
gpg --full-generate-key does not use max RSA keysize when --enable-large-rsa is set
Closed, Wontfix (Public)

Description

--full-generate-key presumably ends up calling ask_keysize(), which does not take opt.flags.large_rsa into account the way that gen_rsa() appears to. This results in the keysize being limited to 4096 instead of 8192 as expected.
I am familiar with the security ramifications of using an 8192-bit RSA key, but I saw this as an implementation flaw and thought it would be worth officially reporting, as I know others have encountered issues doing so both in the past and to date (just search "gpg create 8192 rsa key").

To reproduce: gpg --full-generate-key --enable-large-rsa

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 8192
RSA keysizes must be in the range 1024-4096
What keysize do you want? (3072)

Debian 11.5, GnuPG 2.2.27 or build tag gnupg-2.2.27 w/ --enable-large-secmem
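Added example, not part of this ticket and not GnuPG's own code. The --enable-large-rsa option is documented for --batch key generation, so the script below drives that unattended path through a parameter file in a throwaway home directory, then reads the key length back from the machine-readable --with-colons listing and compares it with the length that was requested, so a silently capped key is noticed rather than assumed. The parameter file contents, home directory, name and e-mail address are constructed for the example; gpg on PATH and a build with large-secmem support are assumptions.

```shell
#!/bin/sh
# Added example (not from the GnuPG tracker or the GnuPG source tree).
# Generates an RSA key via GnuPG's unattended --batch parameter-file path with
# --enable-large-rsa, then reads the key length back from --with-colons output
# to confirm the size actually produced. Assumes gpg in PATH, a large-secmem
# build, and a throwaway --homedir.

# Extract the length (field 3) of the first "pub" record in --with-colons
# output. Returns 1 and prints nothing if no pub record is present.
key_bits_from_colons() {
    bits=$(printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $3; exit }')
    [ -n "$bits" ] || return 1
    printf '%s\n' "$bits"
}

# Compare the requested and actual length; returns 0 only when they match.
check_key_length() {
    requested=$1
    actual=$2
    if [ "$actual" -eq "$requested" ]; then
        printf 'ok: key is %s bits as requested\n' "$actual"
        return 0
    fi
    printf 'MISMATCH: requested %s bits, got %s bits\n' "$requested" "$actual"
    return 1
}

# Drive gpg itself: $1 = requested key length, $2 = throwaway home directory.
# Returns 0 only if the generated primary key has the requested length.
generate_and_verify() {
    nbits=$1
    home=$2
    mkdir -p "$home" && chmod 700 "$home"
    # Constructed parameter file in GnuPG's documented unattended format.
    cat >"$home/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: $nbits
Subkey-Type: RSA
Subkey-Length: $nbits
Name-Real: Large RSA Test
Name-Email: large-rsa-test@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$home" --batch --enable-large-rsa --gen-key "$home/params" || return 1
    listing=$(gpg --homedir "$home" --batch --with-colons --list-keys)
    actual=$(key_bits_from_colons "$listing") || return 1
    check_key_length "$nbits" "$actual"
}

# Usage (8192-bit generation can take several minutes):
#   generate_and_verify 8192 "$(mktemp -d)"
```

The verification step matters more than the invocation: whether the limit is hit in the interactive prompt, as in the transcript above, or applied elsewhere, the only reliable confirmation of what was created is the length field in the resulting pub record.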

Details

Version
2.2.27

Event Timeline

werner claimed this task.
werner added a subscriber: werner.

Sorry, this has been discussed ad nauseam. We try our best to help people not to use useless and harmful (e.g. performance of the WoT) algorithm choices.

Perhaps --full-generate-key should provide more algorithm choices, then, e.g. ed25519?

Add --expert and use a decent version of GnuPG. 2.2 is our long term support branch and is not the current stable production version (which is 2.3.7).