chore(RSA): limit RSA Key Gen to 4096 bits #606

Merged
merged 2 commits into from
Oct 7, 2022

@texastony texastony commented Oct 7, 2022

Issue #, if available: N/A

Description of changes:

  • Limit RSA Key Generation input to 4096 bits

This does NOT impact the public behavior of the ESDK in any way.

The RSA Key Generator is ONLY used for testing.

4096 is the largest RSA Key size KMS supports.

Squash/merge commit message, if applicable: chore(RSA): limit RSA Key Gen to 4096 bits

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Due to dafny-lang/dafny#2500, Traits are dangerous:

  1. Does this PR add any traits or classes that extend a trait?
  2. Are these traits annotated with {:termination false}?

The override checks on the specifications on a class' functions/methods/etc. validating that specifications are at least as strong as those on the traits it implements are not working correctly when that trait is defined in a different module (and hence must have {:termination false} on it).

As such, if either (1.) or (2.) is true:

  • manually verified all the trait specifications are copied onto classes that extend them?

@texastony texastony requested a review from a team as a code owner October 7, 2022 05:55
ajewellamz previously approved these changes Oct 7, 2022

@robin-aws robin-aws left a comment


The fact that CI accepted this without any failures is a big problem.

@robin-aws

Thinking more deeply beyond the initial reaction (just wanted to block the PR in case): is this all we need to do because all callers of the method already satisfy this precondition? I was worried about this being indirectly callable from outside Dafny.

@texastony

In response to @robin-aws's concerns, I am putting this into Draft.

@texastony texastony marked this pull request as draft October 7, 2022 15:52
@texastony

texastony commented Oct 7, 2022

4096 is the KMS Max, so we are going to refactor to that.
RSA is substantially slower at any key size greater than this.

@texastony texastony marked this pull request as ready for review October 7, 2022 18:57
@texastony texastony changed the title chore(RSA): limit RSA Key Gen to 15360 bits chore(RSA): limit RSA Key Gen to 4096 bits Oct 7, 2022
@robin-aws

Concerns put to rest - I managed to miss the fact that this exists in src but is only called from test code.

@texastony texastony merged commit 2e35d92 into aws:mainline Oct 7, 2022
@texastony texastony deleted the fix-limit-rsa-key-gen branch October 7, 2022 19:50