When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough
entropy against brute-force attacks.

- For `RSA` and `DSA` algorithms key size should be at least 2048 bits long
- For `ECC` (elliptic curve cryptography) algorithms key size should be at least 224 bits long
- For `RSA` public key exponent should be at least 65537.

This rule raises an issue when an `RSA`, `DSA` or `ECC` key-pair generator is initialized using weak parameters.

It supports the following libraries:

## Noncompliant Code Example

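```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()
dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant: key size below 2048 bits
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant: exponent below 65537
ec.generate_private_key(curve=ec.SECT163R2(), backend=backend) # Noncompliant: curve below 224 bits
```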

## Compliant Solution

```python
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()
dsa.generate_private_key(key_size=2048, backend=backend) # Compliant
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant
ec.generate_private_key(curve=ec.SECT409R1(), backend=backend) # Compliant
```
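
The check this rule describes can be approximated with the standard `ast` module. This is an added example, not the analyzer's own implementation; it assumes the modules are imported under the names `rsa`, `dsa` and `ec` as on this page, that arguments are literals, and that the first number in a curve name is its size in bits. `find_weak_keygen` and `SAMPLE` are hypothetical names.

```python
import ast
import re

# Thresholds stated by the rule on this page.
MIN_RSA_DSA_BITS, MIN_EC_BITS, MIN_RSA_EXPONENT = 2048, 224, 65537
# Positional parameter order of generate_private_key() in rsa, dsa and ec.
POSITIONAL = {"rsa": ["public_exponent", "key_size"], "dsa": ["key_size"], "ec": ["curve"]}

def _literal(node):
    """Return an integer literal's value, or None when the argument is not one."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, int) else None

def _curve_bits(node):
    """Heuristic (assumption): the first number in a curve name is its size in bits."""
    if isinstance(node, ast.Call):  # ec.SECP256R1() -> ec.SECP256R1
        node = node.func
    name = getattr(node, "attr", None) or getattr(node, "id", "")
    match = re.search(r"\d+", name)
    return int(match.group()) if match else None

def find_weak_keygen(source):
    """Return sorted (line, message) pairs for weak key-pair generator calls."""
    findings = []
    for call in ast.walk(ast.parse(source)):
        func = call.func if isinstance(call, ast.Call) else None
        if not (isinstance(func, ast.Attribute) and func.attr == "generate_private_key"
                and isinstance(func.value, ast.Name) and func.value.id in POSITIONAL):
            continue
        algo = func.value.id
        args = dict(zip(POSITIONAL[algo], call.args))
        args.update({k.arg: k.value for k in call.keywords if k.arg})
        if algo == "ec":
            bits, minimum = _curve_bits(args.get("curve")), MIN_EC_BITS
        else:
            bits, minimum = _literal(args.get("key_size")), MIN_RSA_DSA_BITS
        if bits is not None and bits < minimum:
            findings.append((call.lineno, f"{algo} key size {bits} < {minimum} bits"))
        exponent = _literal(args.get("public_exponent"))
        if algo == "rsa" and exponent is not None and exponent < MIN_RSA_EXPONENT:
            findings.append((call.lineno, f"rsa public_exponent {exponent} < {MIN_RSA_EXPONENT}"))
    return sorted(findings)

# Constructed sample: the page's noncompliant calls followed by one compliant call.
SAMPLE = """\
dsa.generate_private_key(key_size=1024, backend=backend)
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend)
ec.generate_private_key(curve=ec.SECT163R2, backend=backend)
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend)
"""
```

Parameters passed through variables or computed at runtime are skipped rather than guessed, so a clean result does not prove that every generated key is strong.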

## See