Don't generate RSA keys <1024 bits (#10278)

alex · web-flow · commit 83dcbc190165 · 2024-01-28T19:39:47.000Z
* Don't generate RSA keys &lt;1024 bits

* Update CHANGELOG.rst
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -8,6 +8,11 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
+  now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still
+  considered insecure, users should generally use a key size of 2048-bits.
+
+
 .. _v42-0-1:
 
 42.0.1 - 2024-01-24
diff --git a/src/cryptography/hazmat/primitives/asymmetric/rsa.py b/src/cryptography/hazmat/primitives/asymmetric/rsa.py
@@ -150,8 +150,8 @@ def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None:
             "65537. Almost everyone should choose 65537 here!"
         )
 
-    if key_size < 512:
-        raise ValueError("key_size must be at least 512-bits.")
+    if key_size < 1024:
+        raise ValueError("key_size must be at least 1024-bits.")
 
 
 def _modinv(e: int, m: int) -> int:

Original file line number	Diff line number	Diff line change
`@@ -150,8 +150,8 @@ def _verify_rsa_parameters(public_exponent: int, key_size: int) -> None:`
`150`	`150`	`"65537. Almost everyone should choose 65537 here!"`
`151`	`151`	`)`
`152`	`152`
`153`		`- if key_size < 512:`
`154`		`- raise ValueError("key_size must be at least 512-bits.")`
	`153`	`+ if key_size < 1024:`
	`154`	`+ raise ValueError("key_size must be at least 1024-bits.")`
`155`	`155`
`156`	`156`
`157`	`157`	`def _modinv(e: int, m: int) -> int:`