Misuse of cryptography-related APIs can create security vulnerabilities. Common misuses include algorithms with known weaknesses, certain padding modes, missing integrity checks, key sizes that are too small, and insecure combinations of these.
def cryptography_noncompliant():
    """Show an HMAC keyed with too little key material (noncompliant example).

    Draws a 12-byte (96-bit) random key and uses it to build an
    HMAC-SHA-512/224 context. The context is only constructed: no data is
    fed to it, no tag is produced, and nothing is returned.
    """
    import secrets
    from cryptography.hazmat.primitives import hashes, hmac

    # Noncompliant: keysize too small for this algorithm. 12 bytes is shorter
    # than the 28-byte (224-bit) digest of SHA-512/224, and RFC 2104 strongly
    # discourages HMAC keys shorter than the hash output length because they
    # lower the strength of the MAC.
    undersized_key = secrets.token_bytes(12)
    digest_algorithm = hashes.SHA512_224()
    mac_context = hmac.HMAC(undersized_key, algorithm=digest_algorithm)
def cryptography_compliant():
    """Show an HMAC keyed with enough key material (compliant example).

    Draws a 48-byte (384-bit) random key from the ``secrets`` CSPRNG and uses
    it to build an HMAC-SHA-512/224 context. The context is only constructed:
    no data is fed to it, no tag is produced, and nothing is returned.
    """
    import secrets
    from cryptography.hazmat.primitives import hashes, hmac

    # Compliant: keysize sufficient for this algorithm. 48 bytes exceeds the
    # 28-byte (224-bit) digest of SHA-512/224, so the key length does not cap
    # the strength of the MAC.
    mac_key = secrets.token_bytes(48)
    digest_algorithm = hashes.SHA512_224()
    mac_context = hmac.HMAC(mac_key, algorithm=digest_algorithm)