When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough entropy against brute-force attacks.
- RSA and DSA algorithms: key size should be at least 2048 bits long
- ECC (elliptic curve cryptography) algorithms: key size should be at least 224 bits long
- RSA public key exponent should be at least 65537

This rule raises an issue when an RSA, DSA or ECC key-pair generator is initialized using weak parameters.
It supports the following libraries:
```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()
dsa.generate_private_key(key_size=1024, backend=backend)  # Noncompliant: DSA key shorter than 2048 bits
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend)  # Noncompliant: exponent below 65537
ec.generate_private_key(curve=ec.SECT163R2, backend=backend)  # Noncompliant: 163-bit curve, below 224 bits
```

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()
dsa.generate_private_key(key_size=2048, backend=backend)  # Compliant
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend)  # Compliant
ec.generate_private_key(curve=ec.SECT409R1, backend=backend)  # Compliant
```
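The check the rule describes can be reproduced with the standard library's `ast` module, scanning source for `rsa`/`dsa`/`ec` `generate_private_key` calls whose literal arguments fall below the thresholds above. This is an added illustration, not Sonar's analyzer; the function and constant names and the sample source are constructed for the example.

```python
import ast
import re
# Thresholds taken from the rule text; this checker is an added illustration, not Sonar's analyzer.
MIN_KEY_BITS = {"rsa": 2048, "dsa": 2048}  # minimum modulus size for RSA and DSA
MIN_EC_BITS = 224                          # minimum curve size for ECC
MIN_RSA_EXPONENT = 65537                   # minimum RSA public exponent

def _int_kw(call, name):
    """Return the literal int passed as keyword `name`, or None if absent or not a literal."""
    for kw in call.keywords:
        if kw.arg == name and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, int):
            return kw.value.value
    return None

def _curve_bits(call):
    """Read the curve size from a name such as ec.SECT163R2 or ec.SECP256R1 (first digit group)."""
    for kw in call.keywords:
        if kw.arg == "curve" and isinstance(kw.value, ast.Attribute):
            match = re.match(r"[A-Za-z]+?(\d+)", kw.value.attr)
            return int(match.group(1)) if match else None
    return None

def find_weak_keygen(source):
    """Return (line, reason) for each rsa/dsa/ec generate_private_key call below the thresholds."""
    issues = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "generate_private_key" and isinstance(node.func.value, ast.Name)):
            continue
        module = node.func.value.id
        size, exponent, bits = _int_kw(node, "key_size"), _int_kw(node, "public_exponent"), _curve_bits(node)
        if module in MIN_KEY_BITS and size is not None and size < MIN_KEY_BITS[module]:
            issues.append((node.lineno, f"{module} key_size {size} < {MIN_KEY_BITS[module]}"))
        if module == "rsa" and exponent is not None and exponent < MIN_RSA_EXPONENT:
            issues.append((node.lineno, f"rsa public_exponent {exponent} < {MIN_RSA_EXPONENT}"))
        if module == "ec" and bits is not None and bits < MIN_EC_BITS:
            issues.append((node.lineno, f"ec curve size {bits} bits < {MIN_EC_BITS}"))
    return issues

# Constructed sample: the page's noncompliant calls followed by its compliant ones, one per line.
SAMPLE = """\
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=1024, backend=backend)
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend)
ec.generate_private_key(curve=ec.SECT163R2, backend=backend)
dsa.generate_private_key(key_size=2048, backend=backend)
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend)
ec.generate_private_key(curve=ec.SECT409R1, backend=backend)
"""
```

Running `find_weak_keygen(SAMPLE)` flags only lines 2 to 4 of the sample; parameters passed as variables rather than literals are not evaluated, which is the same limitation a purely syntactic check has.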