Maximum modulus size
tarcieri opened this issue · 2 comments
In #349 I suggested adopting some sort of ceiling on the size of integers that are acceptable for signatures, i.e. a maximum modulus size. This would prevent parsing some large amount of data that doesn't make sense as a signature to an extremely large integer.
While we do have checks that the signature does not exceed the modulus for a given public key in PKCS#1v15 and PSS now (I believe?), these checks aren't applied until signature verification time, whereas I think this sort of sanity limit would be better applied before we ever parse to a BigUint
.
It could also form an upper bound on what we consider acceptable as an RSA private key, where we currently have no limit.
Perhaps 16384-bits would be acceptable? /cc @dignifiedquire
Perhaps 16384-bits would be acceptable?
I think so.
In an ideal world I would love to do sth like this
key.verify::<MAX_KEY_SIZE>(&signature);
with a default type parameter... but I guess that is a bit out
That could probably be done as a const generic parameter with a default on e.g. RsaPublicKey
/RsaPrivateKey