Mercurial Repositories > eric / file comparison
comparison: src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py
src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/weakCryptographicKey.py
- branch
- eric7
- changeset 9221
- bf71ee032bb4
- parent 9209
- b99e7fd55fd3
- child 9325
- 8157eb19aba5
equal
deleted
inserted
replaced
| 9220:e9e7eca7efee | 9221:bf71ee032bb4 |
|---|---|
| 19 | 19 |
| 20 | 20 |
| 21 def getChecks(): | 21 def getChecks(): |
| 22 """ | 22 """ |
| 23 Public method to get a dictionary with checks handled by this module. | 23 Public method to get a dictionary with checks handled by this module. |
| 24 | 24 |
| 25 @return dictionary containing checker lists containing checker function and | 25 @return dictionary containing checker lists containing checker function and |
| 26 list of codes | 26 list of codes |
| 27 @rtype dict | 27 @rtype dict |
| 28 """ | 28 """ |
| 29 return { | 29 return { |
| 34 | 34 |
| 35 | 35 |
| 36 def _classifyKeySize(reportError, config, keyType, keySize, node): | 36 def _classifyKeySize(reportError, config, keyType, keySize, node): |
| 37 """ | 37 """ |
| 38 Function to classify a key and report an error if insufficient. | 38 Function to classify a key and report an error if insufficient. |
| 39 | 39 |
| 40 @param reportError function to be used to report errors | 40 @param reportError function to be used to report errors |
| 41 @type func | 41 @type func |
| 42 @param config dictionary with configuration data | 42 @param config dictionary with configuration data |
| 43 @type dict | 43 @type dict |
| 44 @param keyType type of key to be classified ('DSA', 'RSA', 'EC') | 44 @param keyType type of key to be classified ('DSA', 'RSA', 'EC') |
| 55 try: | 55 try: |
| 56 keySize = int(keySize) | 56 keySize = int(keySize) |
| 57 except ValueError: | 57 except ValueError: |
| 58 # size provided via a variable - can't process it at the moment | 58 # size provided via a variable - can't process it at the moment |
| 59 return False | 59 return False |
| 60 | 60 |
| 61 conf = {} | 61 conf = {} |
| 62 conf.update(SecurityDefaults) | 62 conf.update(SecurityDefaults) |
| 63 if config: | 63 if config: |
| 64 conf.update(config) | 64 conf.update(config) |
| 65 | 65 |
| 66 keySizes = { | 66 keySizes = { |
| 67 "DSA": [ | 67 "DSA": [ |
| 68 (conf["weak_key_size_dsa_high"], "H"), | 68 (conf["weak_key_size_dsa_high"], "H"), |
| 69 (conf["weak_key_size_dsa_medium"], "M"), | 69 (conf["weak_key_size_dsa_medium"], "M"), |
| 70 ], | 70 ], |
| 75 "EC": [ | 75 "EC": [ |
| 76 (conf["weak_key_size_ec_high"], "H"), | 76 (conf["weak_key_size_ec_high"], "H"), |
| 77 (conf["weak_key_size_ec_medium"], "M"), | 77 (conf["weak_key_size_ec_medium"], "M"), |
| 78 ], | 78 ], |
| 79 } | 79 } |
| 80 | 80 |
| 81 for size, level in keySizes[keyType]: | 81 for size, level in keySizes[keyType]: |
| 82 if keySize < size: | 82 if keySize < size: |
| 83 reportError( | 83 reportError( |
| 84 node.lineno - 1, | 84 node.lineno - 1, node.col_offset, "S505", level, "H", keyType, size |
| 85 node.col_offset, | |
| 86 "S505", | |
| 87 level, | |
| 88 "H", | |
| 89 keyType, | |
| 90 size | |
| 91 ) | 85 ) |
| 92 return True | 86 return True |
| 93 | 87 |
| 94 return False | 88 return False |
| 95 | 89 |
| 96 | 90 |
| 97 def _weakCryptoKeySizeCryptography(reportError, context, config): | 91 def _weakCryptoKeySizeCryptography(reportError, context, config): |
| 98 """ | 92 """ |
| 99 Function to check 'cryptography.hazmat' for weak key use. | 93 Function to check 'cryptography.hazmat' for weak key use. |
| 100 | 94 |
| 101 @param reportError function to be used to report errors | 95 @param reportError function to be used to report errors |
| 102 @type func | 96 @type func |
| 103 @param context security context object | 97 @param context security context object |
| 104 @type SecurityContext | 98 @type SecurityContext |
| 105 @param config dictionary with configuration data | 99 @param config dictionary with configuration data |
| 106 @type dict | 100 @type dict |
| 107 @return flag indicating an error was reported | 101 @return flag indicating an error was reported |
| 108 @rtype bool | 102 @rtype bool |
| 109 """ | 103 """ |
| 110 funcKeyType = { | 104 funcKeyType = { |
| 111 'cryptography.hazmat.primitives.asymmetric.dsa.' | 105 "cryptography.hazmat.primitives.asymmetric.dsa." "generate_private_key": "DSA", |
| 112 'generate_private_key': 'DSA', | 106 "cryptography.hazmat.primitives.asymmetric.rsa." "generate_private_key": "RSA", |
| 113 'cryptography.hazmat.primitives.asymmetric.rsa.' | 107 "cryptography.hazmat.primitives.asymmetric.ec." "generate_private_key": "EC", |
| 114 'generate_private_key': 'RSA', | |
| 115 'cryptography.hazmat.primitives.asymmetric.ec.' | |
| 116 'generate_private_key': 'EC', | |
| 117 } | 108 } |
| 118 argPosition = { | 109 argPosition = { |
| 119 'DSA': 0, | 110 "DSA": 0, |
| 120 'RSA': 1, | 111 "RSA": 1, |
| 121 'EC': 0, | 112 "EC": 0, |
| 122 } | 113 } |
| 123 keyType = funcKeyType.get(context.callFunctionNameQual) | 114 keyType = funcKeyType.get(context.callFunctionNameQual) |
| 124 if keyType in ['DSA', 'RSA']: | 115 if keyType in ["DSA", "RSA"]: |
| 125 keySize = (context.getCallArgValue('key_size') or | 116 keySize = ( |
| 126 context.getCallArgAtPosition(argPosition[keyType]) or | 117 context.getCallArgValue("key_size") |
| 127 2048) | 118 or context.getCallArgAtPosition(argPosition[keyType]) |
| 128 return _classifyKeySize(reportError, config, keyType, keySize, | 119 or 2048 |
| 129 context.node) | 120 ) |
| 130 | 121 return _classifyKeySize(reportError, config, keyType, keySize, context.node) |
| 131 elif keyType == 'EC': | 122 |
| 123 elif keyType == "EC": | |
| 132 curveKeySizes = { | 124 curveKeySizes = { |
| 133 'SECP192R1': 192, | 125 "SECP192R1": 192, |
| 134 'SECT163K1': 163, | 126 "SECT163K1": 163, |
| 135 'SECT163R2': 163, | 127 "SECT163R2": 163, |
| 136 } | 128 } |
| 137 curve = (context.getCallArgValue('curve') or | 129 curve = ( |
| 138 context.callArgs[argPosition[keyType]]) | 130 context.getCallArgValue("curve") or context.callArgs[argPosition[keyType]] |
| 131 ) | |
| 139 keySize = curveKeySizes[curve] if curve in curveKeySizes else 224 | 132 keySize = curveKeySizes[curve] if curve in curveKeySizes else 224 |
| 140 return _classifyKeySize(reportError, config, keyType, keySize, | 133 return _classifyKeySize(reportError, config, keyType, keySize, context.node) |
| 141 context.node) | 134 |
| 142 | |
| 143 else: | 135 else: |
| 144 return False | 136 return False |
| 145 | 137 |
| 146 | 138 |
| 147 def _weakCryptoKeySizePycrypto(reportError, context, config): | 139 def _weakCryptoKeySizePycrypto(reportError, context, config): |
| 148 """ | 140 """ |
| 149 Function to check 'pycrypto' for weak key use. | 141 Function to check 'pycrypto' for weak key use. |
| 150 | 142 |
| 151 @param reportError function to be used to report errors | 143 @param reportError function to be used to report errors |
| 152 @type func | 144 @type func |
| 153 @param context security context object | 145 @param context security context object |
| 154 @type SecurityContext | 146 @type SecurityContext |
| 155 @param config dictionary with configuration data | 147 @param config dictionary with configuration data |
| 156 @type dict | 148 @type dict |
| 157 @return flag indicating an error was reported | 149 @return flag indicating an error was reported |
| 158 @rtype bool | 150 @rtype bool |
| 159 """ | 151 """ |
| 160 funcKeyType = { | 152 funcKeyType = { |
| 161 'Crypto.PublicKey.DSA.generate': 'DSA', | 153 "Crypto.PublicKey.DSA.generate": "DSA", |
| 162 'Crypto.PublicKey.RSA.generate': 'RSA', | 154 "Crypto.PublicKey.RSA.generate": "RSA", |
| 163 'Cryptodome.PublicKey.DSA.generate': 'DSA', | 155 "Cryptodome.PublicKey.DSA.generate": "DSA", |
| 164 'Cryptodome.PublicKey.RSA.generate': 'RSA', | 156 "Cryptodome.PublicKey.RSA.generate": "RSA", |
| 165 } | 157 } |
| 166 keyType = funcKeyType.get(context.callFunctionNameQual) | 158 keyType = funcKeyType.get(context.callFunctionNameQual) |
| 167 if keyType: | 159 if keyType: |
| 168 keySize = (context.getCallArgValue('bits') or | 160 keySize = ( |
| 169 context.getCallArgAtPosition(0) or | 161 context.getCallArgValue("bits") or context.getCallArgAtPosition(0) or 2048 |
| 170 2048) | 162 ) |
| 171 return _classifyKeySize(reportError, config, keyType, keySize, | 163 return _classifyKeySize(reportError, config, keyType, keySize, context.node) |
| 172 context.node) | |
| 173 return False | 164 return False |
| 174 | 165 |
| 175 | 166 |
| 176 def checkWeakCryptographicKey(reportError, context, config): | 167 def checkWeakCryptographicKey(reportError, context, config): |
| 177 """ | 168 """ |
| 178 Function to check for weak cryptographic key use. | 169 Function to check for weak cryptographic key use. |
| 179 | 170 |
| 180 @param reportError function to be used to report errors | 171 @param reportError function to be used to report errors |
| 181 @type func | 172 @type func |
| 182 @param context security context object | 173 @param context security context object |
| 183 @type SecurityContext | 174 @type SecurityContext |
| 184 @param config dictionary with configuration data | 175 @param config dictionary with configuration data |
| 185 @type dict | 176 @type dict |
| 186 """ | 177 """ |
| 187 ( | 178 ( |
| 188 _weakCryptoKeySizeCryptography(reportError, context, config) or | 179 _weakCryptoKeySizeCryptography(reportError, context, config) |
| 189 _weakCryptoKeySizePycrypto(reportError, context, config) | 180 or _weakCryptoKeySizePycrypto(reportError, context, config) |
| 190 ) | 181 ) |
