fix: all JWA defined RSA operations require key of 2048 or more

BREAKING CHANGE: all [JWA](https://tools.ietf.org/html/rfc7518) defined RSA based operations require key size of 2048 bits or more.
panva · Mar 16, 2019 · cc70c5d · cc70c5d
1 parent d3853f0
commit cc70c5d
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 2 deletions.
diff --git a/lib/jwk/key/rsa.js b/lib/jwk/key/rsa.js
@@ -62,6 +62,10 @@ class RSAKey extends Key {
  }
 
  algorithms (operation, { use = this.use, alg = this.alg } = {}) {
+ if (this.length < 2048) {
+ return new Set()
+ }
+
  if (alg) {
  return new Set(this.algorithms(operation, { alg: null, use }).has(alg) ? [alg] : undefined)
  }
@@ -106,7 +110,7 @@ class RSAKey extends Key {
  }
 
  static async generate (len = 2048, opts, privat = true) {
- if (!Number.isSafeInteger(len) || len < 512 || len % 8 !== 0) {
+ if (!Number.isSafeInteger(len) || len < 2048 || len % 8 !== 0) {
  throw new TypeError('invalid bit length')
  }
 
@@ -116,7 +120,7 @@ class RSAKey extends Key {
  }
 
  static generateSync (len = 2048, opts, privat = true) {
- if (!Number.isSafeInteger(len) || len < 512 || len % 8 !== 0) {
+ if (!Number.isSafeInteger(len) || len < 2048 || len % 8 !== 0) {
  throw new TypeError('invalid bit length')
  }
 

diff --git a/test/fixtures/index.js b/test/fixtures/index.js
@@ -45,6 +45,8 @@ module.exports.JWK = {
  }
 }
 
+module.exports.RSA_512 = readFileSync(join(__dirname, 'rsa_512.pem'))
+
 module.exports.PEM = {
  RSA: {
  private: readFileSync(join(__dirname, 'rsa.key')),

diff --git a/test/fixtures/rsa_512.pem b/test/fixtures/rsa_512.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANfIj0FsIfWjNqyGxriALLDMU6qUTts+
+LvQc2rVWj9iC4IPFZKIFZB10V+FDGBsA8o9VmQlA6/fDxsZNW+rRLckCAwEAAQ==
+-----END PUBLIC KEY-----
diff --git a/test/jwk/rsa.test.js b/test/jwk/rsa.test.js
@@ -34,6 +34,14 @@ test(`RSA key .algorithms invalid operation`, t => {
  t.deepEqual([...result], ['PS256', 'RS256', 'PS384', 'RS384', 'PS512', 'RS512', 'RSA-OAEP', 'RSA1_5'])
  })
 
+ test('RSA < 2048 bits does not support any algorithms', t => {
+ const keyObject = createPublicKey(fixtures.RSA_512)
+ const key = new RSAKey(keyObject)
+ const result = key.algorithms()
+ t.is(result.constructor, Set)
+ t.deepEqual([...result], [])
+ })
+
  test('RSA Private key algorithms (no operation, w/ alg)', t => {
  const key = new RSAKey(keyObject, { alg: 'RS256' })
  const result = key.algorithms()