microsoft
diff --git a/‎powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptoArtifact.qll‎
Lines changed: 6 additions & 0 deletions b/‎powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptoArtifact.qll‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptographyModule.qll‎
Lines changed: 42 additions & 0 deletions b/‎powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptographyModule.qll‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎powershell/ql/src/queries/security/cwe-326/WeakAsymmetricKey.ql‎
Lines changed: 0 additions & 79 deletions b/‎powershell/ql/src/queries/security/cwe-326/WeakAsymmetricKey.ql‎
Lines changed: 0 additions & 79 deletions
diff --git a/‎powershell/ql/src/queries/security/cwe-327/WeakAsymmetricKeySize.qhelp‎
Lines changed: 40 additions & 0 deletions b/‎powershell/ql/src/queries/security/cwe-327/WeakAsymmetricKeySize.qhelp‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎powershell/ql/src/queries/security/cwe-327/WeakAsymmetricKeySize.ql‎
Lines changed: 22 additions & 0 deletions b/‎powershell/ql/src/queries/security/cwe-327/WeakAsymmetricKeySize.ql‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.qlref‎
Lines changed: 0 additions & 1 deletion b/‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.qlref‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎…AsymmetricKey/WeakAsymmetricKey.expected‎ ‎…icKeySize/WeakAsymmetricKeySize.expected‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.expected renamed to powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.expected b/‎…AsymmetricKey/WeakAsymmetricKey.expected‎ ‎…icKeySize/WeakAsymmetricKeySize.expected‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/WeakAsymmetricKey.expected renamed to powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.expected
diff --git a/‎powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.qlref‎
Lines changed: 1 addition & 0 deletions b/‎powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/WeakAsymmetricKeySize.qlref‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎…urity/cwe-326/WeakAsymmetricKey/test.ps1‎ ‎…y/cwe-327/WeakAsymmetricKeySize/test.ps1‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/test.ps1 renamed to powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/test.ps1 b/‎…urity/cwe-326/WeakAsymmetricKey/test.ps1‎ ‎…y/cwe-327/WeakAsymmetricKeySize/test.ps1‎powershell/ql/test/query-tests/security/cwe-326/WeakAsymmetricKey/test.ps1 renamed to powershell/ql/test/query-tests/security/cwe-327/WeakAsymmetricKeySize/test.ps1
@@ -36,3 +36,9 @@ abstract class BlockMode extends CryptographicAlgorithm {
     else result = unknownAlgorithm()
   }
 }
+
+abstract class AsymmetricKeyCreation extends CryptographicArtifact {
+  abstract string getAlgorithmName();
+
+  abstract int getKeySize();
+}
@@ -194,3 +194,45 @@ class CipherBlockModeEnum extends BlockMode {
 
   override string getName() { result = modeName }
 }
+
+class RsaCreateKeyCreation extends AsymmetricKeyCreation, DataFlow::CallNode {
+  int keySize;
+
+  RsaCreateKeyCreation() {
+    exists(string method |
+      method = ["create", "new"] and
+      this =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember(["rsa", "rsacryptoserviceprovider"])
+            .getMember(method)
+            .asCall()
+    ) and
+    keySize = this.getAnArgument().asExpr().getExpr().(ConstExpr).getValueString().toInt()
+  }
+
+  override string getAlgorithmName() { result = "rsa" }
+
+  override int getKeySize() { result = keySize }
+}
+
+class RsaCspObjectKeyCreation extends AsymmetricKeyCreation, CryptoAlgorithmObjectCreation {
+  int keySize;
+
+  RsaCspObjectKeyCreation() {
+    objectName =
+      [
+        "system.security.cryptography.rsacryptoserviceprovider",
+        "rsacryptoserviceprovider"
+      ] and
+    exists(DataFlow::Node arg |
+      arg = this.getAnArgument() and
+      keySize = arg.asExpr().getExpr().(ConstExpr).getValueString().toInt()
+    )
+  }
+
+  override string getAlgorithmName() { result = "rsa" }
+
+  override int getKeySize() { result = keySize }
+}
@@ -0,0 +1,40 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Modern encryption relies on it being computationally infeasible to break the cipher and
+      decode a message without the key. As computational power increases, the ability to break
+      ciphers grows and keys need to become larger.
+    </p>
+    <p>
+      RSA keys smaller than 2048 bits are considered weak and can potentially be broken using
+      modern hardware. Using such keys compromises the confidentiality and integrity of
+      encrypted data.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>
+      Use an RSA key size of at least 2048 bits. For long-term security, consider using
+      4096-bit keys.
+    </p>
+    <p>
+      When calling <code>[System.Security.Cryptography.RSA]::Create()</code> or creating an
+      <code>RSACryptoServiceProvider</code>, always specify a key size of 2048 or greater.
+    </p>
+  </recommendation>
+
+  <example>
+    <p>
+      The following example shows the creation of an RSA key with only 1024 bits, which is
+      considered weak:
+    </p>
+    <sample src="test.ps1" />
+  </example>
+
+  <references>
+    <li>NIST, SP 800-131A: <a href="https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final">Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
+    <li>Wikipedia: <a href="https://en.wikipedia.org/wiki/RSA_(cryptosystem)">RSA cryptosystem</a>.</li>
+    <li>CWE-327: <a href="https://cwe.mitre.org/data/definitions/327.html">Use of a Broken or Risky Cryptographic Algorithm</a>.</li>
+  </references>
+</qhelp>
@@ -0,0 +1,22 @@
+/**
+ * @name Weak asymmetric key size
+ * @description Using RSA keys smaller than 2048 bits does not provide adequate security.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id powershell/weak-asymmetric-key-size
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.security.cryptography.Concepts
+
+from AsymmetricKeyCreation keyCreation, int keySize
+where
+  keySize = keyCreation.getKeySize() and
+  keySize < 2048
+select keyCreation,
+  "RSA key size " + keySize.toString() + " bits is below the minimum of 2048 bits."
@@ -0,0 +1 @@
+queries/security/cwe-327/WeakAsymmetricKeySize.ql
Original file line number	Diff line number	Diff line change
`@@ -36,3 +36,9 @@ abstract class BlockMode extends CryptographicAlgorithm {`
`36`	`36`	`else result = unknownAlgorithm()`
`37`	`37`	`}`
`38`	`38`	`}`
	`39`	`+`
	`40`	`+abstract class AsymmetricKeyCreation extends CryptographicArtifact {`
	`41`	`+ abstract string getAlgorithmName();`
	`42`	`+`
	`43`	`+ abstract int getKeySize();`
	`44`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+queries/security/cwe-327/WeakAsymmetricKeySize.ql`