Check key size

yim-lee · yim-lee · commit ecaec8a1441c · 2021-02-09T18:07:53.000-08:00
diff --git a/Sources/PackageCollectionsSigning/Key/Key+RSA.swift b/Sources/PackageCollectionsSigning/Key/Key+RSA.swift
@@ -43,6 +43,10 @@ typealias RSAPrivateKey = BoringSSLRSAPrivateKey
 struct CoreRSAPrivateKey: PrivateKey {
     let underlying: SecKey
 
+    var sizeInBits: Int {
+        toBits(bytes: SecKeyGetBlockSize(self.underlying))
+    }
+
     init<Data>(pem data: Data) throws where Data: DataProtocol {
         let pemString = String(decoding: data, as: UTF8.self)
         let pemDocument = try ASN1.PEMDocument(pemString: pemString)
@@ -67,6 +71,10 @@ struct CoreRSAPrivateKey: PrivateKey {
 struct CoreRSAPublicKey: PublicKey {
     let underlying: SecKey
 
+    var sizeInBits: Int {
+        toBits(bytes: SecKeyGetBlockSize(self.underlying))
+    }
+
     /// `data` should be in PKCS #1 format
     init(data: Data) throws {
         let options: [String: Any] = [
@@ -104,6 +112,10 @@ final class BoringSSLRSAPrivateKey: PrivateKey, BoringSSLKey {
         CCryptoBoringSSL_RSA_free(self.underlying)
     }
 
+    var sizeInBits: Int {
+        toBits(bytes: Int(CCryptoBoringSSL_RSA_size(self.underlying)))
+    }
+
     init<Data>(pem data: Data) throws where Data: DataProtocol {
         let key = try Self.load(pem: data) { bio in
             CCryptoBoringSSL_PEM_read_bio_PrivateKey(bio, nil, nil, nil)
@@ -126,6 +138,10 @@ final class BoringSSLRSAPublicKey: PublicKey, BoringSSLKey {
         CCryptoBoringSSL_RSA_free(self.underlying)
     }
 
+    var sizeInBits: Int {
+        toBits(bytes: Int(CCryptoBoringSSL_RSA_size(self.underlying)))
+    }
+
     /// `data` should be in the PKCS #1 format
     init(data: Data) throws {
         let bytes = data.copyBytes()
diff --git a/Sources/PackageCollectionsSigning/Key/Key.swift b/Sources/PackageCollectionsSigning/Key/Key.swift
@@ -40,3 +40,7 @@ enum KeyType {
     case RSA
     case EC
 }
+
+func toBits(bytes: Int) -> Int {
+    bytes * 8
+}
diff --git a/Sources/PackageCollectionsSigning/PackageCollectionSigning.swift b/Sources/PackageCollectionsSigning/PackageCollectionSigning.swift
@@ -15,6 +15,8 @@ import PackageCollectionsModel
 public struct PackageCollectionSigning {
     public typealias Model = PackageCollectionModel.V1
 
+    private static let minimumRSAKeySizeInBits = 2048
+
     let certPolicy: CertificatePolicy
 
     public init() {
@@ -84,6 +86,7 @@ public struct PackageCollectionSigning {
                         case .EC:
                             privateKey = try ECPrivateKey(pem: privateKeyPEM)
                         }
+                        try self.validateKey(privateKey)
 
                         // Generate the signature
                         let signatureBytes = try Signature.generate(for: collection, with: header, using: privateKey, jsonEncoder: jsonEncoder)
@@ -173,11 +176,20 @@ public struct PackageCollectionSigning {
             callback(.failure(error))
         }
     }
+
+    private func validateKey(_ privateKey: PrivateKey) throws {
+        if let rsaKey = privateKey as? RSAPrivateKey {
+            guard rsaKey.sizeInBits >= Self.minimumRSAKeySizeInBits else {
+                throw PackageCollectionSigningError.invalidKeySize(minimumBits: Self.minimumRSAKeySizeInBits)
+            }
+        }
+    }
 }
 
 enum PackageCollectionSigningError: Error {
     case emptyCertChain
     case invalidCertChain
     case invalidSignature
     case missingCertInfo
+    case invalidKeySize(minimumBits: Int)
 }
diff --git a/Tests/PackageCollectionsSigningTests/KeyTests+RSA.swift b/Tests/PackageCollectionsSigningTests/KeyTests+RSA.swift
@@ -22,15 +22,18 @@ class RSAKeyTests: XCTestCase {
             let data = Data(try localFileSystem.readFileContents(path).contents)
 
             let certificate = try Certificate(derEncoded: data)
-            XCTAssertNoThrow(try certificate.publicKey())
+            let key = try certificate.publicKey() as! RSAPublicKey
+            XCTAssertEqual(2048, key.sizeInBits)
         }
     }
 
     func testPublicKeyFromPEM() throws {
-        XCTAssertNoThrow(try RSAPublicKey(pem: rsaPublicKey.bytes))
+        let key = try RSAPublicKey(pem: rsaPublicKey.bytes)
+        XCTAssertEqual(2048, key.sizeInBits)
     }
 
     func testPrivateKeyFromPEM() throws {
-        XCTAssertNoThrow(try RSAPrivateKey(pem: rsaPrivateKey.bytes))
+        let key = try RSAPrivateKey(pem: rsaPrivateKey.bytes)
+        XCTAssertEqual(2048, key.sizeInBits)
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -40,3 +40,7 @@ enum KeyType {`
`40`	`40`	`case RSA`
`41`	`41`	`case EC`
`42`	`42`	`}`
	`43`	`+`
	`44`	`+func toBits(bytes: Int) -> Int {`
	`45`	`+ bytes * 8`
	`46`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -22,15 +22,18 @@ class RSAKeyTests: XCTestCase {`
`22`	`22`	`let data = Data(try localFileSystem.readFileContents(path).contents)`
`23`	`23`
`24`	`24`	`let certificate = try Certificate(derEncoded: data)`
`25`		`- XCTAssertNoThrow(try certificate.publicKey())`
	`25`	`+ let key = try certificate.publicKey() as! RSAPublicKey`
	`26`	`+ XCTAssertEqual(2048, key.sizeInBits)`
`26`	`27`	`}`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`func testPublicKeyFromPEM() throws {`
`30`		`- XCTAssertNoThrow(try RSAPublicKey(pem: rsaPublicKey.bytes))`
	`31`	`+ let key = try RSAPublicKey(pem: rsaPublicKey.bytes)`
	`32`	`+ XCTAssertEqual(2048, key.sizeInBits)`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`func testPrivateKeyFromPEM() throws {`
`34`		`- XCTAssertNoThrow(try RSAPrivateKey(pem: rsaPrivateKey.bytes))`
	`36`	`+ let key = try RSAPrivateKey(pem: rsaPrivateKey.bytes)`
	`37`	`+ XCTAssertEqual(2048, key.sizeInBits)`
`35`	`38`	`}`
`36`	`39`	`}`