Add weak asymmetric key size detection query for PowerShell

chanel-y · Copilot · chanel-y · commit cabf6d056a84 · 2026-04-09T09:32:12.000-07:00
Detects RSA key sizes below 2048 bits via RSA.Create(), RSA::new(),
and RSACryptoServiceProvider::new() patterns.

Covers: Cryptography.10012 (CWE-326)

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/powershell/ql/src/queries/security/cwe-326/WeakAsymmetricKey.ql b/powershell/ql/src/queries/security/cwe-326/WeakAsymmetricKey.ql
@@ -0,0 +1,79 @@
+/**
+ * @name Weak asymmetric key size
+ * @description Using RSA keys smaller than 2048 bits does not provide adequate security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/microsoft/security/weak-asymmetric-key
+ * @tags security
+ *       external/cwe/cwe-326
+ */
+
+import powershell
+import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.dataflow.DataFlow
+
+/**
+ * Holds if `keySize` is below the minimum RSA key size of 2048 bits.
+ */
+bindingset[keySize]
+predicate isWeakKeySize(int keySize) { keySize > 0 and keySize < 2048 }
+
+/**
+ * An RSA.Create(keySize) or RSA::new(keySize) call via the API graph with a weak key size.
+ */
+class WeakRsaCreateCall extends DataFlow::CallNode {
+  int keySize;
+
+  WeakRsaCreateCall() {
+    exists(string method |
+      method = ["create", "new"] and
+      this =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember(["rsa", "rsacryptoserviceprovider"])
+            .getMember(method)
+            .asCall()
+    ) and
+    keySize = this.getAnArgument().asExpr().getExpr().(ConstExpr).getValueString().toInt() and
+    isWeakKeySize(keySize)
+  }
+
+  int getKeySize() { result = keySize }
+}
+
+/**
+ * A New-Object RSACryptoServiceProvider(keySize) with a weak key size.
+ */
+class WeakRsaCspCreation extends DataFlow::ObjectCreationNode {
+  int keySize;
+
+  WeakRsaCspCreation() {
+    exists(string objName |
+      objName =
+        this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString().toLowerCase() and
+      objName =
+        [
+          "system.security.cryptography.rsacryptoserviceprovider",
+          "rsacryptoserviceprovider"
+        ]
+    ) and
+    exists(DataFlow::Node arg |
+      arg = this.getAnArgument() and
+      keySize = arg.asExpr().getExpr().(ConstExpr).getValueString().toInt() and
+      isWeakKeySize(keySize)
+    )
+  }
+
+  int getKeySize() { result = keySize }
+}
+
+from DataFlow::Node node, int keySize
+where
+  exists(WeakRsaCreateCall c | node = c and keySize = c.getKeySize())
+  or
+  exists(WeakRsaCspCreation c | node = c and keySize = c.getKeySize())
+select node,
+  "RSA key size " + keySize.toString() + " bits is below the minimum of 2048 bits."
diff --git a/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.expected b/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.expected
@@ -0,0 +1,3 @@
+| test.ps1:6:8:6:55 | Call to create | RSA key size 1024 bits is below the minimum of 2048 bits. |
+| test.ps1:9:8:9:54 | Call to create | RSA key size 512 bits is below the minimum of 2048 bits. |
+| test.ps1:12:8:12:73 | Call to new | RSA key size 1024 bits is below the minimum of 2048 bits. |
diff --git a/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.qlref b/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.qlref
@@ -0,0 +1 @@
+queries/security/cwe-326/WeakAsymmetricKey.ql
diff --git a/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/test.ps1 b/powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/test.ps1
@@ -0,0 +1,25 @@
+# ===================================================================
+# ========== TRUE POSITIVES (should trigger alert) ==================
+# ===================================================================
+
+# --- Case 1: RSA.Create with 1024-bit key ---
+$rsa = [System.Security.Cryptography.RSA]::Create(1024) # BAD
+
+# --- Case 2: RSA.Create with 512-bit key ---
+$rsa = [System.Security.Cryptography.RSA]::Create(512) # BAD
+
+# --- Case 3: RSACryptoServiceProvider with 1024-bit key via ::new() ---
+$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(1024) # BAD
+
+# ===================================================================
+# ========== TRUE NEGATIVES (should NOT trigger alert) ==============
+# ===================================================================
+
+# --- Safe: RSA.Create with 2048-bit key ---
+$rsa = [System.Security.Cryptography.RSA]::Create(2048) # GOOD
+
+# --- Safe: RSA.Create with 4096-bit key ---
+$rsa = [System.Security.Cryptography.RSA]::Create(4096) # GOOD
+
+# --- Safe: RSA.Create with no argument (default key size) ---
+$rsa = [System.Security.Cryptography.RSA]::Create() # GOOD

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\| test.ps1:6:8:6:55 \| Call to create \| RSA key size 1024 bits is below the minimum of 2048 bits. \|`
	`2`	`+\| test.ps1:9:8:9:54 \| Call to create \| RSA key size 512 bits is below the minimum of 2048 bits. \|`
	`3`	`+\| test.ps1:12:8:12:73 \| Call to new \| RSA key size 1024 bits is below the minimum of 2048 bits. \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-326/WeakAsymmetricKey.ql`