ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-04-11 21:31:44 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

[CORDA-1539] Minimum RSA key of 2048 bits on validatePublicKey (#3239)

Browse Source
This commit is contained in:
Konstantinos Chalkias 2018-05-29 17:11:00 +01:00 committed by GitHub
parent 1c7b44fb3d
commit ac212972ea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.ci/api-current.txt
View File

@ -1245,6 +1245,7 @@ public final class net.corda.core.crypto.Crypto extends java.lang.Object
public static final java.security.PublicKey toSupportedPublicKey(java.security.PublicKey)
@NotNull
public static final java.security.PublicKey toSupportedPublicKey(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
public static final boolean validatePublicKey(java.security.PublicKey)
@NotNull
public static final net.corda.core.crypto.SignatureScheme COMPOSITE_KEY
@NotNull

10
core/src/main/kotlin/net/corda/core/crypto/Crypto.kt
View File

@ -897,6 +897,13 @@ object Crypto {
return signatureScheme.schemeCodeName in signatureSchemeMap
}
/**
* Check if a public key satisfies algorithm specs.
* For instance, an ECC key should lie on the curve and not being point-at-infinity.
*/
@JvmStatic
fun validatePublicKey(key: PublicKey): Boolean = validatePublicKey(findSignatureScheme(key), key)
// Validate a key, by checking its algorithmic params.
private fun validateKey(signatureScheme: SignatureScheme, key: Key): Boolean {
return when (key) {
@ -910,7 +917,8 @@ object Crypto {
private fun validatePublicKey(signatureScheme: SignatureScheme, key: PublicKey): Boolean {
return when (key) {
is BCECPublicKey, is EdDSAPublicKey -> publicKeyOnCurve(signatureScheme, key)
is BCRSAPublicKey, is BCSphincs256PublicKey -> true // TODO: Check if non-ECC keys satisfy params (i.e. approved/valid RSA modulus size).
is BCRSAPublicKey -> key.modulus.bitLength() >= 2048 // Although the recommended RSA key size is 3072, we accept any key >= 2048bits.
is BCSphincs256PublicKey -> true
else -> throw IllegalArgumentException("Unsupported key type: ${key::class}")
}
}

5
docs/source/changelog.rst
View File

@ -104,6 +104,10 @@ Unreleased
(even if JPA annotation nullable=false was absent).
In case your Cordapps use this entity class to persist data in own custom tables as non Primary Key columns refer to :doc:`upgrade-notes` for upgrade instructions.
* Adding a public method to check if a public key satisfies Corda recommended algorithm specs, `Crypto.validatePublicKey(java.security.PublicKey)`.
For instance, this method will check if an ECC key lies on a valid curve or if an RSA key is >= 2048bits. This might
be required for extra key validation checks, e.g., for Doorman to check that a CSR key meets the minimum security requirements.
.. _changelog_v3.1:
Version 3.1
@ -126,7 +130,6 @@ Version 3.1
* Fixed node's behaviour on startup when there is no connectivity to network map. Node continues to work normally if it has
all the needed network data, waiting in the background for network map to become available.
.. _changelog_v3:
Version 3.0