Limit pubkey size in challenge request #48

timweri · 2024-01-19T07:21:57Z

Limit the length of the public key string in the Challenge request to mitigate DoS risk.

Testing done on local DB:

Happy path of challenge request works. Was able to get challenge and register a FIDO key.
Modified Rustica CLI to send a long public key in the Challenge request. Without the pubkey size limit, I was able to fetch a challenge. With the pubkey size limit, the assert works:

[2024-01-19T07:15:32Z WARN  rustica::logging::stdout] The pubkey size is too large (543 chars) for a challenge request from [obelisk]

timweri · 2024-01-19T07:29:26Z

@obelisk 512 chars might be too generous. Thoughts on 256?

ssh-certs requests ED25519 keys from the Yubikey, which is always 127 chars. Not sure if there's any case where there would be comment in the pubkey.

Rustica is tightly coupled with ssh-certs and ssh-certs always asks for ED25519 keys that are always 127 chars, we can even clamp it to < 128 chars.

timweri force-pushed the limit-challenge-req-size branch from 3a2b59c to f64045e Compare January 19, 2024 07:22

timweri requested a review from obelisk January 19, 2024 07:22

timweri force-pushed the limit-challenge-req-size branch from f64045e to 1069f86 Compare January 19, 2024 07:30

Limit pubkey size in challenge request

ed03cbc

timweri force-pushed the limit-challenge-req-size branch from 1069f86 to ed03cbc Compare January 19, 2024 18:34

obelisk approved these changes Jan 19, 2024

View reviewed changes

obelisk merged commit 630f638 into hacking_on_mozilla Jan 19, 2024

timweri deleted the limit-challenge-req-size branch March 2, 2024 01:29

Provide feedback