Merge pull request #34 from libp2p/bug/weak-rsa-keys

Raise minimum bits required for RSA key to 2048
libp2p · Aug 1, 2019 · 8dda665 · 8dda665
2 parents 8dbcc5a + b07ce71
commit 8dda665
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 8 deletions.
diff --git a/core/crypto/rsa_common.go b/core/crypto/rsa_common.go
@@ -1,10 +1,25 @@
 package crypto
 
 import (
-	"errors"
+	"fmt"
+	"os"
 )
 
+// WeakRsaKeyEnv is an environment variable which, when set, lowers the
+// minimum required bits of RSA keys to 512. This should be used exclusively in
+// test situations.
+const WeakRsaKeyEnv = "LIBP2P_ALLOW_WEAK_RSA_KEYS"
+
+var MinRsaKeyBits = 2048
+
 // ErrRsaKeyTooSmall is returned when trying to generate or parse an RSA key
-// that's smaller than 512 bits. Keys need to be larger enough to sign a 256bit
-// hash so this is a reasonable absolute minimum.
-var ErrRsaKeyTooSmall = errors.New("rsa keys must be >= 512 bits to be useful")
+// that's smaller than MinRsaKeyBits bits. In test
+var ErrRsaKeyTooSmall error
+
+func init() {
+	if _, ok := os.LookupEnv(WeakRsaKeyEnv); ok {
+		MinRsaKeyBits = 512
+	}
+
+	ErrRsaKeyTooSmall = fmt.Errorf("rsa keys must be >= %d bits to be useful", MinRsaKeyBits)
+}
diff --git a/core/crypto/rsa_go.go b/core/crypto/rsa_go.go
@@ -27,7 +27,7 @@ type RsaPublicKey struct {
 
 // GenerateRSAKeyPair generates a new rsa private and public key
 func GenerateRSAKeyPair(bits int, src io.Reader) (PrivKey, PubKey, error) {
-	if bits < 512 {
+	if bits < MinRsaKeyBits {
 		return nil, nil, ErrRsaKeyTooSmall
 	}
 	priv, err := rsa.GenerateKey(src, bits)
@@ -102,7 +102,7 @@ func UnmarshalRsaPrivateKey(b []byte) (PrivKey, error) {
 	if err != nil {
 		return nil, err
 	}
-	if sk.N.BitLen() < 512 {
+	if sk.N.BitLen() < MinRsaKeyBits {
 		return nil, ErrRsaKeyTooSmall
 	}
 	return &RsaPrivateKey{sk: *sk}, nil
@@ -118,7 +118,7 @@ func UnmarshalRsaPublicKey(b []byte) (PubKey, error) {
 	if !ok {
 		return nil, errors.New("not actually an rsa public key")
 	}
-	if pk.N.BitLen() < 512 {
+	if pk.N.BitLen() < MinRsaKeyBits {
 		return nil, ErrRsaKeyTooSmall
 	}
 	return &RsaPublicKey{*pk}, nil

diff --git a/core/crypto/rsa_openssl.go b/core/crypto/rsa_openssl.go
@@ -21,7 +21,7 @@ type RsaPublicKey struct {
 
 // GenerateRSAKeyPair generates a new rsa private and public key
 func GenerateRSAKeyPair(bits int, _ io.Reader) (PrivKey, PubKey, error) {
-	if bits < 512 {
+	if bits < MinRsaKeyBits {
 		return nil, nil, ErrRsaKeyTooSmall
 	}