feat: PH2158: AvoidPkcsPaddingWithRsaEncryption security analyzer with CodeFixer (#908)

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bcollamore <57269455+bcollamore@users.noreply.github.com>
Co-authored-by: Collamore, Brian <brian.collamore@philips.com>

Author: Copilot

Documentation/Diagnostics/PH2158.md

@@ -0,0 +1,96 @@
+# PH2158: Avoid PKCS#1 v1.5 padding with RSA encryption
+
+| Property | Value  |
+|--|--|
+| Package | [Philips.CodeAnalysis.SecurityAnalyzers](https://www.nuget.org/packages/Philips.CodeAnalysis.SecurityAnalyzers) |
+| Diagnostic ID | PH2158 |
+| Category  | [Security](../Security.md) |
+| Analyzer | [AvoidPkcsPaddingWithRsaEncryptionAnalyzer](https://github.com/philips-software/roslyn-analyzers/blob/main/Philips.CodeAnalysis.SecurityAnalyzers/AvoidPkcsPaddingWithRsaEncryptionAnalyzer.cs)
+| CodeFix  | Yes |
+| Severity | Error |
+| Enabled By Default | No |
+
+## Introduction
+
+This rule identifies usage of PKCS#1 v1.5 padding with RSA encryption, which is vulnerable to padding oracle attacks.
+
+## Reason
+
+PKCS#1 v1.5 padding is susceptible to padding oracle attacks that can allow attackers to decrypt encrypted data or forge signatures. OAEP (Optimal Asymmetric Encryption Padding) provides significantly better security through a more robust padding scheme that includes randomness and cryptographic hashing.
+
+## How to fix violations
+
+Replace `RSAEncryptionPadding.Pkcs1` with `RSAEncryptionPadding.OaepSHA256` or other OAEP variants. The CodeFix provider will automatically suggest replacing `.Pkcs1` with `.OaepSHA256`.
+
+## Examples
+
+### Incorrect
+
+```csharp
+using System.Security.Cryptography;
+
+class Example
+{
+    void EncryptData(RSA rsa, byte[] data)
+    {
+        // This triggers PH2158 - PKCS#1 v1.5 padding is insecure
+        byte[] encrypted = rsa.Encrypt(data, RSAEncryptionPadding.Pkcs1);
+    }
+    
+    void DecryptData(RSA rsa, byte[] encryptedData)
+    {
+        // This also triggers PH2158
+        byte[] decrypted = rsa.Decrypt(encryptedData, RSAEncryptionPadding.Pkcs1);
+    }
+    
+    void AssignPadding()
+    {
+        // This also triggers PH2158
+        RSAEncryptionPadding padding = RSAEncryptionPadding.Pkcs1;
+    }
+}
+```
+
+### Correct
+
+```csharp
+using System.Security.Cryptography;
+
+class Example
+{
+    void EncryptData(RSA rsa, byte[] data)
+    {
+        // Use OAEP padding for better security
+        byte[] encrypted = rsa.Encrypt(data, RSAEncryptionPadding.OaepSHA256);
+    }
+    
+    void DecryptData(RSA rsa, byte[] encryptedData)
+    {
+        // Use OAEP padding for better security
+        byte[] decrypted = rsa.Decrypt(encryptedData, RSAEncryptionPadding.OaepSHA256);
+    }
+    
+    void AssignPadding()
+    {
+        // Use OAEP padding for better security
+        RSAEncryptionPadding padding = RSAEncryptionPadding.OaepSHA256;
+    }
+}
+```
+
+## Configuration
+
+This rule is disabled by default and must be explicitly enabled in your project configuration.
+
+## Suppression
+
+```csharp
+[SuppressMessage("Philips.CodeAnalysis.SecurityAnalyzers", "PH2158:Avoid PKCS#1 v1.5 padding with RSA encryption", Justification = "Reviewed.")]
+```
+
+## References
+
+- [OAEP Padding](https://en.wikipedia.org/wiki/Optimal_asymmetric_encryption_padding)
+- [Padding Oracle Attacks](https://en.wikipedia.org/wiki/Padding_oracle_attack)
+- [RSAEncryptionPadding Class](https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.rsaencryptionpadding)
+- [How much safer is RSA OAEP compared to RSA with PKCS1 v1.5 padding?](https://crypto.stackexchange.com/questions/47436/how-much-safer-is-rsa-oaep-compared-to-rsa-with-pkcs1-v1-5-padding)

Philips.CodeAnalysis.Common/DiagnosticId.cs

@@ -142,5 +142,6 @@ public enum DiagnosticId
 		AvoidTodoComments = 2151,
 		AvoidUnusedToString = 2153,
 		AvoidUnlicensedPackages = 2155,
+		AvoidPkcsPaddingWithRsaEncryption = 2158,
 	}
 }

Philips.CodeAnalysis.SecurityAnalyzers/AvoidPkcsPaddingWithRsaEncryptionAnalyzer.cs

@@ -0,0 +1,75 @@
+// © 2025 Koninklijke Philips N.V. See License.md in the project root for license information.
+
+using System.Collections.Immutable;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Philips.CodeAnalysis.Common;
+
+namespace Philips.CodeAnalysis.SecurityAnalyzers
+{
+	[DiagnosticAnalyzer(LanguageNames.CSharp)]
+	public class AvoidPkcsPaddingWithRsaEncryptionAnalyzer : DiagnosticAnalyzerBase
+	{
+		private const string Title = @"Avoid PKCS#1 v1.5 padding with RSA encryption";
+		public const string MessageFormat = @"RSA should use OAEP padding instead of PKCS#1 v1.5 padding for better security";
+		private const string Description = @"PKCS#1 v1.5 padding is vulnerable to padding oracle attacks. Use OAEP padding (RSAEncryptionPadding.OaepSHA1, RSAEncryptionPadding.OaepSHA256, etc.) instead for better security.";
+		private const string Category = Categories.Security;
+
+		public static readonly DiagnosticDescriptor Rule = new(
+			DiagnosticId.AvoidPkcsPaddingWithRsaEncryption.ToId(),
+			Title, MessageFormat, Category,
+			DiagnosticSeverity.Error, isEnabledByDefault: false, description: Description);
+
+		public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics => ImmutableArray.Create(Rule);
+
+		protected override void InitializeCompilation(CompilationStartAnalysisContext context)
+		{
+			context.RegisterSyntaxNodeAction(AnalyzeMemberAccess, SyntaxKind.SimpleMemberAccessExpression);
+		}
+
+		private void Analyze(SyntaxNodeAnalysisContext context)
+		{
+			if (Helper.ForTests.IsInTestClass(context))
+			{
+				return;
+			}
+
+			var memberAccess = (MemberAccessExpressionSyntax)context.Node;
+
+			// Check for RSAEncryptionPadding.Pkcs1
+			if (IsRsaEncryptionPaddingPkcs1(memberAccess))
+			{
+				Location location = memberAccess.GetLocation();
+				var diagnostic = Diagnostic.Create(Rule, location);
+				context.ReportDiagnostic(diagnostic);
+			}
+		}
+
+		private void AnalyzeMemberAccess(SyntaxNodeAnalysisContext context)
+		{
+			Analyze(context);
+		}
+
+		private bool IsRsaEncryptionPaddingPkcs1(MemberAccessExpressionSyntax memberAccess)
+		{
+			// Check if it's accessing Pkcs1 member
+			if (memberAccess.Name.Identifier.ValueText != "Pkcs1")
+			{
+				return false;
+			}
+
+			// Fast path: check for fully qualified usage
+			var expressionText = memberAccess.Expression.ToString();
+			if (expressionText == "System.Security.Cryptography.RSAEncryptionPadding")
+			{
+				return true;
+			}
+
+			// Use NamespaceResolver to check if the expression is RSAEncryptionPadding (for using statements)
+			NamespaceResolver namespaceResolver = Helper.ForNamespaces.GetUsingAliases(memberAccess);
+			return namespaceResolver.IsOfType(memberAccess, "System.Security.Cryptography", "RSAEncryptionPadding");
+		}
+	}
+}

Philips.CodeAnalysis.SecurityAnalyzers/AvoidPkcsPaddingWithRsaEncryptionCodeFixProvider.cs

@@ -0,0 +1,37 @@
+// © 2025 Koninklijke Philips N.V. See License.md in the project root for license information.
+
+using System.Collections.Immutable;
+using System.Composition;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CodeFixes;
+using Microsoft.CodeAnalysis.CSharp;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Microsoft.CodeAnalysis.Formatting;
+using Philips.CodeAnalysis.Common;
+
+namespace Philips.CodeAnalysis.SecurityAnalyzers
+{
+	[ExportCodeFixProvider(LanguageNames.CSharp, Name = nameof(AvoidPkcsPaddingWithRsaEncryptionCodeFixProvider)), Shared]
+	public class AvoidPkcsPaddingWithRsaEncryptionCodeFixProvider : SingleDiagnosticCodeFixProvider<MemberAccessExpressionSyntax>
+	{
+		protected override string Title => "Replace with OaepSHA256 padding";
+
+		protected override DiagnosticId DiagnosticId => DiagnosticId.AvoidPkcsPaddingWithRsaEncryption;
+
+		protected override async Task<Document> ApplyFix(Document document, MemberAccessExpressionSyntax node, ImmutableDictionary<string, string> properties, CancellationToken cancellationToken)
+		{
+			SyntaxNode rootNode = await document.GetSyntaxRootAsync(cancellationToken);
+
+			// Replace .Pkcs1 with .OaepSHA256
+			IdentifierNameSyntax newIdentifier = SyntaxFactory.IdentifierName("OaepSHA256");
+			MemberAccessExpressionSyntax newMemberAccess = node.WithName(newIdentifier);
+
+			SyntaxNode newNode = newMemberAccess.WithAdditionalAnnotations(Formatter.Annotation);
+			rootNode = rootNode.ReplaceNode(node, newNode);
+
+			return document.WithSyntaxRoot(rootNode);
+		}
+	}
+}

Philips.CodeAnalysis.Test/Security/AvoidPkcsPaddingWithRsaEncryptionAnalyzerTest.cs

@@ -0,0 +1,139 @@
+// © 2025 Koninklijke Philips N.V. See License.md in the project root for license information.
+
+using System.Collections.Immutable;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CodeFixes;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using Philips.CodeAnalysis.Common;
+using Philips.CodeAnalysis.SecurityAnalyzers;
+using Philips.CodeAnalysis.Test.Helpers;
+using Philips.CodeAnalysis.Test.Verifiers;
+
+namespace Philips.CodeAnalysis.Test.Security
+{
+	[TestClass]
+	public class AvoidPkcsPaddingWithRsaEncryptionAnalyzerTest : CodeFixVerifier
+	{
+		protected override DiagnosticAnalyzer GetDiagnosticAnalyzer()
+		{
+			return new AvoidPkcsPaddingWithRsaEncryptionAnalyzer();
+		}
+
+		protected override CodeFixProvider GetCodeFixProvider()
+		{
+			return new AvoidPkcsPaddingWithRsaEncryptionCodeFixProvider();
+		}
+
+		protected override ImmutableArray<MetadataReference> GetMetadataReferences()
+		{
+			var cryptographyReference = typeof(RSA).Assembly.Location;
+			MetadataReference reference = MetadataReference.CreateFromFile(cryptographyReference);
+
+			return base.GetMetadataReferences().Add(reference);
+		}
+
+		private string GetTemplate()
+		{
+			return @"
+using System;
+using System.Security.Cryptography;
+using System.Text;
+
+namespace AvoidPkcsPaddingWithRsaEncryptionTest
+{{
+	public class Foo 
+	{{
+		public void TestMethod()
+		{{
+			using RSA rsa = RSA.Create(2048);
+			string originalData = ""sensitive data"";
+			byte[] dataToEncrypt = Encoding.UTF8.GetBytes(originalData);
+			
+			{0}
+		}}
+	}}
+}}
+";
+		}
+
+		[DataTestMethod]
+		[DataRow(@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);")]
+		[DataRow(@"byte[] decrypted = rsa.Decrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);")]
+		[DataRow(@"RSAEncryptionPadding padding = RSAEncryptionPadding.Pkcs1;")]
+		[DataRow(@"var padding = RSAEncryptionPadding.Pkcs1;")]
+		[DataRow(@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, System.Security.Cryptography.RSAEncryptionPadding.Pkcs1);")]
+		[TestCategory(TestDefinitions.UnitTests)]
+		public async Task Pkcs1PaddingShouldTriggerDiagnosticAsync(string content)
+		{
+			var format = GetTemplate();
+			var testCode = string.Format(format, content);
+			await VerifyDiagnostic(testCode, DiagnosticId.AvoidPkcsPaddingWithRsaEncryption).ConfigureAwait(false);
+		}
+
+		[DataTestMethod]
+		[DataRow(@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA1);")]
+		[DataRow(@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA256);")]
+		[DataRow(@"byte[] decrypted = rsa.Decrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA256);")]
+		[DataRow(@"RSAEncryptionPadding padding = RSAEncryptionPadding.OaepSHA1;")]
+		[DataRow(@"var padding = RSAEncryptionPadding.OaepSHA256;")]
+		[DataRow(@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, System.Security.Cryptography.RSAEncryptionPadding.OaepSHA256);")]
+		[DataRow(@"// This is just a comment about Pkcs1")]
+		[DataRow(@"string text = ""This mentions Pkcs1 but is not crypto"";")]
+		[TestCategory(TestDefinitions.UnitTests)]
+		public async Task SecurePaddingShouldNotTriggerDiagnosticAsync(string content)
+		{
+			var format = GetTemplate();
+			var testCode = string.Format(format, content);
+			await VerifySuccessfulCompilation(testCode).ConfigureAwait(false);
+		}
+
+		[TestMethod]
+		[TestCategory(TestDefinitions.UnitTests)]
+		public async Task DoesNotTriggerDiagnosticInTestCodeAsync()
+		{
+			const string template = @"
+using System;
+using System.Security.Cryptography;
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+
+[TestClass]
+public class Foo
+{
+	[TestMethod]
+	public void Test()
+	{
+		using RSA rsa = RSA.Create(2048);
+		byte[] data = new byte[10];
+		byte[] encrypted = rsa.Encrypt(data, RSAEncryptionPadding.Pkcs1);
+	}
+}
+";
+			await VerifySuccessfulCompilation(template).ConfigureAwait(false);
+		}
+
+		[DataTestMethod]
+		[DataRow(
+			@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);",
+			@"byte[] encrypted = rsa.Encrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA256);")]
+		[DataRow(
+			@"byte[] decrypted = rsa.Decrypt(dataToEncrypt, RSAEncryptionPadding.Pkcs1);",
+			@"byte[] decrypted = rsa.Decrypt(dataToEncrypt, RSAEncryptionPadding.OaepSHA256);")]
+		[DataRow(
+			@"RSAEncryptionPadding padding = RSAEncryptionPadding.Pkcs1;",
+			@"RSAEncryptionPadding padding = RSAEncryptionPadding.OaepSHA256;")]
+		[DataRow(
+			@"var padding = RSAEncryptionPadding.Pkcs1;",
+			@"var padding = RSAEncryptionPadding.OaepSHA256;")]
+		[TestCategory(TestDefinitions.UnitTests)]
+		public async Task CodeFixShouldReplaceWithOaepSHA256Async(string originalCode, string expectedCode)
+		{
+			var originalSource = string.Format(GetTemplate(), originalCode);
+			var expectedSource = string.Format(GetTemplate(), expectedCode);
+
+			await VerifyFix(originalSource, expectedSource).ConfigureAwait(false);
+		}
+	}
+}