Never attempt to process an RSA 16K key on Android

vcsjones · web-flow · commit dc6cc9eb717b · 2026-06-05T14:22:54.000-04:00
Android's Conscrypt does not appear to process RSA 16K keys. It also
does not appropriately clear BoringSSL's error queue, so when you
attempt to import an RSA 16K key, the error may appear elsewhere, which
can produce nonsense errors.

For example, attempting to import an RSA 16K key, then doing
ChaCha20Poly1305 with a bad tag would raise an
`java.security.InvalidKeyException: error:04000080:RSA
routines:OPENSSL_internal:MODULUS_TOO_LARGE`, which is of course an
incorrect exception for Cipher's ChaCha20/Poly1305 to raise.

The "best" fix for this currently is to simply never touch an RSA 16K
key from our unit tests. We don't have direct access to BoringSSL's
error queue, so we can't manage it or inspect it to fix the problem on
the RSA side.

Actual APIs that clear the error queue are somewhat costly. We can
investigate some of those but we are relying on side effects that may
not always hold.

This is the easiest fix so far that doesn't require somewhat undesirable
changes in actual product code.
diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/EncryptDecrypt.cs
@@ -644,7 +644,7 @@ public void RsaDecryptAfterExport()
             Assert.Equal(TestData.HelloBytes, output);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]
         public void LargeKeyCryptRoundtrip()
         {
             byte[] output;
diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/ImportExport.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/ImportExport.cs
@@ -69,7 +69,7 @@ public static void PaddedExport()
             RSATestHelpers.AssertKeyEquals(diminishedDPParameters, exported);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]
         public static void LargeKeyImportExport()
         {
             RSAParameters imported = TestData.RSA16384Params;
@@ -367,6 +367,13 @@ internal static RSAParameters MakePublic(in RSAParameters rsaParams)
 
         private static bool TestRsa16384()
         {
+            if (PlatformDetection.IsAndroid)
+            {
+                // We cannot detect this on Android at the moment. Even attempting to generate or import a 16K RSA key
+                // may leave the error queue in the incorrect state. See https://github.com/google/conscrypt/issues/1507
+                return false;
+            }
+
             try
             {
                 using (RSA rsa = RSAFactory.Create())
diff --git a/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/SignVerify.cs b/src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/RSA/SignVerify.cs
@@ -1022,7 +1022,7 @@ public void VerifyExpectedSignature_PssSha256_RSA2048()
                 modulus2048Signature);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]
         public void VerifyExpectedSignature_PssSha256_RSA16384()
         {
             byte[] modulus2048Signature = (
@@ -1098,7 +1098,7 @@ public void VerifyExpectedSignature_PssSha256_RSA16384()
                 modulus2048Signature);
         }
 
-        [Fact]
+        [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]
         public void VerifyExpectedSignature_PssSha384()
         {
             byte[] bigModulusSignature = (

Original file line number	Diff line number	Diff line change
`@@ -644,7 +644,7 @@ public void RsaDecryptAfterExport()`
`644`	`644`	`Assert.Equal(TestData.HelloBytes, output);`
`645`	`645`	`}`
`646`	`646`
`647`		`- [Fact]`
	`647`	`+ [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]`
`648`	`648`	`public void LargeKeyCryptRoundtrip()`
`649`	`649`	`{`
`650`	`650`	`byte[] output;`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public static void PaddedExport()`
`69`	`69`	`RSATestHelpers.AssertKeyEquals(diminishedDPParameters, exported);`
`70`	`70`	`}`
`71`	`71`
`72`		`- [Fact]`
	`72`	`+ [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]`
`73`	`73`	`public static void LargeKeyImportExport()`
`74`	`74`	`{`
`75`	`75`	`RSAParameters imported = TestData.RSA16384Params;`
`@@ -367,6 +367,13 @@ internal static RSAParameters MakePublic(in RSAParameters rsaParams)`
`367`	`367`
`368`	`368`	`private static bool TestRsa16384()`
`369`	`369`	`{`
	`370`	`+ if (PlatformDetection.IsAndroid)`
	`371`	`+ {`
	`372`	`+ // We cannot detect this on Android at the moment. Even attempting to generate or import a 16K RSA key`
	`373`	`+ // may leave the error queue in the incorrect state. See https://github.com/google/conscrypt/issues/1507`
	`374`	`+ return false;`
	`375`	`+ }`
	`376`	`+`
`370`	`377`	`try`
`371`	`378`	`{`
`372`	`379`	`using (RSA rsa = RSAFactory.Create())`
Original file line number	Diff line number	Diff line change
`@@ -1022,7 +1022,7 @@ public void VerifyExpectedSignature_PssSha256_RSA2048()`
`1022`	`1022`	`modulus2048Signature);`
`1023`	`1023`	`}`
`1024`	`1024`
`1025`		`- [Fact]`
	`1025`	`+ [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]`
`1026`	`1026`	`public void VerifyExpectedSignature_PssSha256_RSA16384()`
`1027`	`1027`	`{`
`1028`	`1028`	`byte[] modulus2048Signature = (`
`@@ -1098,7 +1098,7 @@ public void VerifyExpectedSignature_PssSha256_RSA16384()`
`1098`	`1098`	`modulus2048Signature);`
`1099`	`1099`	`}`
`1100`	`1100`
`1101`		`- [Fact]`
	`1101`	`+ [ConditionalFact(typeof(ImportExport), nameof(ImportExport.Supports16384))]`
`1102`	`1102`	`public void VerifyExpectedSignature_PssSha384()`
`1103`	`1103`	`{`
`1104`	`1104`	`byte[] bigModulusSignature = (`