Create go rule S5542: Encryption algorithms should be used with secur…

…e mode and padding scheme (#4631) * Add go to rule S5542 * SONARGO-136: Add S5542 for Go * Improvements based on review --------- Co-authored-by: daniel-teuchert-sonarsource <[email protected]> Co-authored-by: Daniel Teuchert <[email protected]> Co-authored-by: daniel-teuchert-sonarsource <[email protected]>
SonarSource · Feb 3, 2025 · c99ad72 · c99ad72
1 parent 8c0356d
commit c99ad72
Show file tree

Hide file tree

Showing 2 changed files with 155 additions and 0 deletions.
diff --git a/rules/S5542/go/metadata.json b/rules/S5542/go/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S5542/go/rule.adoc b/rules/S5542/go/rule.adoc
@@ -0,0 +1,153 @@
+
+include::../summary.adoc[]
+
+== Why is this an issue?
+
+include::../rationale.adoc[]
+
+include::../impact.adoc[]
+
+// How to fix it section
+
+== How to fix it
+
+=== Code examples
+
+==== Noncompliant code example
+
+Example with a symmetric cipher, AES in CBC mode:
+
+[source,go,diff-id=1,diff-type=noncompliant]
+----
+import (
+    "crypto/aes"
+    "crypto/cipher"
+    "crypto/rand"
+)
+func encrypt() {
+    plaintext := []byte("Exampleplaintext")
+
+    key := make([]byte, 32) 
+    rand.Read(key)
+    block, _ := aes.NewCipher(key)
+    iv := make([]byte, block.BlockSize())
+    rand.Read(iv)
+
+    encrypter := cipher.NewCBCEncrypter(block, iv) // Noncompliant
+
+    ciphertext := make([]byte, len(plaintext))
+    encrypter.CryptBlocks(ciphertext, plaintext)
+}
+----
+
+The following example shows the function `cipher.Block.Encrypt` being used directly to run AES in a self-build ECB mode:
+
+[source,go]
+----
+import (
+    "crypto/aes"
+    "crypto/rand"
+)
+func encrypt() {
+    plaintext := []byte("Exampleplaintext")
+
+    key := make([]byte, 32) 
+    rand.Read(key)
+    block, _ := aes.NewCipher(key)
+
+    ciphertext := make([]byte, len(plaintext))
+    block.Encrypt(ciphertext, plaintext) // Noncompliant
+}
+----
+
+Example with an asymetric cipher, RSA with PKCS1v15 padding:
+
+[source,go,diff-id=2,diff-type=noncompliant]
+----
+import (
+    "crypto/rand"
+    "crypto/rsa"
+)
+func encrypt() {
+    random := rand.Reader
+    plaintext := []byte("Exampleplaintext")
+    privateKey, _ := rsa.GenerateKey(random, 4096)
+    ciphertext, _ := rsa.EncryptPKCS1v15(random, &privateKey.PublicKey, plaintext) // Noncompliant
+}
+----
+
+==== Compliant solution
+
+include::../common/fix/aes-compliant-example.adoc[]
+
+[source,go,diff-id=1,diff-type=compliant]
+----
+import (
+    "crypto/aes"
+    "crypto/cipher"
+    "crypto/rand"
+)
+func encrypt() {
+    plaintext := []byte("Exampleplaintext")
+
+    key := make([]byte, 32) 
+    rand.Read(key)
+    block, _ := aes.NewCipher(key)
+    nonce := make([]byte, 12)
+    rand.Read(nonce)
+
+    aesgcm, _ := cipher.NewGCM(block)
+
+    ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
+}
+----
+
+include::../common/fix/rsa-compliant-example.adoc[]
+
+[source,go,diff-id=2,diff-type=compliant]
+----
+import (
+    "crypto/rand"
+    "crypto/rsa"
+    "crypto/sha256"
+)
+func encrypt() {
+    random := rand.Reader
+    plaintext := []byte("Exampleplaintext")
+    privateKey, _ := rsa.GenerateKey(random, 4096)
+    ciphertext, _ := rsa.EncryptOAEP(sha256.New(), random, &privateKey.PublicKey, plaintext, nil)
+}
+----
+
+=== How does this work?
+
+include::../common/fix/fix.adoc[]
+
+
+
+== Resources
+
+include::../common/resources/docs.adoc[]
+
+include::../common/resources/articles.adoc[]
+
+include::../common/resources/presentations.adoc[]
+
+include::../common/resources/standards.adoc[]
+
+
+ifdef::env-github,rspecator-view[]
+
+'''
+== Implementation Specification
+(visible only on this page)
+
+include::../message.adoc[]
+
+'''
+== Comments And Links
+(visible only on this page)
+
+include::../comments-and-links.adoc[]
+
+endif::env-github,rspecator-view[]