Unable to use 8192 RSA certificate

[dns2utf8]

I found a strange problem: I can not load keys bigger than 4096.
For testing I used these commands

	# the 8k one does not run with rustls, but does with openssl
	#openssl req -x509 -sha256 -newkey rsa:8192 -keyout key.pem -out cert.pem -days 365
	openssl req -x509 -sha256 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
	openssl rsa -in key.pem -out key_decrypted.pem

and this rust code to load my key:

fn get_rustls_acceptor() -> Result<ServerConfig, rustls::TLSError> {
    use rustls::internal::pemfile::{certs, rsa_private_keys};
    use std::io::BufReader;

    let mut config = ServerConfig::new(NoClientAuth::new());

    let cert_file = &mut BufReader::new(File::open("cert.pem").expect("unable to read cert.pem"));
    let key_file = &mut BufReader::new(File::open("key_decrypted.pem").expect("unable to read key_decrypted.pem"));

    let cert_chain = certs(cert_file).expect("unable to construct certificate chain");

    let mut keys = rsa_private_keys(key_file).expect("unable to construct keys");

    config.set_single_cert(cert_chain, keys.pop().expect("no private keys found or unable to read, is it encrypted?"))?;

    Ok(config)
}

When I run it with the 8k key it panics:

thread 'main' panicked at 'unable to initialize TLS: General("invalid private key")'

Since the keys work with native-tls and openssl I am wondering if there is some sort of strange limit in rustls?

Best,
Stefan

[ctz]

As discussed on briansmith/ring#843 this is a restriction in ring (and, IMO, a reasonable one, since I think 8K RSA keys are not sensible given the security level/performance/size tradeoff)