NetDB: Disallow RSA for RI or LS

core/java/src/net/i2p/data/DatabaseEntry.java

@@ -13,6 +13,8 @@ import java.util.Arrays;
 
 import net.i2p.I2PAppContext;
 import net.i2p.crypto.DSAEngine;
+import net.i2p.crypto.SigAlgo;
+import net.i2p.crypto.SigType;
 
 /**
  *<p>
@@ -206,6 +208,12 @@ public abstract class DatabaseEntry extends DataStructureImpl {
         if (data == null)
             return false;
         // if the data is non-null the SPK will be non-null
-        return DSAEngine.getInstance().verifySignature(_signature, data, getSigningPublicKey());
+        SigningPublicKey spk = getSigningPublicKey();
+        SigType type = spk.getType();
+        // As of 0.9.28, disallow RSA as it's so slow it could be
+        // used as a DoS
+        if (type == null || type.getBaseAlgorithm() == SigAlgo.RSA)
+            return false;
+        return DSAEngine.getInstance().verifySignature(_signature, data, spk);
     }
 }

router/java/src/net/i2p/router/networkdb/kademlia/KademliaNetworkDatabaseFacade.java

@@ -19,6 +19,7 @@ import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 
+import net.i2p.crypto.SigAlgo;
 import net.i2p.crypto.SigType;
 import net.i2p.data.Certificate;
 import net.i2p.data.DatabaseEntry;
@@ -1080,7 +1081,7 @@ public class KademliaNetworkDatabaseFacade extends NetworkDatabaseFacade {
                     try {
                         KeyCertificate kc = c.toKeyCertificate();
                         SigType type = kc.getSigType();
-                        if (type == null || !type.isAvailable()) {
+                        if (type == null || !type.isAvailable() || type.getBaseAlgorithm() == SigAlgo.RSA) {
                             failPermanently(d);
                             String stype = (type != null) ? type.toString() : Integer.toString(kc.getSigTypeCode());
                             if (_log.shouldLog(Log.WARN))