security: refuse to create RSA keys longer than 16384 bits
RSA keys larger than this are too slow to be usable in practice,
and OpenSSL rejects them.
Change-Id: Ia121d7cd0b0cbf4185bd1a317d69644ea1baba69
diff --git a/ndn-cxx/security/key-params.cpp b/ndn-cxx/security/key-params.cpp
index 2b50519..817e780 100644
--- a/ndn-cxx/security/key-params.cpp
+++ b/ndn-cxx/security/key-params.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2022 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -43,6 +43,7 @@
namespace detail {
const uint32_t MIN_RSA_KEY_SIZE = 2048;
+const uint32_t MAX_RSA_KEY_SIZE = 16384;
const uint32_t DEFAULT_RSA_KEY_SIZE = 2048;
const uint32_t EC_KEY_SIZES[] = {224, 256, 384, 521};
const uint32_t DEFAULT_EC_KEY_SIZE = 256;
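Review bot: The new `MAX_RSA_KEY_SIZE` constant has no comment saying where 16384 comes from, so a later maintainer cannot tell whether it is a policy choice or a library limit. The commit message ties it to OpenSSL, and it presumably mirrors `OPENSSL_RSA_MAX_MODULUS_BITS`; recording that next to the constant keeps the two from drifting apart silently, e.g. `// Upper bound on RSA modulus size in bits; matches OpenSSL's limit (OPENSSL_RSA_MAX_MODULUS_BITS), larger keys are rejected there and are impractically slow.` The `detail` namespace starts and ends outside this hunk.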
@@ -53,7 +54,7 @@
uint32_t
RsaKeyParamsInfo::checkKeySize(uint32_t size)
{
- if (size < MIN_RSA_KEY_SIZE)
+ if (size < MIN_RSA_KEY_SIZE || size > MAX_RSA_KEY_SIZE)
NDN_THROW(KeyParams::Error("Unsupported RSA key size " + to_string(size)));
return size;
}
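Review bot: The exception raised in `RsaKeyParamsInfo::checkKeySize` still reports only the rejected value, so a caller that hits the new upper bound cannot tell from the message which sizes are accepted. Naming the range makes the failure actionable in logs: `NDN_THROW(KeyParams::Error("Unsupported RSA key size " + to_string(size) + " (allowed: " + to_string(MIN_RSA_KEY_SIZE) + "-" + to_string(MAX_RSA_KEY_SIZE) + " bits)"));`. Note also that this bound is enforced where key parameters are validated for creation; whether RSA keys that are loaded or imported through other paths get a comparable size check is not visible in this diff and is worth confirming.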
@@ -67,8 +68,8 @@
uint32_t
EcKeyParamsInfo::checkKeySize(uint32_t size)
{
- for (size_t i = 0; i < (sizeof(EC_KEY_SIZES) / sizeof(EC_KEY_SIZES[0])); i++) {
- if (EC_KEY_SIZES[i] == size)
+ for (auto s : EC_KEY_SIZES) {
+ if (s == size)
return size;
}
NDN_THROW(KeyParams::Error("Unsupported EC key size " + to_string(size)));
@@ -83,8 +84,8 @@
uint32_t
AesKeyParamsInfo::checkKeySize(uint32_t size)
{
- for (size_t i = 0; i < (sizeof(AES_KEY_SIZES) / sizeof(AES_KEY_SIZES[0])); i++) {
- if (AES_KEY_SIZES[i] == size)
+ for (auto s : AES_KEY_SIZES) {
+ if (s == size)
return size;
}
NDN_THROW(KeyParams::Error("Unsupported AES key size " + to_string(size)));
diff --git a/tests/unit/security/key-params.t.cpp b/tests/unit/security/key-params.t.cpp
index b2dafcd..f051b06 100644
--- a/tests/unit/security/key-params.t.cpp
+++ b/tests/unit/security/key-params.t.cpp
@@ -1,6 +1,6 @@
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
- * Copyright (c) 2013-2019 Regents of the University of California.
+ * Copyright (c) 2013-2022 Regents of the University of California.
*
* This file is part of ndn-cxx library (NDN C++ library with eXperimental eXtensions).
*
@@ -44,6 +44,9 @@
BOOST_CHECK_EQUAL(params2.getKeyIdType(), KeyIdType::SHA256);
BOOST_CHECK_THROW(RsaKeyParams(1024), KeyParams::Error);
+ BOOST_CHECK_THROW(RsaKeyParams(2000), KeyParams::Error);
+ BOOST_CHECK_THROW(RsaKeyParams(16500), KeyParams::Error);
+ BOOST_CHECK_THROW(RsaKeyParams(20480), KeyParams::Error);
name::Component keyId("keyId");
RsaKeyParams params4(keyId);
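Review bot: The added checks exercise values well outside the limits (2000, 16500, 20480) but not the boundaries themselves, so an off-by-one in the `size > MAX_RSA_KEY_SIZE` comparison (for example `>=`) would go unnoticed. Constructing `RsaKeyParams` only validates parameters, so the edge cases appear cheap to add: `BOOST_CHECK_NO_THROW(RsaKeyParams(16384));` and `BOOST_CHECK_THROW(RsaKeyParams(16385), KeyParams::Error);`, and likewise `BOOST_CHECK_THROW(RsaKeyParams(2047), KeyParams::Error);` for the lower bound. The enclosing test case starts and ends outside this hunk.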