From 6f86a7f5203094759ef52694a0cc5af05496f70e Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 24 May 2021 03:45:43 +0200
Subject: [PATCH] agessh: reject small ssh-rsa keys

Fixes #266
---
 agessh/agessh.go | 3 +++
 agessh/agessh_test.go | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/agessh/agessh.go b/agessh/agessh.go
index 9b212ba..f415b1e 100644
--- a/agessh/agessh.go
+++ b/agessh/agessh.go
@@ -65,6 +65,9 @@ func NewRSARecipient(pk ssh.PublicKey) (*RSARecipient, error) {
 } else {
 return nil, errors.New("pk does not implement ssh.CryptoPublicKey")
 }
+ if r.pubKey.Size() < 2048/8 {
+ return nil, errors.New("RSA key size is too small")
+ }
 return r, nil
 }
 
diff --git a/agessh/agessh_test.go b/agessh/agessh_test.go
index 95417b9..e815a80 100644
--- a/agessh/agessh_test.go
+++ b/agessh/agessh_test.go
@@ -19,7 +19,7 @@ import (
 )
 
 func TestSSHRSARoundTrip(t *testing.T) {
- pk, err := rsa.GenerateKey(rand.Reader, 768)
+ pk, err := rsa.GenerateKey(rand.Reader, 2048)
 if err != nil {
 t.Fatal(err)
 }
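Review bot: The new guard in NewRSARecipient compares `r.pubKey.Size()` against `2048/8`, and Size() reports the modulus length rounded up to whole bytes, so a modulus of 2041 to 2047 bits still passes the check. Assuming r.pubKey is an `*rsa.PublicKey`, as the Size() call suggests, comparing bits enforces the intended floor exactly: `if r.pubKey.N.BitLen() < 2048 {`. The error would also be easier to act on if it named the limit, for example `errors.New("RSA key size is too small (minimum 2048 bits)")`, and a one-line comment such as `// Reject moduli below 2048 bits; smaller RSA keys are considered factorable.` would record why the limit exists. The function body begins above the hunk, so how r.pubKey is populated is not visible here.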
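Review bot: Nothing in this test change exercises the new rejection path: the hunk only raises the round-trip key from 768 to 2048 bits, and the diffstat shows one insertion and one deletion in agessh_test.go, so no negative test was added by this commit. A short companion test would pin the behaviour, for instance generating a 1024-bit key, wrapping its public half with `ssh.NewPublicKey`, and failing unless `NewRSARecipient` returns a non-nil error. That keeps the minimum from being loosened silently in a later refactor. TestSSHRSARoundTrip continues past the end of the hunk.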