ssh-key: add a crate feature to allow insecure RSA keys - fixes #336

Author: Eugeny

ssh-key/Cargo.toml

@@ -76,6 +76,7 @@ encryption = [
     "rand_core"
 ]
 getrandom = ["rand_core/getrandom"]
+hazmat-allow-insecure-rsa-keys = []
 p256 = ["dep:p256", "ecdsa"]
 p384 = ["dep:p384", "ecdsa"]
 p521 = ["dep:p521", "ecdsa"]

ssh-key/src/private/rsa.rs

@@ -138,17 +138,17 @@ pub struct RsaKeypair {
 
 impl RsaKeypair {
     /// Minimum allowed RSA key size.
-    #[cfg(feature = "rsa")]
+    #[cfg(all(feature = "rsa", not(feature = "hazmat-allow-insecure-rsa-keys")))]
     pub(crate) const MIN_KEY_SIZE: usize = 2048;
 
     /// Generate a random RSA keypair of the given size.
     #[cfg(feature = "rsa")]
     pub fn random(rng: &mut impl CryptoRngCore, bit_size: usize) -> Result<Self> {
-        if bit_size >= Self::MIN_KEY_SIZE {
-            rsa::RsaPrivateKey::new(rng, bit_size)?.try_into()
-        } else {
-            Err(Error::Crypto)
+        #[cfg(not(feature = "hazmat-allow-insecure-rsa-keys"))]
+        if bit_size < Self::MIN_KEY_SIZE {
+            return Err(Error::Crypto);
         }
+        rsa::RsaPrivateKey::new(rng, bit_size)?.try_into()
     }
 
     /// Create a new keypair from the given `public` and `private` key components.
@@ -260,11 +260,12 @@ impl TryFrom<&RsaKeypair> for rsa::RsaPrivateKey {
             ],
         )?;
 
-        if ret.size().saturating_mul(8) >= RsaKeypair::MIN_KEY_SIZE {
-            Ok(ret)
-        } else {
-            Err(Error::Crypto)
+        #[cfg(not(feature = "hazmat-allow-insecure-rsa-keys"))]
+        if ret.size().saturating_mul(8) < RsaKeypair::MIN_KEY_SIZE {
+            return Err(Error::Crypto);
         }
+
+        Ok(ret)
     }
 }
 

ssh-key/src/public/rsa.rs

@@ -28,7 +28,7 @@ pub struct RsaPublicKey {
 
 impl RsaPublicKey {
     /// Minimum allowed RSA key size.
-    #[cfg(feature = "rsa")]
+    #[cfg(all(feature = "rsa", not(feature = "hazmat-allow-insecure-rsa-keys")))]
     pub(crate) const MIN_KEY_SIZE: usize = RsaKeypair::MIN_KEY_SIZE;
 
     /// Create a new [`RsaPublicKey`] with the given components:
@@ -117,11 +117,12 @@ impl TryFrom<&RsaPublicKey> for rsa::RsaPublicKey {
         )
         .map_err(|_| Error::Crypto)?;
 
-        if ret.size().saturating_mul(8) >= RsaPublicKey::MIN_KEY_SIZE {
-            Ok(ret)
-        } else {
-            Err(Error::Crypto)
+        #[cfg(not(feature = "hazmat-allow-insecure-rsa-keys"))]
+        if ret.size().saturating_mul(8) < RsaPublicKey::MIN_KEY_SIZE {
+            return Err(Error::Crypto);
         }
+
+        Ok(ret)
     }
 }