of the key to be classified
47 @type int
48 @param node node the key was extracted from (needed for reporting)
49 @type ast.Call
50 @return flag indicating an error was reported
51 @rtype bool
52 """
53 if isinstance(keySize, str):
54 # try to convert to an integer
55 try:
56 keySize = int(keySize)
57 except ValueError:
58 # size provided via a variable - can't process it at the moment
59 return False
60
61 conf = {}
62 conf.update(SecurityDefaults)
63 if config:
64 conf.update(config)
65
66 keySizes = {
67 "DSA": [
68 (conf["weak_key_size_dsa_high"], "H"),
69 (conf["weak_key_size_dsa_medium"], "M"),
70 ],
71 "RSA": [
72 (conf["weak_key_size_rsa_high"], "H"),
73 (conf["weak_key_size_rsa_medium"], "M"),
74 ],
75 "EC": [
76 (conf["weak_key_size_ec_high"], "H"),
77 (conf["weak_key_size_ec_medium"], "M"),
78 ],
79 }
80
81 for size, level in keySizes[keyType]:
82 if keySize < size:
83 reportError(
84 node.lineno - 1,
85 node.col_offset,
86 "S505",
87 level,
88 "H",
89 keyType,
90 size
91 )
92 return True
93
94 return False
95
96
97 def _weakCryptoKeySizeCryptography(reportError, context, config):
98 """
99 Function to check 'cryptography.hazmat' for weak key use.
100
101 @param reportError function to be used to report errors
102 @type func
103 @param context security context object
104 @type SecurityContext
105 @param config dictionary with configuration data
106 @type dict
107 @return flag indicating an error was reported
108 @rtype bool
109 """
110 funcKeyType = {
111 'cryptography.hazmat.primitives.asymmetric.dsa.'
112 'generate_private_key': 'DSA',
113 'cryptography.hazmat.primitives.asymmetric.rsa.'
114 'generate_private_key': 'RSA',
115 'cryptography.hazmat.primitives.asymmetric.ec.'
116 'generate_private_key': 'EC',
117 }
118 argPosition = {
119 'DSA': 0,
120 'RSA': 1,
121 'EC': 0,
122 }
123 keyType = funcKeyType.get(context.callFunctionNameQual)
124 if keyType in ['DSA', 'RSA']:
125 keySize = (context.getCallArgValue('key_size') or
126 context.getCallArgAtPosition(argPosition[keyType]) or
127 2048)
128 return _classifyKeySize(reportError, config, keyType, keySize,
129 context.node)
130
131 elif keyType == 'EC':
132 curveKeySizes = {
133 'SECP192R1': 192,
134 'SECT163K1': 163,
135 'SECT163R2': 163,
136 }
137 curve = (context.getCallArgValue('curve') or
138 context.callArgs[argPosition[keyType]])
139 keySize = curveKeySizes[curve] if curve in curveKeySizes else 224
140 return _classifyKeySize(reportError, config, keyType, keySize,
141 context.node)
142
143 else:
144 return False
145
146
147 def _weakCryptoKeySizePycrypto(reportError, context, config):
148 """
149 Function to check 'pycrypto' for weak key use.
150
151 @param reportError function to be used to report errors
152 @type func
153 @param context security context object
154 @type SecurityContext
155 @param config dictionary with configuration data
156 @type dict
157 @return flag indicating an error was reported
158 @rtype bool
159 """
160 funcKeyType = {
161 'Crypto.PublicKey.DSA.generate': 'DSA',
162 'Crypto.PublicKey.RSA.generate': 'RSA',
163 'Cryptodome.PublicKey.DSA.generate': 'DSA',
164 'Cryptodome.PublicKey.RSA.generate': 'RSA',
165 }
166 keyType = funcKeyType.get(context.callFunctionNameQual)
167 if keyType:
168 keySize = (context.getCallArgValue('bits') or
169 context.getCallArgAtPosition(0) or
170 2048)
171 return _classifyKeySize(reportError, config, keyType, keySize,
172 context.node)
173 return False
174
175
176 def checkWeakCryptographicKey(reportError, context, config):
177 """
178 Function to check for weak cryptographic key use.
179
180 @param reportError function to be used to report errors
181 @type func
182 @param context security context object
183 @type SecurityContext
184 @param config dictionary with configuration data
185 @type dict
186 """
187 (
188 _weakCryptoKeySizeCryptography(reportError, context, config) or
189 _weakCryptoKeySizePycrypto(reportError, context, config)
190 )

Mercurial Repository: eric

eric ide

mercurial