Check key size is at least 1024 bits

emersion · Mar 11, 2019 · 1eaa896 · 1eaa896
1 parent ab81aa5
commit 1eaa896
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/query.go b/query.go
@@ -5,6 +5,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/base64"
+	"fmt"
 	"net"
 	"strings"
 )
@@ -88,6 +89,11 @@ func parsePublicKey(s string) (*queryResult, error) {
 		if !ok {
 			return nil, permFailError("key syntax error: not an RSA public key")
 		}
+		// RFC 8301 section 3.2: verifiers MUST NOT consider signatures using
+		// RSA keys of less than 1024 bits as valid signatures.
+		if rsaPub.Size() * 8 < 1024 {
+			return nil, permFailError(fmt.Sprintf("key is too short: want 1024 bits, has %v bits", rsaPub.Size() * 8))
+		}
 		res.Verifier = &rsaVerifier{rsaPub}
 		res.KeyAlgo = "rsa"
 	default: