Skip to content

Validate key size in generate_key() before OpenSSL calls #178

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
toddr merged 1 commit into from
Apr 23, 2026
Merged

Validate key size in generate_key() before OpenSSL calls #178

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions RSA.xs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -813,6 +813,8 @@ generate_key(proto, bitsSV, exponent = 65537)
int error = 0;
#endif
CODE:
if (SvIV(bitsSV) < 512)
croak("RSA key size must be at least 512 bits (got %"IVdf")", SvIV(bitsSV));
if (exponent < 3 || (exponent % 2) == 0)
croak("RSA exponent must be odd and >= 3 (got %lu)", exponent);
e = BN_new();
Expand Down
20 changes: 19 additions & 1 deletion t/keygen.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ my $HAS_BIGNUM = eval { require Crypt::OpenSSL::Bignum; 1 } ? 1 : 0;
my $BITS = 2048;
my $BYTES = $BITS / 8;

plan tests => 24;
plan tests => 29;

# --- Default exponent (65537) explicitly passed ---
{
Expand Down Expand Up @@ -161,3 +161,21 @@ plan tests => 24;
ok(!$result, "SHA256 signature fails under SHA1 mode");
}
}

# --- Key size validation ---
{
eval { Crypt::OpenSSL::RSA->generate_key(-1) };
like($@, qr/at least 512 bits/, "generate_key croaks on negative key size");

eval { Crypt::OpenSSL::RSA->generate_key(0) };
like($@, qr/at least 512 bits/, "generate_key croaks on zero key size");

eval { Crypt::OpenSSL::RSA->generate_key(256) };
like($@, qr/at least 512 bits/, "generate_key croaks on 256-bit key size");

eval { Crypt::OpenSSL::RSA->generate_key(511) };
like($@, qr/at least 512 bits/, "generate_key croaks on 511-bit key size");

my $rsa = eval { Crypt::OpenSSL::RSA->generate_key(512) };
ok($rsa && !$@, "generate_key accepts 512-bit key size (minimum)");
}
Loading