Avoid handshake failure with small RSA keys #394
Merged
1024-bit is a small RSA size, but this is often the default value when generating with some tools.

As reported in #365, enabling RSA-PSS signatures has a side effect and prevents using keys which were accepted before.

This PR extends the selection of hash algorithm to avoid the fatal failure with SHA-512, and picks SHA-384 (or lower) instead.

The data type `DigitalSignatureAlg` is removed; instead `signatureCompatible` and calling functions use `PubKey`. When deciding about signature schemes, the full content of the public key is available, so the size of the modulus can be checked.

`PubKey` allows more key types than `DigitalSignatureAlg`, so to prevent an invalid input to a function like `signatureParams`, the existing decoding to `DigitalSignatureAlg` that previously rejected bad inputs is not removed but adapted. The only exception to this rule is when transforming `getLocalDigitalSignatureAlg` to `getLocalPublicKey`. The code path ensures that the key pair stored in `hksLocalPublicPrivateKeys` is a combination already validated by `isDigitalSignaturePair`, so there is no need to verify again.

The consistency check between remote public-key type and selected signature scheme that was missing for TLS 1.3 is added to `checkCertVerify`.
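The size constraint behind this PR, as an added example in Python (not the project's own Haskell code): RSA-PSS needs `emLen >= hLen + sLen + 2` bytes (RFC 8017 section 9.1.1) with `emLen = ceil((modBits - 1) / 8)`, and TLS 1.3 fixes the salt length to the hash length, so SHA-512 cannot fit in a 1024-bit modulus while SHA-384 can. The scheme preference list, the helper names and the stand-in modulus are constructed for the example.

```python
import hashlib
from typing import Optional

# TLS 1.3 RSA-PSS SignatureScheme names for rsaEncryption keys (RFC 8446 section 4.2.3),
# strongest hash first; this preference order is constructed for the example.
PSS_SCHEMES = (
    ("rsa_pss_rsae_sha512", "sha512"),
    ("rsa_pss_rsae_sha384", "sha384"),
    ("rsa_pss_rsae_sha256", "sha256"),
)

def pss_min_modulus_bits(hash_name: str, salt_len: Optional[int] = None) -> int:
    """Smallest RSA modulus size (bits) that can carry an RSA-PSS signature with this hash.

    RFC 8017 section 9.1.1 requires emLen >= hLen + sLen + 2 bytes, where
    emLen = ceil((modBits - 1) / 8). TLS 1.3 uses a salt length equal to hLen.
    """
    h_len = hashlib.new(hash_name).digest_size
    s_len = h_len if salt_len is None else salt_len
    em_len = h_len + s_len + 2
    # Smallest modBits satisfying ceil((modBits - 1) / 8) >= em_len.
    return 8 * (em_len - 1) + 2

def pss_fits(modulus_bits: int, hash_name: str) -> bool:
    """True when a key of this size can sign or verify RSA-PSS with this hash."""
    return modulus_bits >= pss_min_modulus_bits(hash_name)

def select_pss_scheme(modulus_bits: int) -> Optional[str]:
    """Walk the preference list and return the first scheme whose PSS encoding fits
    the modulus; None means even SHA-256 does not fit and the key is unusable for PSS."""
    for scheme, hash_name in PSS_SCHEMES:
        if pss_fits(modulus_bits, hash_name):
            return scheme
    return None

def select_pss_scheme_for_modulus(n: int) -> Optional[str]:
    """Same decision taken from the public key itself: the size is read from the modulus n."""
    return select_pss_scheme(n.bit_length())

# Constructed stand-in for a 1024-bit modulus (not a real key); only its bit length matters here.
CONSTRUCTED_1024_BIT_N = (1 << 1023) | 1

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, "->", select_pss_scheme(bits))
```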