Discover Packages
github.com/picatz/rsalint
module
Version:
v1.0.1
Opens a new window with list of versions in this module.
Published: Feb 18, 2022
License: MIT
Opens a new window with license information.
README
README
¶
rsalint
🕵️♀️ Linter for the crypto/rsa
package.
Install
$ go install github.com/picatz/rsalint/cmd/rsalint@latest
Vulnerable Implementation
package main
import (
"crypto/rsa"
"fmt"
"math/rand"
)
func main() {
privateKey, err := rsa.GenerateKey(rand.New(rand.NewSource(0)), 1024)
if err != nil {
panic(err)
}
fmt.Println(privateKey)
}
rsalint
can identify a number of potential security problems:
Using an insecure source of entropy using math/rand
( always use crypto/rand
).
Using an insecure hash function ( not SHA256 or SHA512 ).
Generating an RSA key pair using an insecure number of bits ( always use >= 2048
).
Using potentially insecure signing function rsa.SignPKCS1v15
instead of rsa.SignPSS
.
Using potentially insecure signing function rsa.EncryptPKCS1v15
instead of rsa.EncryptOAEP
.
Using an insecure value for multi-prime keys for various bit sizes.
Using an insecure PKCS1v15 session key size.
Not using RSA blinding leading to possible timing side-channel attacks.
Usage
$ rsalint ./path/to/vulnerable/code/...
./path/to/vulnerable/code/main.go:10:37: use the crypto/rand.Reader instead for a cryptographically secure random number generator
./path/to/vulnerable/code/main.go:10:66: always use 2048 bits or greater
Expand ▾
Collapse ▴
Directories
¶
cmd
Package rsacheck defines an Analyzer to report insecure usage of the "crypto/rsa" package.
Package rsacheck defines an Analyzer to report insecure usage of the "crypto/rsa" package.
Click to show internal directories.
Click to hide internal directories.