RsaPublicKey::from_public_key_pem crashing when using more than 4096 bits #210

Closed
PaulDotSH opened this issue Oct 9, 2022 · 12 comments

PaulDotSH commented Oct 9, 2022

Generating a private key with more than 4096 bits using RsaPrivateKey::new and deriving a public key from it works fine. However, when trying to read the same key from a string using RsaPublicKey::from_public_key_pem, the lib panics if the key uses more than 4096 bits. It works fine with 4096 or less; jumping to 4097 makes it panic.

@tarcieri
Member

tarcieri commented Oct 9, 2022

What version are you using? Can you try 0.7.0-rc.1 if you haven’t already?

@PaulDotSH
Author

> What version are you using? Can you try 0.7.0-rc.1 if you haven’t already?

Sorry for not specifying. Yes, I'm using "0.7.0-rc.1".

@PaulDotSH
Author

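Here's some sample code that triggers this panic:

    use rand::rngs::OsRng;
    use rsa::pkcs8::{EncodePrivateKey, EncodePublicKey, LineEnding};
    use rsa::{RsaPrivateKey, RsaPublicKey};
    use std::{borrow::BorrowMut, fs};

    fn main() {
        let bits = 4097;
        // Generate the key pair and write both halves out as PEM.
        let private_key = RsaPrivateKey::new(OsRng.borrow_mut(), bits).expect("failed to generate a key");
        fs::write("privkey.txt", private_key.to_pkcs8_pem(LineEnding::LF).unwrap().as_str());
        let public_key = RsaPublicKey::from(&private_key);
        fs::write("pubkey.txt", public_key.to_public_key_pem(LineEnding::LF).unwrap());

        // Read the public key back; per the report, this string is the input
        // to RsaPublicKey::from_public_key_pem.
        let pub_key_str = fs::read_to_string("pubkey.txt").unwrap();
    }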

@lumag
Contributor

lumag commented Oct 9, 2022

Can not reproduce this with Rust 1.60, and RSA 0.6.1 or 0.7.0-rc.

@AppleSheeple

@PaulDotSH

Are you neither checking the result of your writes, nor flushing after them?

Did you check if the read content of pubkey.txt looks valid and complete?

@lumag
Contributor

lumag commented Oct 10, 2022

@AppleSheeple yes:

Public Key Information:
	Public Key Algorithm: RSA
	Algorithm Security Level: High (4097 bits)
		Modulus (bits 4097):
		Exponent (bits 24):
			01:00:01


@PaulDotSH
Author

> Can not reproduce this with Rust 1.60, and RSA 0.6.1 or 0.7.0-rc.

I used Rust 1.60 with the latest version of the crate on Windows 10 with the latest updates. Did you use this on GNU/Linux?

Also sorry for the late reply

@PaulDotSH
Author

> @PaulDotSH
>
> Are you neither checking the result of your writes, nor flushing after them?
>
> Did you check if the read content of pubkey.txt looks valid and complete?

I don't think fs::write needs flushing. The keys generated are fine; importing them seems to have problems.

@tarcieri
Member

tarcieri commented Oct 10, 2022

@PaulDotSH can you post the panic message and backtrace? You have multiple unwraps in your example. Are you sure it's not one of those?

Note we added a deliberate cap of 4096-bits to address #166 in #176. We could potentially raise that if there are legitimate use cases, but the higher we raise it the more it can enable an algorithmic DoS.

However, that case should surface as Result::Err, not a panic.

@PaulDotSH
Author

> @PaulDotSH can you post the panic message and backtrace? You have multiple unwraps in your example. Are you sure it's not one of those?
>
> Note we added a deliberate cap of 4096-bits to address #166 in #176. We could potentially raise that if there are legitimate use cases, but the higher we raise it the more it can enable an algorithmic DoS.
>
> However, that case should surface as Result::Err, not a panic.

Thanks! Not sure there is a use case; for my app I was going to let the user select any amount from 2048 to 8192.

@tarcieri
Member

tarcieri commented Oct 10, 2022

We just shipped rsa v0.7.0 which uses 4096-bits as the upper bound for PKCS#1/PKCS#8 keys.

We can potentially bikeshed that cap if you'd like to open an issue. However I would argue 4096-bits is commonly used as an upper bound as it's a point of diminishing returns after which the security margin is already quite large but performance drops off exponentially.

See the ISRG CPS v2.0 guidelines as an example of this from the X.509 ecosystem:

https://letsencrypt.org/documents/isrg-cps-v2.0/#dv-ssl-end-entity-certificate

> Subject Public Key
>
> RSA with modulus between 2048 and 4096, inclusive

Beyond that feels like a case of Too Much Crypto.

@tarcieri
Member

Going to close this as working as expected, however feel free to open a separate issue to discuss the size cap.
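
The size cap discussed in the comments above, as an added example that is not part of the thread and not the rsa crate's code: a std-only check that reads the modulus bit length from a DER SubjectPublicKeyInfo and returns an error, rather than panicking, when it falls outside 2048 to 4096 bits. `KeyError`, `tlv`, `check_key_size`, `sample_spki` and the 2048-bit floor are assumptions of this example; the sample keys are constructed filler, and PEM decoding is assumed to have happened already.

```rust
// MAX_BITS mirrors the thread's 4096-bit cap; MIN_BITS is this example's assumption.
const MIN_BITS: usize = 2048;
const MAX_BITS: usize = 4096;
#[derive(Debug, PartialEq)]
enum KeyError { Malformed, TooSmall(usize), TooLarge(usize) }

// Read one DER TLV with the expected tag; returns (value, remainder).
fn tlv(buf: &[u8], tag: u8) -> Result<(&[u8], &[u8]), KeyError> {
    let (mut len, mut rest) = match buf {
        [t, l, rest @ ..] if *t == tag => (*l as usize, rest),
        _ => return Err(KeyError::Malformed),
    };
    if len & 0x80 != 0 {
        let n = len & 0x7f; // long form: n length octets follow (at most 2 accepted)
        if n == 0 || n > 2 || rest.len() < n { return Err(KeyError::Malformed); }
        len = rest[..n].iter().fold(0usize, |a, &b| (a << 8) | b as usize);
        rest = &rest[n..];
    }
    if rest.len() < len { return Err(KeyError::Malformed); }
    Ok(rest.split_at(len))
}

// Size gate on the DER framing alone: no big-integer work happens on an oversized key.
fn check_key_size(spki: &[u8]) -> Result<usize, KeyError> {
    let (body, _) = tlv(spki, 0x30)?;    // SubjectPublicKeyInfo
    let (_alg, rest) = tlv(body, 0x30)?; // AlgorithmIdentifier (skipped, not validated)
    let (bit_str, _) = tlv(rest, 0x03)?; // BIT STRING, first octet = unused bits
    let (rsa, _) = tlv(bit_str.get(1..).ok_or(KeyError::Malformed)?, 0x30)?;
    let (n, _) = tlv(rsa, 0x02)?;        // INTEGER modulus
    let n = match n { [0, tail @ ..] => tail, _ => n }; // drop the sign-padding octet
    let bits = n.len() * 8 - n.first().ok_or(KeyError::Malformed)?.leading_zeros() as usize;
    if bits < MIN_BITS { return Err(KeyError::TooSmall(bits)); }
    if bits > MAX_BITS { return Err(KeyError::TooLarge(bits)); }
    Ok(bits)
}

// Constructed input: valid SPKI framing around a filler modulus (not a real key).
fn sample_spki(bits: usize) -> Vec<u8> {
    let wrap = |tag: u8, body: Vec<u8>| [vec![tag, 0x82, (body.len() >> 8) as u8, body.len() as u8], body].concat();
    let mut n = vec![0xffu8; (bits + 7) / 8];
    n[0] >>= (8 - bits % 8) % 8;
    if n[0] & 0x80 != 0 { n.insert(0, 0); }
    let rsa = wrap(0x30, [wrap(0x02, n), vec![2, 3, 1, 0, 1]].concat());
    let alg = vec![0x30u8, 0x0d, 6, 9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 1, 1, 1, 5, 0];
    wrap(0x30, [alg, wrap(0x03, [vec![0], rsa].concat())].concat())
}

fn main() {
    for b in [2048, 4096, 4097] { println!("{}: {:?}", b, check_key_size(&sample_spki(b))); }
}
```

Matching on the returned `Result` lets an application report an out-of-policy key size to the user instead of aborting on an `unwrap`.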
