Raise minimum bits required for RSA key to 2048

2025-04-28 17:10:14 +08:00 · 2019-07-10 17:54:14 -04:00 · 2019-07-10 17:54:14 -04:00 · f10115e58f
commit f10115e58f
parent 2835a4015f
5 changed files with 13 additions and 11 deletions
--- a/crypto/key_test.go
+++ b/crypto/key_test.go
@ -17,7 +17,7 @@ func TestKeys(t *testing.T) {
 }

 func testKeyType(typ int, t *testing.T) {
-	sk, pk, err := test.RandTestKeyPair(typ, 512)
+	sk, pk, err := test.RandTestKeyPair(typ, 2048)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -114,7 +114,7 @@ func testKeyEquals(t *testing.T, k Key) {
 		t.Fatal("Key not equal to key with same bytes.")
 	}

-	sk, pk, err := test.RandTestKeyPair(RSA, 512)
+	sk, pk, err := test.RandTestKeyPair(RSA, 2048)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/crypto/rsa_common.go
+++ b/crypto/rsa_common.go
@ -1,10 +1,12 @@
 package crypto

 import (
-	"errors"
+	"fmt"
 )

+const MinRsaKeyBits = 2048
+
 // ErrRsaKeyTooSmall is returned when trying to generate or parse an RSA key
 // that's smaller than 512 bits. Keys need to be larger enough to sign a 256bit
 // hash so this is a reasonable absolute minimum.
-var ErrRsaKeyTooSmall = errors.New("rsa keys must be >= 512 bits to be useful")
+var ErrRsaKeyTooSmall = fmt.Errorf("rsa keys must be >= %d bits to be useful", MinRsaKeyBits)
--- a/crypto/rsa_go.go
+++ b/crypto/rsa_go.go
@ -27,7 +27,7 @@ type RsaPublicKey struct {

 // GenerateRSAKeyPair generates a new rsa private and public key
 func GenerateRSAKeyPair(bits int, src io.Reader) (PrivKey, PubKey, error) {
-	if bits < 512 {
+	if bits < MinRsaKeyBits {
 		return nil, nil, ErrRsaKeyTooSmall
 	}
 	priv, err := rsa.GenerateKey(src, bits)
@ -102,7 +102,7 @@ func UnmarshalRsaPrivateKey(b []byte) (PrivKey, error) {
 	if err != nil {
 		return nil, err
 	}
-	if sk.N.BitLen() < 512 {
+	if sk.N.BitLen() < MinRsaKeyBits {
 		return nil, ErrRsaKeyTooSmall
 	}
 	return &RsaPrivateKey{sk: *sk}, nil
@ -118,7 +118,7 @@ func UnmarshalRsaPublicKey(b []byte) (PubKey, error) {
 	if !ok {
 		return nil, errors.New("not actually an rsa public key")
 	}
-	if pk.N.BitLen() < 512 {
+	if pk.N.BitLen() < MinRsaKeyBits {
 		return nil, ErrRsaKeyTooSmall
 	}
 	return &RsaPublicKey{*pk}, nil
--- a/crypto/rsa_openssl.go
+++ b/crypto/rsa_openssl.go
@ -21,7 +21,7 @@ type RsaPublicKey struct {

 // GenerateRSAKeyPair generates a new rsa private and public key
 func GenerateRSAKeyPair(bits int, _ io.Reader) (PrivKey, PubKey, error) {
-	if bits < 512 {
+	if bits < MinRsaKeyBits {
 		return nil, nil, ErrRsaKeyTooSmall
 	}

--- a/crypto/rsa_test.go
+++ b/crypto/rsa_test.go
@ -6,7 +6,7 @@ import (
 )

 func TestRSABasicSignAndVerify(t *testing.T) {
-	priv, pub, err := GenerateRSAKeyPair(512, rand.Reader)
+	priv, pub, err := GenerateRSAKeyPair(2048, rand.Reader)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -47,7 +47,7 @@ func TestRSASmallKey(t *testing.T) {
 }

 func TestRSASignZero(t *testing.T) {
-	priv, pub, err := GenerateRSAKeyPair(512, rand.Reader)
+	priv, pub, err := GenerateRSAKeyPair(2048, rand.Reader)
 	if err != nil {
 		t.Fatal(err)
 	}
@ -68,7 +68,7 @@ func TestRSASignZero(t *testing.T) {
 }

 func TestRSAMarshalLoop(t *testing.T) {
-	priv, pub, err := GenerateRSAKeyPair(512, rand.Reader)
+	priv, pub, err := GenerateRSAKeyPair(2048, rand.Reader)
 	if err != nil {
 		t.Fatal(err)
 	}