From 86783480b50c1870197b08b1675131a742f68991 Mon Sep 17 00:00:00 2001
From: Chris Hofstaedtler
Date: Wed, 3 Jan 2018 19:04:17 +0100
Subject: [PATCH] Forbid creating algo 5/8/10 keys with out-of-spec sizes
---
 pdns/opensslsigners.cc | 14 ++++++++++++++
 regression-tests.api/test_cryptokeys.py | 4 ++--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
index 8e3bb547bd..633c252789 100644
--- a/pdns/opensslsigners.cc
+++ b/pdns/opensslsigners.cc
@@ -32,6 +32,7 @@
 #include
 #include "opensslsigners.hh"
 #include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
 #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined LIBRESSL_VERSION_NUMBER)
 /* OpenSSL < 1.1.0 needs support for threading/locking in the calling application. */
@@ -211,6 +212,19 @@ private:
 void OpenSSLRSADNSCryptoKeyEngine::create(unsigned int bits)
 {
+ if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (bits < 512 || bits > 4096)) {
+ /* RFC3110 */
+ throw runtime_error(getName()+" RSASHA1 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+ if (d_algorithm == DNSSECKeeper::RSASHA256 && (bits < 512 || bits > 4096)) {
+ /* RFC5702 */
+ throw runtime_error(getName()+" RSASHA256 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+ if (d_algorithm == DNSSECKeeper::RSASHA512 && (bits < 1024 || bits > 4096)) {
+ /* RFC5702 */
+ throw runtime_error(getName()+" RSASHA512 key generation failed for invalid bits size " + std::to_string(bits));
+ }
+
 BIGNUM *e = BN_new();
 if (!e) {
 throw runtime_error(getName()+" key generation failed, unable to allocate e");
diff --git a/regression-tests.api/test_cryptokeys.py b/regression-tests.api/test_cryptokeys.py
index 553f2198d0..49c4b400d5 100644
--- a/regression-tests.api/test_cryptokeys.py
+++ b/regression-tests.api/test_cryptokeys.py
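Review bot: In pdns/opensslsigners.cc, the guards added at the top of `OpenSSLRSADNSCryptoKeyEngine::create` enforce only the RFC 3110/5702 range, so RSASHA1, RSASHA1NSEC3SHA1 and RSASHA256 still accept a 512-bit modulus, which is in-spec but no longer a defensible key size. If refusing such keys is out of scope for this commit, record that next to the checks, e.g. `/* RFC limits on key size only, not a strength recommendation */`. The three `if`s also have no fallback: a `d_algorithm` outside the four listed values reaches `BN_new()` with `bits` unchecked. Whether this engine can be instantiated for another algorithm is not visible in the hunk; if it can, a `switch (d_algorithm)` with a throwing `default:` would close the gap. The body of `create` continues past the end of the hunk.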
@@ -112,11 +112,11 @@ class Cryptokeys(ApiTestCase):
 # Test POST to add a key with specific algorithm number
 def test_post_specific_number(self):
- self.post_helper(algo=10, bits=512)
+ self.post_helper(algo=10, bits=1024)
 # Test POST to add a key with specific name and bits
 def test_post_specific_name_bits(self):
- self.post_helper(algo="rsasha256", bits=256)
+ self.post_helper(algo="rsasha256", bits=2048)
 # Test POST to add a key with specific name
 def test_post_specific_name(self):
-- 
2.47.2
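Review bot: Neither changed call exercises the rejection this commit adds; both were only moved to sizes the new guard accepts (`bits=1024` for algo 10, `bits=2048` for `rsasha256`). A negative case that posts an out-of-range size, for example the removed `algo="rsasha256", bits=256`, and asserts that the API returns an error and creates no key would pin the behaviour. `post_helper` is defined outside this hunk, so whether it can express a failing request is not visible here; a separate test method may be needed.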