nisse@lysator.liu.se (Niels Möller) writes:
I think it should be easy and reasonable to add code to rsa_public_key_prepare and rsa_private_key_prepare to check that the modulo is odd. What do you think? It's reasonable to have those functions do enough key validation to be able to handle the key without crashing.
Done now (or rather, added to the shared helper function _rsa_check_size).
Attached is a certificate + key where I manually changed the modulus to be even (P.S.: This tool [2] fis very useful for such cases). The certificate is therefore obviously bogus, but that doesn't matter in our case.
Any other easy checks for bogus keys that should be added? I would expect that code parsing key formats, e.g., asn.1, would check sign and range of parameters and catch bogus values early (e.g., the code in nettle's der2rsa.c does that). It's possible to add additional sanity checks to the _key_prepare functions, if desired. It's not entirely obvious where that responsibility should be placed.
Regards, /Niels