Calling all algebraic coders ... [snip]
> > I would suggest the following for checking RSA public keys: > > > > 1) that the public exponent e satisfies 3 <= e < n and that > > e is odd (PKCS#1) [this doesn't prevent low exponent > > attacks however] > > 2) that the modulus n is not a probable prime > > (e.g., apply 80 rounds of Miller-Rabin) > > 3) that n is not divisible by small primes > > 4) that n is not a perfect power > > 5) that n provides a suitable setting for the factoring > > problem (e.g., |n| > 512 bits or 768 bits, etc.), and give > > a warning if it is not. > > > > I am working on some code which I hope to donate to > > OpenSSL that accomplishes (4) and more... > > Yay, thanks. Adam, have you had any joy with code for this? Until we find an adequate replacement/supplement for RSA_check_key() that *does* behave in transparent manner w.r.t. ENGINEs, I'm thinking that the best interim solution to this problem (and the RT ticket) would be in two parts; (1) the documentation. Ie. to note that RSA_check_key() is *not* a function that works transparently with any RSA key type / ENGINE implementation. This could go into 0.9.7-stable too if it makes it in time for the release, as it would hopefully reduce the number of times this bug-report comes up before 0.9.8 gets released :-) (2) check whether rsa->engine is non-NULL and if so, and *any* of the private key/CRT components are missing, return an error code such as RSA_R_CAN_NOT_CHECK_ENGINE_KEY. This approach would assume that any embedded/opaque key supported by an ENGINE wouldn't populate all the private key elements (ie. HSMs shouldn't need to use d, p, q, dmp1, dmq1, iqmp). BTW: this change could only go into the HEAD (ie. not in time for 0.9.7). Thoughts from anyone? Cheers, Geoff ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
