From fa54cbf4c0a9320c9d6cda2b20c2431e0bbe6f43 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Aug 06 2021 14:13:44 +0000 Subject: [PATCH 1/2] Increase minimum allowed RSA key size to 1024 Better late than never. https://pagure.io/certmonger/issue/211 Signed-off-by: Rob Crittenden --- diff --git a/configure.ac b/configure.ac index 8bfa3fa..7b6e65f 100644 --- a/configure.ac +++ b/configure.ac @@ -717,7 +717,7 @@ if ! ${configure_dist_target_only:-false} ; then CM_DEFAULT_PUBKEY_SIZE=2048 AC_DEFINE_UNQUOTED(CM_DEFAULT_PUBKEY_SIZE,$CM_DEFAULT_PUBKEY_SIZE,[Define to the default public key size.]) AC_SUBST(CM_DEFAULT_PUBKEY_SIZE) - CM_MINIMUM_RSA_KEY_SIZE=512 + CM_MINIMUM_RSA_KEY_SIZE=1024 CM_MINIMUM_DSA_KEY_SIZE=512 CM_MINIMUM_EC_KEY_SIZE=256 AC_DEFINE_UNQUOTED(CM_MINIMUM_RSA_KEY_SIZE,$CM_MINIMUM_RSA_KEY_SIZE,[Define to the minimum key size when generating RSA keys. Requests to generate smaller keys will be forced to this key size.]) From c50fa8609169ee886c4b278a8c2702a5c4409d97 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Aug 06 2021 14:13:44 +0000 Subject: [PATCH 2/2] Make the default RSA key size configurable There is still a compiled-in default (currently 2048) but this can be overridden in certmonger.conf with the rsa_key_size setting in the default section. This will allow users to increase the minimum size without changing the default behavior for others. https://pagure.io/certmonger/issue/211 Signed-off-by: Rob Crittenden --- diff --git a/configure.ac b/configure.ac index 7b6e65f..0f857a6 100644 --- a/configure.ac +++ b/configure.ac 
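Review bot: The new floor `CM_MINIMUM_RSA_KEY_SIZE=1024` is still below the 2048-bit minimum that current guidance (for example NIST SP 800-131A) sets for RSA, and the neighbouring context line `CM_MINIMUM_DSA_KEY_SIZE=512` is left unchanged. Because the define's description says smaller requests are forced up to this size, this value is the weakest RSA key the daemon will generate on request. If 1024 is deliberate for compatibility, record that next to the assignment, e.g. `dnl 1024 retained for compatibility; 2048 is the recommended floor`. Otherwise consider `CM_MINIMUM_RSA_KEY_SIZE=2048` and raising the DSA value in the same change.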
@@ -718,6 +718,7 @@ if ! ${configure_dist_target_only:-false} ; then AC_DEFINE_UNQUOTED(CM_DEFAULT_PUBKEY_SIZE,$CM_DEFAULT_PUBKEY_SIZE,[Define to the default public key size.]) AC_SUBST(CM_DEFAULT_PUBKEY_SIZE) CM_MINIMUM_RSA_KEY_SIZE=1024 + AC_SUBST(CM_MINIMUM_RSA_KEY_SIZE) CM_MINIMUM_DSA_KEY_SIZE=512 CM_MINIMUM_EC_KEY_SIZE=256 AC_DEFINE_UNQUOTED(CM_MINIMUM_RSA_KEY_SIZE,$CM_MINIMUM_RSA_KEY_SIZE,[Define to the minimum key size when generating RSA keys. Requests to generate smaller keys will be forced to this key size.]) diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in index 80de748..6a42d3c 100644 --- a/src/certmonger.conf.5.in +++ b/src/certmonger.conf.5.in @@ -49,6 +49,12 @@ signing requests, and used when self\-signing certificates. @MAN_EC@\fIEC\fR (also known as \fIECDSA\fR) is also supported. The default is \fIRSA\fP. +.IP rsa_key_size +This is the size of an RSA key if the value is not included in +a certificate request. If this value is not set then the default is +@CM_DEFAULT_PUBKEY_SIZE@. The minimum value allowed +is @CM_MINIMUM_RSA_KEY_SIZE@. + .IP symmetric_cipher This is the symmetric cipher which will be used to encrypt private keys stored in OpenSSL's PEM format. Recognized values include \fIaes128\fP and diff --git a/src/getcert-request.1.in b/src/getcert-request.1.in index f089665..de286ba 100644 --- a/src/getcert-request.1.in +++ b/src/getcert-request.1.in @@ -61,7 +61,8 @@ type of the keys to be generated. If not specified, a reasonable default \fB\-g\fR \fIBITS\fR, \fB\-\-key\-size\fR=\fIBITS\fR In case a new key pair needs to be generated, this option specifies the size of the key. If not specified, a reasonable default (currently -@CM_DEFAULT_PUBKEY_SIZE@ bits) will be used. +@CM_DEFAULT_PUBKEY_SIZE@ bits) will be used. See \fBcertmonger.conf\fR(5) +for configuration of the default. .SH TRACKING OPTIONS .TP diff --git a/src/prefs.c b/src/prefs.c index ab363bb..669e8f1 100644 --- a/src/prefs.c +++ b/src/prefs.c 
@@ -520,6 +520,23 @@ cm_prefs_preferred_key_algorithm(void) return CM_DEFAULT_PUBKEY_TYPE; } +int +cm_prefs_preferred_rsa_key_size(void) +{ + char *keysize; + keysize = cm_prefs_config(NULL, "rsa_key_size"); + int size = CM_DEFAULT_PUBKEY_SIZE; + + if (keysize != NULL) { + size = atoi(keysize); + if ((size == 0) || (size < CM_MINIMUM_RSA_KEY_SIZE)) { + size = CM_DEFAULT_PUBKEY_SIZE; + } + free(keysize); + } + return size; +} + const char * cm_prefs_nss_ca_trust(void) { diff --git a/src/prefs.h b/src/prefs.h index 349ec64..248e101 100644 --- a/src/prefs.h +++ b/src/prefs.h @@ -43,6 +43,7 @@ enum cm_key_storage_type; enum cm_cert_storage_type; enum cm_key_algorithm cm_prefs_preferred_key_algorithm(void); +int cm_prefs_preferred_rsa_key_size(void); enum cm_prefs_cipher cm_prefs_preferred_cipher(void); enum cm_prefs_digest cm_prefs_preferred_digest(void); int cm_prefs_notify_ttls(const time_t **ttls, unsigned int *n_ttls); diff --git a/src/tdbush.c b/src/tdbush.c index 6fc1b4b..1c74a4d 100644 --- a/src/tdbush.c +++ b/src/tdbush.c @@ -1330,7 +1330,7 @@ base_add_request(DBusConnection *conn, DBusMessage *msg, if (param != NULL) { new_entry->cm_key_type.cm_key_gen_size = param->value.n; } else { - new_entry->cm_key_type.cm_key_gen_size = CM_DEFAULT_PUBKEY_SIZE; + new_entry->cm_key_type.cm_key_gen_size = cm_prefs_preferred_rsa_key_size(); } switch (new_entry->cm_key_type.cm_key_gen_algorithm) { case cm_key_rsa: diff --git a/tests/014-prefs/expected.out b/tests/014-prefs/expected.out index cc747bd..7f92185 100644 --- a/tests/014-prefs/expected.out +++ b/tests/014-prefs/expected.out 
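Review bot: `atoi()` in `cm_prefs_preferred_rsa_key_size()` cannot tell a malformed `rsa_key_size` from a valid one: a value such as `4096bits` is accepted as 4096, and a number that does not fit in an `int` is undefined behaviour. Parsing with `strtol()` and checking the end pointer, `errno` and the range closes that, as sketched below. If `cm_prefs_config()` does not trim trailing whitespace, the end-pointer check would need to skip it. The fallback to `CM_DEFAULT_PUBKEY_SIZE` is also silent, so an administrator who sets a too-small or mistyped value gets no sign that it was ignored; a log line at that point would help. No upper bound is applied here, and whether key generation caps the size elsewhere is not visible in this hunk.

```c
int
cm_prefs_preferred_rsa_key_size(void)
{
	char *keysize, *end;
	long parsed;
	int size = CM_DEFAULT_PUBKEY_SIZE;

	keysize = cm_prefs_config(NULL, "rsa_key_size");
	if (keysize != NULL) {
		errno = 0;
		parsed = strtol(keysize, &end, 10);
		/* Accept only a complete decimal number in [minimum, INT_MAX]. */
		if ((end != keysize) && (*end == '\0') && (errno == 0) &&
		    (parsed >= CM_MINIMUM_RSA_KEY_SIZE) && (parsed <= INT_MAX)) {
			size = (int) parsed;
		}
		free(keysize);
	}
	return size;
}
```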
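Review bot: In the `src/tdbush.c` hunk the RSA-specific preference is assigned to `cm_key_gen_size` before the `switch` on `cm_key_gen_algorithm`, so a DSA or EC request that omits the size also starts from `rsa_key_size`. With a larger RSA default configured, what such a request ends up with depends on the per-algorithm handling inside the switch, which is outside this hunk, so this needs confirming. If the size is not normalised there, take the preference only for RSA, e.g. `new_entry->cm_key_type.cm_key_gen_size = (new_entry->cm_key_type.cm_key_gen_algorithm == cm_key_rsa) ? cm_prefs_preferred_rsa_key_size() : CM_DEFAULT_PUBKEY_SIZE;`. `base_add_request` begins and ends outside the hunk.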
@@ -4,28 +4,40 @@ digest: SHA256 notify_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 enroll_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 notification: SYSLOG:daemon.notice +RSA key size: default [Empty defaults.] cipher: AES128 digest: SHA256 notify_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 enroll_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 notification: SYSLOG:daemon.notice +RSA key size: default [Other settings.] cipher: AES128 digest: SHA1 notify_ttls: 30, 60, 90 enroll_ttls: 30, 60, 90 notification: MAILTO:root +RSA key size: default [Other settings.] cipher: AES128 digest: SHA512 notify_ttls: 86400, 604800, 1209600, 2419200, 31536000 enroll_ttls: 86400, 604800, 1209600, 2419200, 31536000 notification: MAILTO:root +RSA key size: default [TTL settings compatibility and notification commands.] cipher: AES128 digest: SHA256 notify_ttls: 86400, 604800, 1209600 enroll_ttls: 86400, 604800, 1209600, 2419200 notification: COMMAND:logger "The sky is falling!" +RSA key size: default +[RSA key size default.] +cipher: AES128 +digest: SHA256 +notify_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 +enroll_ttls: 3600, 7200, 21600, 43200, 86400, 172800, 259200, 604800, 2419200 +notification: SYSLOG:daemon.notice +RSA key size: 4096 [Test complete.] diff --git a/tests/014-prefs/run.sh b/tests/014-prefs/run.sh index 1b8a4c5..5ea54cc 100755 --- a/tests/014-prefs/run.sh +++ b/tests/014-prefs/run.sh @@ -50,4 +50,11 @@ notification_destination = logger "The sky is falling!" EOF $toolsdir/prefs +echo '['RSA key size default.']' +cat > certmonger.conf << EOF +[defaults] +rsa_key_size = 4096 +EOF +$toolsdir/prefs + echo '['Test complete.']' diff --git a/tests/tools/prefs.c b/tests/tools/prefs.c index 9e9f136..63c6f7f 100644 --- a/tests/tools/prefs.c +++ b/tests/tools/prefs.c 
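Review bot: The case added to `tests/014-prefs/run.sh` only exercises an accepted value (`rsa_key_size = 4096`), so nothing covers the fallback branch of `cm_prefs_preferred_rsa_key_size()`. Adding cases with a value below the minimum and a non-numeric one, for example `rsa_key_size = 512` and `rsa_key_size = abc`, each expected to print `RSA key size: default`, would pin the rejection behaviour. Without them, a later change to the parsing or the minimum could start accepting weak sizes without any test failing.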
@@ -110,6 +110,12 @@ main(int argc, char **argv) printf("notification: COMMAND:%s\n", dest); break; } + if (cm_prefs_preferred_rsa_key_size() == CM_DEFAULT_PUBKEY_SIZE) { + // So we don't have to dynamically update expected.out + printf("RSA key size: default\n"); + } else { + printf("RSA key size: %d\n", cm_prefs_preferred_rsa_key_size()); + } return 0; }