picatz / rsalint

🕵️‍♀️@golang linter for the crypto/rsa package.

Home Page:https://golang.org/pkg/crypto/rsa/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

rsalint

🕵️‍♀️ Linter for the crypto/rsa package.

Install

$ go install github.com/picatz/rsalint/cmd/rsalint@latest

Vulnerable Implementation

package main

import (
    "crypto/rsa"
    "fmt"
    "math/rand"
)

func main() {
    privateKey, err := rsa.GenerateKey(rand.New(rand.NewSource(0)), 1024)
    if err != nil {
        panic(err)
    }
    fmt.Println(privateKey)
}

rsalint can identify a number of potential security problems:

  • Using an insecure source of entropy using math/rand ( always use crypto/rand ).
  • Using an insecure hash function ( not SHA256 or SHA512 ).
  • Generating an RSA key pair using an insecure number of bits ( always use >= 2048 ).
  • Using potentially insecure signing function rsa.SignPKCS1v15 instead of rsa.SignPSS.
  • Using potentially insecure signing function rsa.EncryptPKCS1v15 instead of rsa.EncryptOAEP.
  • Using an insecure value for multi-prime keys for various bit sizes.
  • Using an insecure PKCS1v15 session key size.
  • Not using RSA blinding leading to possible timing side-channel attacks.

Usage

$ rsalint ./path/to/vulnerable/code/...
./path/to/vulnerable/code/main.go:10:37: use the crypto/rand.Reader instead for a cryptographically secure random number generator
./path/to/vulnerable/code/main.go:10:66: always use 2048 bits or greater

About

🕵️‍♀️@golang linter for the crypto/rsa package.

https://golang.org/pkg/crypto/rsa/

License:MIT License


Languages

Language:Go 97.9%Language:Makefile 2.1%