chore(RSA): limit RSA Key Gen to 4096 bits (#606)

aws · Oct 7, 2022 · 2e35d92 · 2e35d92
1 parent fd2516f
commit 2e35d92
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs b/aws-encryption-sdk-net/Source/Extern/RSAEncryption.cs
@@ -121,6 +121,10 @@ public static byte[] GetPublicKeyFromPrivateKeyPemString(string pem)
         }
 
         public static void GenerateKeyPairBytes(int strength, out byte[] publicKeyBytes, out byte[] privateKeyBytes) {
+            if (strength > 4096)
+            {
+                throw new ArgumentException("AWS Crypto will not generate an RSA Key greater than 4096.");
+            }
             RsaKeyPairGenerator keygen = new RsaKeyPairGenerator();
             SecureRandom secureRandom = new SecureRandom();
             keygen.Init(new RsaKeyGenerationParameters(

diff --git a/src/Crypto/RSAEncryption.dfy b/src/Crypto/RSAEncryption.dfy
@@ -64,7 +64,8 @@ module {:extern "RSAEncryption"} RSAEncryption {
   }
 
   method GenerateKeyPair(strength: StrengthBits)
-      returns (publicKey: PublicKey, privateKey: PrivateKey)
+    returns (publicKey: PublicKey, privateKey: PrivateKey)
+    requires strength <= 4096
     ensures privateKey.Valid()
     ensures publicKey.Valid()
   {

diff --git a/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy b/test/AwsCryptographicMaterialProviders/Keyrings/TestRawRSAKeyring.dfy
@@ -258,6 +258,7 @@ module TestRawRSAKeying {
     )
     requires |namespace| < UINT16_LIMIT
     requires |name| < UINT16_LIMIT
+    requires keyStrength <= 4096
   {
     publicKey, privateKey := RSAEncryption.GenerateKeyPair(
       keyStrength