From 06f9892501b9fb9c14b73fdd95a4d9ff8eae9301 Mon Sep 17 00:00:00 2001
From: "Greg T. Wallace"
Date: Mon, 24 Jun 2024 18:23:02 -0400
Subject: [PATCH] add rsa 3,072 bit support

---
 README.md | 13 +++++++------
 pkg/pkcs15/pem_decode.go | 6 +++---
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index b41e8f3..541a046 100644
--- a/README.md
+++ b/README.md
@@ -58,14 +58,15 @@ and licensed under the GPL-3.0 license. Both NMC2 and NMC3 devices should be fully supported. However, I have one NMC2 device in a home lab and have no way to guarantee success in all cases. -Only RSA 1,024 and 2,048 bit keys are accepted. 1,024 bit RSA is no longer -considered completely secure; avoid keys of this size if possible. Most +Only RSA 1,024, 2,048, and 3,072 bit keys are accepted. 1,024 bit RSA is no +longer considered completely secure; avoid keys of this size if possible. Most (all?) public ACME services won't accept keys of this size anyway. -Even though later versions of the NMC3 firmware supports RSA 4,096 and -ECDSA keys, this tool does not. These options were not available in APC's -proprietary tool, and as such I have no way to generate files to reverse -engineer. +NMC2 does not officially support the 3,072 bit key size, however, it works fine +on my NMC2. If you use this size and it doesn't work on your NMC2, try a 2,048 +bit key instead. Later versions of the NMC3 firmware support RSA 4,096 and +ECDSA keys, but this tool does not. ECDSA was not included in APC's proprietary +tool, and as such I have no way to generate files to reverse engineer. My setup (and therefore the testing setup) is: - APC Smart-UPS 1500VA RM 2U SUA1500RM2U (Firmware Revision 667.18.D)
diff --git a/pkg/pkcs15/pem_decode.go b/pkg/pkcs15/pem_decode.go
index d4b8764..1fab7d0 100644
--- a/pkg/pkcs15/pem_decode.go
+++ b/pkg/pkcs15/pem_decode.go
@@ -13,7 +13,7 @@ var (
 errPemKeyBadBlock = errors.New("pkcs15: pem key: failed to decode pem block")
 errPemKeyFailedToParse = errors.New("pkcs15: pem key: failed to parse key")
 errPemKeyWrongBlockType = errors.New("pkcs15: pem key: unsupported pem block type (only pkcs1 and pkcs8 supported)")
- errPemKeyWrongType = errors.New("pkcs15: pem key: unsupported key type (only rsa 1,024 or 2,048 supported)")
+ errPemKeyWrongType = errors.New("pkcs15: pem key: unsupported key type (only rsa 1,024, 2,048, and 3,072 supported)")
 
 errPemCertBadBlock = errors.New("pkcs15: pem cert: failed to decode pem block")
 errPemCertFailedToParse = errors.New("pkcs15: pem cert: failed to parse cert")
@@ -48,7 +48,7 @@ func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) {
 }
 
 // verify proper bitlen
- if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 {
+ if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 && rsaKey.N.BitLen() != 3072 {
 return nil, errPemKeyWrongType
 }
 
@@ -71,7 +71,7 @@ func pemKeyDecode(keyPem []byte) (*rsa.PrivateKey, error) {
 }
 
 // verify proper bitlen
- if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 {
+ if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 && rsaKey.N.BitLen() != 3072 {
 return nil, errPemKeyWrongType
 }
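Review bot: The accepted RSA modulus sizes are now spelled out in three places in pem_decode.go — the errPemKeyWrongType string in the first hunk and the two identical `if rsaKey.N.BitLen() != 1024 && rsaKey.N.BitLen() != 2048 && rsaKey.N.BitLen() != 3072` conditions in the hunks at old line 48 and old line 71 — so the next size change has to touch all three and the two decode branches can drift apart unnoticed (the line-71 hunk is named here rather than repeated). Folding the check into one unexported predicate declared next to the error variables keeps the list in one spot and gives the error string a comment to point at. Both hunks sit inside pemKeyDecode, whose start and end are outside the hunks, so I cannot see whether `rsaKey.Validate()` runs before this size check; if it does not, the size check alone accepts a structurally inconsistent key, and a Validate() call ahead of it would be worth adding. With the helper below each call site becomes `if !supportedRSAKeySize(rsaKey) { return nil, errPemKeyWrongType }`.
```go
// supportedRSAKeySize reports whether the key's modulus is one of the sizes
// accepted here; keep this list in step with errPemKeyWrongType.
func supportedRSAKeySize(k *rsa.PrivateKey) bool {
	switch k.N.BitLen() {
	case 1024, 2048, 3072:
		return true
	}
	return false
}

	// verify proper bitlen
	if !supportedRSAKeySize(rsaKey) {
		return nil, errPemKeyWrongType
	}
	// … unchanged: identical replacement at the second check (old line 71) …
```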