Maximum modulus size #350
Comments
I think so. In an ideal world I would love to do sth like this key.verify::<MAX_KEY_SIZE>(&signature);with a default type parameter... but I guess that is a bit out |
|
That could probably be done as a const generic parameter with a default on e.g. |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
In #349 I suggested adopting some sort of ceiling on the size of integers that are acceptable for signatures, i.e. a maximum modulus size. This would prevent parsing some large amount of data that doesn't make sense as a signature to an extremely large integer.
While we do have checks that the signature does not exceed the modulus for a given public key in PKCS#1v15 and PSS now (I believe?), these checks aren't applied until signature verification time, whereas I think this sort of sanity limit would be better applied before we ever parse to a
BigUint.It could also form an upper bound on what we consider acceptable as an RSA private key, where we currently have no limit.
Perhaps 16384-bits would be acceptable? /cc @dignifiedquire
The text was updated successfully, but these errors were encountered: