Maximum modulus size #350

@tarcieri

In #349 I suggested adopting some sort of ceiling on the size of integers that are acceptable for signatures, i.e. a maximum modulus size. This would prevent parsing some large amount of data that doesn't make sense as a signature to an extremely large integer.

While we do have checks that the signature does not exceed the modulus for a given public key in PKCS#1v15 and PSS now (I believe?), these checks aren't applied until signature verification time, whereas I think this sort of sanity limit would be better applied before we ever parse to a BigUint.

It could also form an upper bound on what we consider acceptable as an RSA private key, where we currently have no limit.

Perhaps 16384-bits would be acceptable? /cc @dignifiedquire
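
A size gate of the kind proposed above, as an added example that is not part of the original issue or the crate's code. The names `MAX_MODULUS_BITS`, `SizeError`, `be_bit_len` and `check_integer_size` are hypothetical, and the 16384-bit ceiling is the value floated in the issue. It runs on the raw big-endian bytes, before any big-integer type is constructed.

```rust
/// Ceiling floated in the issue (16384 bits); an assumption, not a crate constant.
pub const MAX_MODULUS_BITS: usize = 16384;

#[derive(Debug, PartialEq, Eq)]
pub enum SizeError {
    Empty,
    TooLarge { max_bits: usize },
}

/// Bit length of a big-endian unsigned integer, ignoring leading zero bytes.
pub fn be_bit_len(bytes: &[u8]) -> usize {
    match bytes.iter().position(|&b| b != 0) {
        None => 0,
        Some(i) => (bytes.len() - i - 1) * 8 + (8 - bytes[i].leading_zeros() as usize),
    }
}

/// Hypothetical pre-parse gate: call on the raw big-endian bytes of a signature
/// or key component before constructing any big integer from them.
/// Returns the bit length when the input is within the ceiling.
pub fn check_integer_size(bytes: &[u8], max_bits: usize) -> Result<usize, SizeError> {
    if bytes.is_empty() {
        return Err(SizeError::Empty);
    }
    // Reject on raw length first, so oversized input is never scanned or copied.
    // Design choice of this example: zero-padding past the ceiling is also rejected.
    let max_bytes = (max_bits + 7) / 8;
    if bytes.len() > max_bytes {
        return Err(SizeError::TooLarge { max_bits });
    }
    // Exact check, which matters when max_bits is not a multiple of 8.
    let bits = be_bit_len(bytes);
    if bits > max_bits {
        return Err(SizeError::TooLarge { max_bits });
    }
    Ok(bits)
}

fn main() {
    // Constructed inputs: a 2048-bit-sized buffer and a 1 MiB blob.
    let sig = vec![0xffu8; 256];
    let blob = vec![0xffu8; 1 << 20];
    println!("{:?}", check_integer_size(&sig, MAX_MODULUS_BITS));
    println!("{:?}", check_integer_size(&blob, MAX_MODULUS_BITS));
}
```

The same gate can be applied to each component of a private key before it is parsed, which gives the upper bound on key size the issue mentions.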
