From 908ad77af8731c0e8a7645575ea71fbbdd404d41 Mon Sep 17 00:00:00 2001 From: xunchang Date: Tue, 26 Mar 2019 09:54:34 -0700 Subject: Allow RSA 4096 key in package verification The RSA_verify sitll works for 4096 bits keys. And we just need to loose the check on modulus. Sample commands to generate the key & package: 1. openssl genrsa -out keypair.pem 4096 2. openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \ -in keypair.pem -out private.pk8 3. openssl req -new -x509 -key keypair.pem -out public.x509.pem \ -days 365 4. java -Djava.library.path=prebuilts/sdk/tools/linux/lib64 -jar \ prebuilts/sdk/tools/lib/signapk.jar -w public.x509.pem private.pk8 \ unsigned.zip signed.zip Bug: 129163830 Test: unit tests pass Change-Id: I5a5ff539c9ff1955c02ec2ce4b17563cb92808a4 --- verifier.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'verifier.cpp') diff --git a/verifier.cpp b/verifier.cpp index 68a011e0d..08d852b37 100644 --- a/verifier.cpp +++ b/verifier.cpp @@ -373,8 +373,8 @@ bool CheckRSAKey(const std::unique_ptr& rsa) { const BIGNUM* out_e; RSA_get0_key(rsa.get(), &out_n, &out_e, nullptr /* private exponent */); auto modulus_bits = BN_num_bits(out_n); - if (modulus_bits != 2048) { - LOG(ERROR) << "Modulus should be 2048 bits long, actual: " << modulus_bits; + if (modulus_bits != 2048 && modulus_bits != 4096) { + LOG(ERROR) << "Modulus should be 2048 or 4096 bits long, actual: " << modulus_bits; return false; } -- cgit v1.2.3