This repository has been archived by the owner on Sep 6, 2022. It is now read-only.

Raise minimum bits required for RSA key to 2048 #34

Merged
merged 4 commits into from
Aug 1, 2019
1 change: 1 addition & 0 deletions .travis.yml
Expand Up @@ -9,6 +9,7 @@ go:
env:
global:
- BUILD_DEPTYPE=gomod
- LIBP2P_ALLOW_WEAK_RSA_KEYS=1
matrix:
- GOTFLAGS="-race"
- GOTFLAGS="-race -tags=openssl"
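Review bot: Setting `LIBP2P_ALLOW_WEAK_RSA_KEYS=1` under `env: global:` applies it to every matrix job, so no CI run exercises the new 2048-bit default and a regression in the production floor would go unnoticed. At least one job should run without the variable and check that a sub-2048-bit request to `GenerateRSAKeyPair` returns `ErrRsaKeyTooSmall`. A comment next to the line, such as `# test-only: lowers the RSA minimum to 512 bits; never set this in a deployment`, would make the intent clear to anyone copying this config.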
23 changes: 19 additions & 4 deletions crypto/rsa_common.go
@@ -1,10 +1,25 @@
package crypto

import (
"errors"
"fmt"
"os"
)

// WeakRsaKeyEnv is an environment variable which, when set, lowers the
// minimum required bits of RSA keys to 512. This should be used exclusively in
// test situations.
const WeakRsaKeyEnv = "LIBP2P_ALLOW_WEAK_RSA_KEYS"

var MinRsaKeyBits = 2048

// ErrRsaKeyTooSmall is returned when trying to generate or parse an RSA key
// that's smaller than 512 bits. Keys need to be larger enough to sign a 256bit
// hash so this is a reasonable absolute minimum.
var ErrRsaKeyTooSmall = errors.New("rsa keys must be >= 512 bits to be useful")
// that's smaller than MinRsaKeyBits bits. In test
var ErrRsaKeyTooSmall error

func init() {
if _, ok := os.LookupEnv(WeakRsaKeyEnv); ok {
MinRsaKeyBits = 512
}

ErrRsaKeyTooSmall = fmt.Errorf("rsa keys must be >= %d bits to be useful", MinRsaKeyBits)
}
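Review bot: The `init()` check uses `os.LookupEnv` and looks only at presence, so `LIBP2P_ALLOW_WEAK_RSA_KEYS=0` or an empty value also drops the floor to 512 bits, silently and for the whole process, including the unmarshal checks in rsa_go.go that read `MinRsaKeyBits`. I would require an explicit opt-in value, e.g. `if os.Getenv(WeakRsaKeyEnv) == "1" {`, and print a warning when it takes effect so that a stray variable in a deployment environment is noticed. `MinRsaKeyBits` is also an exported mutable `var` with no doc comment; any importer can change it after `init()`, which leaves the number in the `ErrRsaKeyTooSmall` message stale. The new doc comment on `ErrRsaKeyTooSmall` ends mid-sentence at `In test` and should be completed.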
6 changes: 3 additions & 3 deletions crypto/rsa_go.go
Expand Up @@ -27,7 +27,7 @@ type RsaPublicKey struct {

// GenerateRSAKeyPair generates a new rsa private and public key
func GenerateRSAKeyPair(bits int, src io.Reader) (PrivKey, PubKey, error) {
if bits < 512 {
if bits < MinRsaKeyBits {
return nil, nil, ErrRsaKeyTooSmall
}
priv, err := rsa.GenerateKey(src, bits)
Expand Down Expand Up @@ -102,7 +102,7 @@ func UnmarshalRsaPrivateKey(b []byte) (PrivKey, error) {
if err != nil {
return nil, err
}
if sk.N.BitLen() < 512 {
if sk.N.BitLen() < MinRsaKeyBits {
return nil, ErrRsaKeyTooSmall
}
return &RsaPrivateKey{sk: *sk}, nil
Expand All @@ -118,7 +118,7 @@ func UnmarshalRsaPublicKey(b []byte) (PubKey, error) {
if !ok {
return nil, errors.New("not actually an rsa public key")
}
if pk.N.BitLen() < 512 {
if pk.N.BitLen() < MinRsaKeyBits {
return nil, ErrRsaKeyTooSmall
}
return &RsaPublicKey{*pk}, nil
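Review bot: The size checks in `UnmarshalRsaPrivateKey` and `UnmarshalRsaPublicKey` now enforce a higher lower bound but, as far as these hunks show, still accept a modulus of any larger size. If these functions parse keys supplied by untrusted peers, an oversized key makes every later verification with it expensive, so an upper bound belongs beside the new check, e.g. `if n := pk.N.BitLen(); n < MinRsaKeyBits || n > maxRsaKeyBits {`, where `maxRsaKeyBits` is a new constant with its own error value. Both function bodies start outside the hunks, so an existing limit earlier in them cannot be ruled out. The doc comment on `GenerateRSAKeyPair` could also state that it returns `ErrRsaKeyTooSmall` when `bits < MinRsaKeyBits`.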
2 changes: 1 addition & 1 deletion crypto/rsa_openssl.go
Expand Up @@ -21,7 +21,7 @@ type RsaPublicKey struct {

// GenerateRSAKeyPair generates a new rsa private and public key
func GenerateRSAKeyPair(bits int, _ io.Reader) (PrivKey, PubKey, error) {
if bits < 512 {
if bits < MinRsaKeyBits {
return nil, nil, ErrRsaKeyTooSmall
}
