Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/rsa: better error message for RSA keys too short for PSS #23736

Closed
FiloSottile opened this issue Feb 7, 2018 · 4 comments
Closed

crypto/rsa: better error message for RSA keys too short for PSS #23736

FiloSottile opened this issue Feb 7, 2018 · 4 comments

Comments

@FiloSottile
Copy link
Contributor

If an RSA key is too short for PSS, signing fails with an unhelpful crypto/rsa: encoding error.

We should return a message pointing to the minimum key length.

@Lekensteyn
Copy link
Contributor

Spec for RSASSA-PSS signature generation is here:
https://tools.ietf.org/html/rfc8017#section-8.1.1

"encoding error" is technically the correct output from this function because emLen is roughly the (small) modulus size, which could be smaller than the hash output (and some other data) in step 3 of
https://tools.ietf.org/html/rfc8017#section-9.1.1

Do you think that the error message should be changed to "RSA modulus size too small for PSS signature"? (I did not look at the source code.)

@FiloSottile
Copy link
Contributor Author

FiloSottile commented Feb 7, 2018

Yes, there is no secret leakage (and we should put the check somewhere with no secret access anyway), so it would be better to tell the user how they can fix the issue. It took me a while to realize I was using 512-bit certificates in tests.

@FiloSottile
Copy link
Contributor Author

FiloSottile commented Feb 8, 2018

@agl While looking at this code I noticed that the salt length can end up being zero when using PSSSaltLengthAuto with a key length of hash.Size() + 2.

RFC 8017 calls that out as a valid salt length, with security equivalent to a Full Domain Hashing scheme, however our API does not normally allow a zero-length salt (as PSSSaltLengthAuto is 0) and zero-length salt makes PSS deterministic, which might be unexpected.

Do we want to make that an error condition?

@gopherbot
Copy link

Change https://golang.org/cl/92815 mentions this issue: crypto/rsa: improve error message for keys too short for PSS

@golang golang locked and limited conversation to collaborators Feb 14, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants