When generating cryptographic keys (or key pairs), it is important to use a key length that provides enough security against brute-force attacks; for RSA this means the modulus must be large enough that factoring it is computationally infeasible. RSA keys should be at least 2048 bits long. Larger sizes such as 4096 bits give additional margin at the cost of slower key generation and private-key operations.

This rule raises an issue when an RSA key-pair generator is initialized with a length parameter smaller than 2048 bits.

Noncompliant Code Example

$config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 1024, // Noncompliant: 1024-bit RSA is below the 2048-bit minimum
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$res = openssl_pkey_new($config); // generates a key pair that is too weak to rely on

Compliant Solution

$config = array(
    "digest_alg" => "sha512",
    "private_key_bits" => 4096, // Compliant: 2048 is the minimum, 4096 gives extra margin
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$res = openssl_pkey_new($config);
if ($res === false) {
    // openssl_pkey_new() returns false on failure; never continue with an unset key
    throw new RuntimeException("RSA key generation failed: " . openssl_error_string());
}
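The snippets above pass a literal key size, but in real code the size often comes from a config array that can be edited or merged from several sources. The following added example (not part of the original rule page, and not SonarSource code) wraps openssl_pkey_new() in a helper that enforces the rule's 2048-bit floor before generation, then reads back the length OpenSSL actually produced with openssl_pkey_get_details() so a misconfigured request cannot slip through. It also includes a helper for auditing an existing PEM private key against the same floor. The constant name MIN_RSA_BITS and the function names are assumptions introduced for this example.

```php
<?php
// Added example, not part of the original rule page.
// MIN_RSA_BITS is an assumed name for the 2048-bit floor the rule describes.
const MIN_RSA_BITS = 2048;

/**
 * Generate an RSA key pair of at least MIN_RSA_BITS bits.
 * Rejects a too-small request before touching OpenSSL, and verifies the
 * generated key rather than trusting the $config array that requested it.
 */
function generateRsaKeyPair(int $bits = 4096): array
{
    if ($bits < MIN_RSA_BITS) {
        throw new InvalidArgumentException(
            "RSA key length $bits is below the minimum of " . MIN_RSA_BITS . " bits"
        );
    }

    $config = [
        "digest_alg"       => "sha512",
        "private_key_bits" => $bits,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    ];

    $res = openssl_pkey_new($config);
    if ($res === false) {
        throw new RuntimeException("openssl_pkey_new failed: " . openssl_error_string());
    }

    // Check what OpenSSL actually produced: type and modulus size in bits.
    $details = openssl_pkey_get_details($res);
    if ($details === false
        || $details["type"] !== OPENSSL_KEYTYPE_RSA
        || $details["bits"] < MIN_RSA_BITS) {
        throw new RuntimeException(
            "generated key is not an RSA key of at least " . MIN_RSA_BITS . " bits"
        );
    }

    // Export the private key as PEM; the public key PEM is in $details["key"].
    if (!openssl_pkey_export($res, $privatePem)) {
        throw new RuntimeException("openssl_pkey_export failed: " . openssl_error_string());
    }

    return [
        "private" => $privatePem,
        "public"  => $details["key"],
        "bits"    => $details["bits"],
    ];
}

/**
 * Audit an existing PEM-encoded private key (for example one loaded from a
 * file or a secrets store) and report whether it meets the RSA minimum.
 */
function rsaKeyIsStrongEnough(string $privatePem): bool
{
    $key = openssl_pkey_get_private($privatePem);
    if ($key === false) {
        return false; // unparseable key is treated as failing the check
    }
    $details = openssl_pkey_get_details($key);
    return $details !== false
        && $details["type"] === OPENSSL_KEYTYPE_RSA
        && $details["bits"] >= MIN_RSA_BITS;
}

// Usage: a compliant request succeeds and passes the audit ...
$pair = generateRsaKeyPair(4096);
echo "generated RSA key of {$pair['bits']} bits\n";
echo "audit of generated key: " . (rsaKeyIsStrongEnough($pair["private"]) ? "ok" : "too weak") . "\n";

// ... while the noncompliant 1024-bit request is rejected before OpenSSL runs.
try {
    generateRsaKeyPair(1024);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Reading the size back with openssl_pkey_get_details() is the part worth keeping even if you drop the wrapper: it is the only check that reflects the key that exists, not the key that was asked for, and the same call lets rsaKeyIsStrongEnough() audit keys that were generated elsewhere.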

See