diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 97b07e3..08b25c2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -103,6 +103,25 @@ jobs: jdk_version: ${{ matrix.jdk_version }} wolfssl_configure: ${{ matrix.wolfssl_configure }} + # ------------------ RSA 1024 min size sanity check ------------------- + # Only check one Linux and Mac JDK version as a sanity check. Using Zulu, + # but this can be expanded if needed. + # wolfSSL ./configure: + # --enable-jni CFLAGS="-DRSA_MIN_SIZE=1024 + linux-zulu-rsa-min-size: + strategy: + matrix: + os: [ 'ubuntu-latest', 'macos-latest' ] + jdk_version: [ '11' ] + wolfssl_configure: [ '--enable-jni CFLAGS="-DRSA_MIN_SIZE=1024"' ] + name: ${{ matrix.os }} (Zulu JDK ${{ matrix.jdk_version }}, ${{ matrix.wolfssl_configure}}) + uses: ./.github/workflows/linux-common.yml + with: + os: ${{ matrix.os }} + jdk_distro: "zulu" + jdk_version: ${{ matrix.jdk_version }} + wolfssl_configure: ${{ matrix.wolfssl_configure }} + # ------------------ Facebook Infer static analysis ------------------- # Run Facebook infer over PR code, only running on Linux with one # JDK/version for now. diff --git a/jni/include/com_wolfssl_wolfcrypt_Rsa.h b/jni/include/com_wolfssl_wolfcrypt_Rsa.h index b75d427..61a810e 100644 --- a/jni/include/com_wolfssl_wolfcrypt_Rsa.h +++ b/jni/include/com_wolfssl_wolfcrypt_Rsa.h @@ -169,6 +169,14 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_Rsa_wc_1RsaSSL_1Sign JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_Rsa_wc_1RsaSSL_1Verify (JNIEnv *, jobject, jbyteArray); +/* + * Class: com_wolfssl_wolfcrypt_Rsa + * Method: rsaMinSize + * Signature: ()I + */ +JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Rsa_rsaMinSize + (JNIEnv *, jclass); + /* * Class: com_wolfssl_wolfcrypt_Rsa * Method: getDefaultRsaExponent diff --git a/jni/jni_rsa.c b/jni/jni_rsa.c index b5bcaa0..9715adb 100644 --- a/jni/jni_rsa.c +++ b/jni/jni_rsa.c @@ -81,6 +81,15 @@ JNIEXPORT jlong JNICALL Java_com_wolfssl_wolfcrypt_Rsa_getDefaultRsaExponent #endif } +JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_Rsa_rsaMinSize + (JNIEnv *env, jclass jcl) +{ + (void)env; + (void)jcl; + + return (jint)RSA_MIN_SIZE; +} + JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Rsa_MakeRsaKey( JNIEnv *env, jobject this, jint size, jlong e, jobject rng_object) diff --git a/src/main/java/com/wolfssl/wolfcrypt/Rsa.java b/src/main/java/com/wolfssl/wolfcrypt/Rsa.java index 3e57349..051dae1 100644 --- a/src/main/java/com/wolfssl/wolfcrypt/Rsa.java +++ b/src/main/java/com/wolfssl/wolfcrypt/Rsa.java @@ -32,6 +32,8 @@ public class Rsa extends NativeStruct { private boolean hasPrivateKey = false; private Rng rng; + public static final int RSA_MIN_SIZE = Rsa.rsaMinSize(); + /** Lock around object state */ protected final Object stateLock = new Object(); @@ -92,6 +94,7 @@ public class Rsa extends NativeStruct { throws WolfCryptException; private native byte[] wc_RsaSSL_Verify(byte[] data) throws WolfCryptException; + private static native int rsaMinSize(); /** * Create new Rsa object diff --git a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java index c5ecce7..9346ef9 100644 --- a/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java +++ b/src/test/java/com/wolfssl/provider/jce/test/WolfCryptKeyPairGeneratorTest.java @@ -115,7 +115,8 @@ public class WolfCryptKeyPairGeneratorTest { new ArrayList(); /* Test generation of these RSA key sizes */ - private static int testedRSAKeySizes[] = null; + private static ArrayList testedRSAKeySizes = + new ArrayList(); /* DH test params */ private static byte[] prime = Util.h2b( @@ -149,16 +150,19 @@ public class WolfCryptKeyPairGeneratorTest { Provider p = Security.getProvider("wolfJCE"); assertNotNull(p); - if (Fips.enabled && Fips.fipsVersion >= 5) { - /* FIPS after 2425 doesn't allow 1024-bit RSA key gen */ - testedRSAKeySizes = new int[] { - 2048, 3072, 4096 - }; + /* FIPS after 2425 doesn't allow 1024-bit RSA key gen */ + if ((!Fips.enabled || Fips.fipsVersion < 5) && + (Rsa.RSA_MIN_SIZE <= 1024)) { + testedRSAKeySizes.add(Integer.valueOf(1024)); } - else { - testedRSAKeySizes = new int[] { - 1024, 2048, 3072, 4096 - }; + if (Rsa.RSA_MIN_SIZE <= 2048) { + testedRSAKeySizes.add(Integer.valueOf(2048)); + } + if (Rsa.RSA_MIN_SIZE <= 3072) { + testedRSAKeySizes.add(Integer.valueOf(3072)); + } + if (Rsa.RSA_MIN_SIZE <= 4096) { + testedRSAKeySizes.add(Integer.valueOf(4096)); } /* build list of enabled curves and key sizes, @@ -211,13 +215,13 @@ public class WolfCryptKeyPairGeneratorTest { InvalidAlgorithmParameterException { /* try initializing KPG for all tested key sizes */ - for (int i = 0; i < testedRSAKeySizes.length; i++) { + for (int i = 0; i < testedRSAKeySizes.size(); i++) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); RSAKeyGenParameterSpec rsaSpec = - new RSAKeyGenParameterSpec(testedRSAKeySizes[i], + new RSAKeyGenParameterSpec(testedRSAKeySizes.get(i), BigInteger.valueOf(Rsa.getDefaultRsaExponent())); kpg.initialize(rsaSpec); @@ -236,12 +240,12 @@ public class WolfCryptKeyPairGeneratorTest { InvalidAlgorithmParameterException { /* try initializing KPG for all tested key sizes */ - for (int i = 0; i < testedRSAKeySizes.length; i++) { + for (int i = 0; i < testedRSAKeySizes.size(); i++) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); - kpg.initialize(testedRSAKeySizes[i]); + kpg.initialize(testedRSAKeySizes.get(i)); /* bad key size should fail */ try { @@ -256,13 +260,13 @@ public class WolfCryptKeyPairGeneratorTest { InvalidAlgorithmParameterException { /* try generating keys for all tested sizes */ - for (int i = 0; i < testedRSAKeySizes.length; i++) { + for (int i = 0; i < testedRSAKeySizes.size(); i++) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); RSAKeyGenParameterSpec rsaSpec = - new RSAKeyGenParameterSpec(testedRSAKeySizes[i], + new RSAKeyGenParameterSpec(testedRSAKeySizes.get(i), BigInteger.valueOf(Rsa.getDefaultRsaExponent())); kpg.initialize(rsaSpec); @@ -275,13 +279,13 @@ public class WolfCryptKeyPairGeneratorTest { throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - if (testedRSAKeySizes.length > 0) { + if (testedRSAKeySizes.size() > 0) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); RSAKeyGenParameterSpec rsaSpec = - new RSAKeyGenParameterSpec(testedRSAKeySizes[0], + new RSAKeyGenParameterSpec(testedRSAKeySizes.get(0), BigInteger.valueOf(Rsa.getDefaultRsaExponent())); kpg.initialize(rsaSpec); @@ -294,13 +298,13 @@ public class WolfCryptKeyPairGeneratorTest { throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException { - if (testedRSAKeySizes.length > 0) { + if (testedRSAKeySizes.size() > 0) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); RSAKeyGenParameterSpec rsaSpec = - new RSAKeyGenParameterSpec(testedRSAKeySizes[0], + new RSAKeyGenParameterSpec(testedRSAKeySizes.get(0), BigInteger.valueOf(Rsa.getDefaultRsaExponent())); kpg.initialize(rsaSpec); @@ -314,13 +318,13 @@ public class WolfCryptKeyPairGeneratorTest { throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeySpecException { - if (testedRSAKeySizes.length > 0) { + if (testedRSAKeySizes.size() > 0) { KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "wolfJCE"); RSAKeyGenParameterSpec rsaSpec = - new RSAKeyGenParameterSpec(testedRSAKeySizes[0], + new RSAKeyGenParameterSpec(testedRSAKeySizes.get(0), BigInteger.valueOf(Rsa.getDefaultRsaExponent())); kpg.initialize(rsaSpec); diff --git a/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java b/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java index 93b8144..aa5b504 100644 --- a/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java +++ b/src/test/java/com/wolfssl/wolfcrypt/test/RsaTest.java @@ -80,13 +80,21 @@ public class RsaTest { assertNotEquals(NativeStruct.NULL, new Rsa().getNativeStruct()); } + @Test + public void testGetMinRsaSize() { + + int minRsaSize = Rsa.RSA_MIN_SIZE; + assertTrue(minRsaSize > 0); + } + @Test public void testMakeKey() { Rsa key = null; /* FIPS after 2425 doesn't allow 1024-bit RSA key gen */ - if (Fips.enabled && Fips.fipsVersion < 5) { + if ((Fips.enabled && Fips.fipsVersion < 5) || + (!Fips.enabled && Rsa.RSA_MIN_SIZE <= 1024)) { key = new Rsa(); key.makeKey(1024, 65537, rng); key.releaseNativeStruct(); @@ -237,7 +245,8 @@ public class RsaTest { + "be35abca5ce7935334a1455d1339654246a19fcdf5bf"); /* FIPS after 2425 doesn't allow 1024-bit RSA key gen */ - if (Fips.enabled && Fips.fipsVersion >= 5) { + if ((Fips.enabled && Fips.fipsVersion >= 5) || + (Rsa.RSA_MIN_SIZE > 1024)) { /* skip */ return; }