Update rsa-helper

Add read limit for key loader in signer

go.mod

@@ -5,7 +5,7 @@ go 1.22
 toolchain go1.22.3
 
 require (
-	github.com/1f349/rsa-helper v0.0.1
+	github.com/1f349/rsa-helper v0.0.2
 	github.com/becheran/wildmatch-go v1.0.0
 	github.com/golang-jwt/jwt/v4 v4.5.0
 	github.com/google/subcommands v1.2.0

go.sum

@@ -1,5 +1,5 @@
-github.com/1f349/rsa-helper v0.0.1 h1:Ec/MXHR2eIpLgIR69eqhCV2o8OOBs2JZNAkEhW7HQks=
+github.com/1f349/rsa-helper v0.0.2 h1:N/fLQqg5wrjIzG6G4zdwa5Xcv9/jIPutCls9YekZr9U=
-github.com/1f349/rsa-helper v0.0.1/go.mod h1:VUQ++1tYYhYrXeOmVFkQ82BegR24HQEJHl5lHbjg7yg=
+github.com/1f349/rsa-helper v0.0.2/go.mod h1:VUQ++1tYYhYrXeOmVFkQ82BegR24HQEJHl5lHbjg7yg=
 github.com/becheran/wildmatch-go v1.0.0 h1:mE3dGGkTmpKtT4Z+88t8RStG40yN9T+kFEGj2PZFSzA=
 github.com/becheran/wildmatch-go v1.0.0/go.mod h1:gbMvj0NtVdJ15Mg/mH9uxk2R1QCistMyU7d9KFzroX4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=

signer.go

@@ -11,6 +11,8 @@ import (
 	"time"
 )
 
+const readLimit = 10240 // 10 KiB
+
 var ErrNoPrivateKeyFound = errors.New("no private key found")
 
 // defaultMJwtSigner implements Signer and uses an rsa.PrivateKey and issuer name
@@ -181,15 +183,22 @@ func readOrCreatePrivateKey(file string, random io.Reader, bits int) (*rsa.Priva
 	}
 }
 
-// readOrEmptyFile returns bytes and errors from os.ReadFile or (nil, nil) if the
+// readOrEmptyFile returns bytes and errors from os.OpenFile or (nil, nil) if the
 // file does not exist.
 func readOrEmptyFile(file string) ([]byte, error) {
-	raw, err := os.ReadFile(file)
+	fp, err := os.Open(file)
-	if err == nil {
+	if err != nil {
-		return raw, nil
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, err
 	}
-	if os.IsNotExist(err) {
+	defer func() { _ = fp.Close() }()
-		return nil, nil
+	// add hard limit
+	limitReader := io.LimitReader(fp, readLimit)
+	raw, err := io.ReadAll(limitReader)
+	if err != nil {
+		return nil, err
 	}
-	return nil, err
+	return raw, nil
 }