> From: owner-openssl-us...@openssl.org On Behalf Of Alexander Lamaison
> Sent: Thursday, 30 July, 2009 08:05

> I'm calling PEM_read_bio_RSAPrivateKey and 
> PEM_read_bio_DSAPrivateKey with private keys loaded from 
> files on disk.  I read the file into a string, put that into 
> a BIO and then call the function.
> 
> At the moment, I'm reading the entire key file into memory 
> but, of course, this isn't very safe.  The user could 
> accidentally specify a huge file and this would try to read 
> all of it into a string.  What is the maximum size of the 
> RSA/DSA key files that OpenSSL can read?  I can just return 
> an error if the file exceeds that.  I've tried to find a 
> specification for the key files but not had much success.
> 
I don't think there's any limit on the file size as such, 
other than as imposed by the filesystem or C runtime, 
because OpenSSL allows PEM-format files to contain arbitrary 
"garbage" in addition to the actual PEM object (key, cert, etc.). 
In particular, in cert files it is often convenient to have 
the decoded human-readable form (especially issuer, subject, 
validity and some extensions) as well as the machinable cert.
The same is allowed for other things like CRLs, CSRs, keys, 
although in my experience those are less often useful.

Assuming you (also) ignore/discard extraneous stuff, the size 
of a PEM-encoded object is 4/3 times the DER object rounded up 
plus header, trailer, and newlines, roughly 40-60 chars.
DER encoding itself has no limit and as far as I can tell 
OpenSSL's ASN1 routines impose no limit other than available memory 
(for the DER object plus the decoded or to-be-encoded internal one).
The bignums OpenSSL uses for most PKC values have int for num-chunks, 
so on a machine with 16-bit int (as C allows) this could impose limits; 
but most machines nowadays have 32-bit int (or even more).

For RSA, OpenSSL (in software = no engine) will not do ops 
USING (key with) modulus > 16K bits, at least by default. 
It will happily, if slowly, GENERATE a bigger one,
which might be supported by other engine(s).
Assuming you only use usable keys (!) and usual small pubexpt, 
a 16Kbit RSA private key is roughly 4.5*2K ~ 9K bytes DER.

For DSA, original DSS allowed only 512 to 1024 (and 160) 
although the algorithm can work for other sizes and OpenSSL does.
186-3 (just final last month!) makes it 1024 to 3072 (and 160 to 256) 
but recommends 3072 only for CAs. (800-56.1 rates that as comparable 
in strength to 128 symmetric, and approved beyond 2030.)
So if you only (need to) generate compliant signatures, 
a 3Kbit DSA private key is roughly 3*.4=1.2k bytes DER.
dsa/dsa_ossl.c won't verify a modulus >10k bits. It apparently will sign 
(which is cheaper) but an unverifiable signature is pretty useless.
A 10kbit DSA private key is roughly 3*1.3=4k bytes DER.

An encrypted privkey -- and you should be cautious about 
storing privkeys unencrypted in disk files -- is slightly 
longer, but by a fixed (not proportionate) amount.

Are you sorry you asked now? <G>



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
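The size arithmetic from the reply above, turned into a bound a program can enforce before slurping a key file into memory. This is an added example in Python, not code from the thread or from OpenSSL; it assumes OpenSSL's 64-character PEM line width and LF line endings, and the slack value for comments or encryption headers is a constructed guess.

```python
"""PEM size bounds derived from the reply: body = base64 of the DER object
(4/3 the size, rounded up), 64-char lines, plus BEGIN/END lines; a PKCS#1
RSAPrivateKey is roughly 4.5 times the modulus byte length in DER."""
import base64
import math

PEM_LINE = 64  # OpenSSL wraps base64 PEM bodies at 64 characters


def pem_size(der_len: int, label: str) -> int:
    """Exact byte length of a PEM object wrapping `der_len` DER bytes with
    the given label (e.g. "RSA PRIVATE KEY"), LF line endings, no extra
    text before/after and no Proc-Type/DEK-Info encryption headers."""
    b64_len = 4 * math.ceil(der_len / 3)        # base64 incl. '=' padding
    body_lines = math.ceil(b64_len / PEM_LINE)  # one newline per body line
    header = len(f"-----BEGIN {label}-----\n")
    trailer = len(f"-----END {label}-----\n")
    return header + b64_len + body_lines + trailer


def to_pem(der: bytes, label: str) -> bytes:
    """Reference encoder used to cross-check pem_size() on real bytes."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + PEM_LINE] for i in range(0, len(b64), PEM_LINE)]
    return (f"-----BEGIN {label}-----\n".encode()
            + b"".join(line + b"\n" for line in lines)
            + f"-----END {label}-----\n".encode())


def rsa_private_der_estimate(modulus_bits: int) -> int:
    """Rule of thumb from the reply: n and d are modulus-sized, p, q, dP,
    dQ and qInv are each half that, so about 4.5 x modulus bytes
    (ASN.1 tag/length overhead ignored)."""
    return int(4.5 * (modulus_bits // 8))


def max_pem_key_file(modulus_bits: int = 16384, slack: int = 4096) -> int:
    """Upper bound on a key file worth reading: the PEM size of the largest
    RSA key OpenSSL will use by default (16K bits per the reply) plus an
    assumed slack for comments or encryption headers."""
    der = rsa_private_der_estimate(modulus_bits)
    return pem_size(der, "RSA PRIVATE KEY") + slack


def read_key_file_bounded(path: str, limit: int) -> bytes:
    """Read at most `limit` bytes and refuse anything larger, instead of
    reading an arbitrarily large file into a string first."""
    with open(path, "rb") as f:
        data = f.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"key file exceeds {limit} bytes")
    return data
```

A 16Kbit RSA key comes out at about 12.5 KB of PEM before slack, so a cap in the low tens of kilobytes accepts every key OpenSSL will actually use while rejecting a mistakenly chosen multi-megabyte file.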
