rsalint

module
v1.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 18, 2022 License: MIT

README

rsalint

🕵️‍♀️ Linter for the crypto/rsa package.

Install

$ go install github.com/picatz/rsalint/cmd/rsalint@latest

Vulnerable Implementation

package main

import (
    "crypto/rsa"
    "fmt"
    "math/rand"
)

func main() {
    privateKey, err := rsa.GenerateKey(rand.New(rand.NewSource(0)), 1024)
    if err != nil {
        panic(err)
    }
    fmt.Println(privateKey)
}

rsalint can identify a number of potential security problems:

  • Using an insecure source of entropy using math/rand ( always use crypto/rand ).
  • Using an insecure hash function ( not SHA256 or SHA512 ).
  • Generating an RSA key pair using an insecure number of bits ( always use >= 2048 ).
  • Using potentially insecure signing function rsa.SignPKCS1v15 instead of rsa.SignPSS.
  • Using potentially insecure signing function rsa.EncryptPKCS1v15 instead of rsa.EncryptOAEP.
  • Using an insecure value for multi-prime keys for various bit sizes.
  • Using an insecure PKCS1v15 session key size.
  • Not using RSA blinding leading to possible timing side-channel attacks.

Usage

$ rsalint ./path/to/vulnerable/code/...
./path/to/vulnerable/code/main.go:10:37: use the crypto/rand.Reader instead for a cryptographically secure random number generator
./path/to/vulnerable/code/main.go:10:66: always use 2048 bits or greater

Directories

Path Synopsis
cmd
rsalint
Package rsacheck defines an Analyzer to report insecure usage of the "crypto/rsa" package.
 Package rsacheck defines an Analyzer to report insecure usage of the "crypto/rsa" package.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.