Hanno Böck hanno@hboeck.de writes:
You're only checking n (for both private and public keys), I could probably still craft a private key that crashes by choosing one of p or q to be even.
Nettle's private key struct doesn't include n, it's computed as the product of p and q. So if either is even, n will be even too.
Depends on how far you want to go. Easy checks:
- d, e must not be 0, 1, 2
For public keys, with this fix, _prepare_key checks that n is odd and that |n| isn't too small. I'm considering adding the checks that n > 0, and 1 < e < n. In addition, the application ought to check that n isn't unreasonably large, to avoid denial of service, but I don't think that limit belongs in nettle.
For private keys, with the fix the same checks are applied to p * q. One could also check p > 0, q > 0, and that CRT parameters are in the expected range, 0 < a < p - 1, 0 < b < q - 1, 0 < c < p.
Yeah, I've been thinking a bit about it yesterday, I could still see problems with this approach.
I guess part of the problem is that key format standards, like pkcs#1, define valid ranges for parameters. But when using Nettle's rsa_public_key_prepare, the input isn't a key blob defined by some particular standard, but a couple of (big) integers.
Not sure if gnutls uses rsa_public_key_prepare directly, or via rsa_keypair_from_der.
I ended up wishing that there'd be a defined standard set of key sanity checks shared among implementations... but I'm probably just dreaming here...
Valid ranges are defined by key format standards (fine details might differ, I imagine, e.g., one may or may not require that p > q), but there are no standards for deeper sanity checks, as far as I'm aware.
Regards, /Niels