

Default to 2048-bit RSA now
1024-bit RSA has been disallowed by our underlying libraries for a while
now. We should choose a better default. Currently 2048-bit works with
DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately
clear when FUTURE will become default, but we can always update again
later when that occurs.

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy committed Jun 17, 2021
1 parent 81adace commit edbc59c
Showing 7 changed files with 26 additions and 26 deletions.
6 changes: 3 additions & 3 deletions base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
Expand Up @@ -466,13 +466,13 @@ function validate()
var signKeyType = "rsa-sign";
var dualKeyType = "rsa-dual-use";
var encKeyParams = null;
var encKeySize = 1024;
var encKeySize = 2048;
var signKeyParams = null;
var signKeySize = 1024;
var signKeySize = 2048;
var keyParams = null;
// Give this default because the ECC crytpo codes requires and integer
// for this value even if presenting ECC curve name parameter.
var keySize = 1024;
var keySize = 2048;

try {
if (dual == 'true') {
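Review bot: The same default now appears as three separate literals (`encKeySize`, `signKeySize`, `keySize`), which is exactly how the 1024 value went stale in one place but not another. Declaring it once, `var defaultKeySize = 2048;`, and assigning `var encKeySize = defaultKeySize;` (likewise for `signKeySize` and `keySize`) means the next policy bump is a one-line change. The existing comment above `keySize` explains the ECC case but says nothing about why 2048 was chosen; a short note such as `// 2048-bit minimum: 1024-bit RSA is rejected by the underlying crypto libraries` would record the reason. The enclosing `validate()` function starts and ends outside this hunk.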
Expand Up @@ -105,7 +105,7 @@ public static List<String> getValidUsagesList() {
public static void main(String[] args) {
AsymKeyGenerationRequest request = new AsymKeyGenerationRequest();
request.setKeyAlgorithm(KeyRequestResource.RSA_ALGORITHM);
request.setKeySize(1024);
request.setKeySize(2048);
request.setClientKeyId("vek12345");
List<String> usages = new ArrayList<>();
usages.add(AsymKeyGenerationRequest.ENCRYPT);
Expand Up @@ -168,7 +168,7 @@ private void processServerSideKeyGen(HttpServletRequest req,

// keysize is for non-EC (EC uses keycurve)
if (!rKeytype.equals("EC") && ((rKeysize == null) || (rKeysize.equals("")))) {
rKeysize = "1024"; // default to 1024
rKeysize = "2048"; // default to 2048
}

if (rKeytype.equals("EC")) {
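Review bot: The new default only fills in a missing or empty `rKeysize`; a client that explicitly sends `"1024"` still passes through here and, per the commit message, will fail later inside the crypto library with a far less informative error. Unless this is validated further down, a check after the default such as `if (!rKeytype.equals("EC") && Integer.parseInt(rKeysize) < 2048) { /* reject with a clear "key size too small" error */ }` would surface the policy where the value is chosen rather than at key generation time. The trailing comment `// default to 2048` merely restates the assignment and will drift again on the next bump; `// applied when the client omits keysize; 1024-bit RSA is no longer accepted by the underlying libraries` records the reason instead. `processServerSideKeyGen` starts and ends outside this hunk.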
34 changes: 17 additions & 17 deletions base/tps/shared/conf/CS.cfg
Expand Up @@ -322,7 +322,7 @@ op.enroll.delegateIEtoken.keyGen.authentication.certAttrId=c3
op.enroll.delegateIEtoken.keyGen.authentication.certId=C3
op.enroll.delegateIEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateIEtoken.keyGen.authentication.keySize=1024
op.enroll.delegateIEtoken.keyGen.authentication.keySize=2048
op.enroll.delegateIEtoken.keyGen.authentication.keyUsage=0
op.enroll.delegateIEtoken.keyGen.authentication.keyUser=0
op.enroll.delegateIEtoken.keyGen.authentication.label=authentication key for $userid$
Expand Down Expand Up @@ -505,7 +505,7 @@ op.enroll.delegateISEtoken.keyGen.authentication.certAttrId=c3
op.enroll.delegateISEtoken.keyGen.authentication.certId=C3
op.enroll.delegateISEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.authentication.keySize=1024
op.enroll.delegateISEtoken.keyGen.authentication.keySize=2048
op.enroll.delegateISEtoken.keyGen.authentication.keyUsage=0
op.enroll.delegateISEtoken.keyGen.authentication.keyUser=0
op.enroll.delegateISEtoken.keyGen.authentication.label=authentication key for $userid$
Expand Down Expand Up @@ -572,7 +572,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.certAttrId=c2
op.enroll.delegateISEtoken.keyGen.encryption.certId=C2
op.enroll.delegateISEtoken.keyGen.encryption.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.encryption.keySize=1024
op.enroll.delegateISEtoken.keyGen.encryption.keySize=2048
op.enroll.delegateISEtoken.keyGen.encryption.keyUsage=0
op.enroll.delegateISEtoken.keyGen.encryption.keyUser=0
op.enroll.delegateISEtoken.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -647,7 +647,7 @@ op.enroll.delegateISEtoken.keyGen.signing.certAttrId=c1
op.enroll.delegateISEtoken.keyGen.signing.certId=C1
op.enroll.delegateISEtoken.keyGen.signing.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.signing.keySize=1024
op.enroll.delegateISEtoken.keyGen.signing.keySize=2048
op.enroll.delegateISEtoken.keyGen.signing.keyUsage=0
op.enroll.delegateISEtoken.keyGen.signing.keyUser=0
op.enroll.delegateISEtoken.keyGen.signing.label=signing key for $userid$
Expand Down Expand Up @@ -916,7 +916,7 @@ op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId=c3
op.enroll.externalRegISEtoken.keyGen.authentication.certId=C3
op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.authentication.keySize=1024
op.enroll.externalRegISEtoken.keyGen.authentication.keySize=2048
op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.authentication.keyUser=0
op.enroll.externalRegISEtoken.keyGen.authentication.label=authentication key for $userid$
Expand Down Expand Up @@ -983,7 +983,7 @@ op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId=c2
op.enroll.externalRegISEtoken.keyGen.encryption.certId=C2
op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.encryption.keySize=1024
op.enroll.externalRegISEtoken.keyGen.encryption.keySize=2048
op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.encryption.keyUser=0
op.enroll.externalRegISEtoken.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -1062,7 +1062,7 @@ op.enroll.externalRegISEtoken.keyGen.signing.certAttrId=c1
op.enroll.externalRegISEtoken.keyGen.signing.certId=C1
op.enroll.externalRegISEtoken.keyGen.signing.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.signing.keySize=1024
op.enroll.externalRegISEtoken.keyGen.signing.keySize=2048
op.enroll.externalRegISEtoken.keyGen.signing.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.signing.keyUser=0
op.enroll.externalRegISEtoken.keyGen.signing.label=signing key for $userid$
Expand Down Expand Up @@ -1194,7 +1194,7 @@ op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollmen
op.enroll.soKey.keyGen.encryption.certAttrId=c2
op.enroll.soKey.keyGen.encryption.certId=C2
op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
op.enroll.soKey.keyGen.encryption.keySize=1024
op.enroll.soKey.keyGen.encryption.keySize=2048
op.enroll.soKey.keyGen.encryption.keyUsage=0
op.enroll.soKey.keyGen.encryption.keyUser=0
op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -1267,7 +1267,7 @@ op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.soKey.keyGen.signing.certAttrId=c1
op.enroll.soKey.keyGen.signing.certId=C1
op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
op.enroll.soKey.keyGen.signing.keySize=1024
op.enroll.soKey.keyGen.signing.keySize=2048
op.enroll.soKey.keyGen.signing.keyUsage=0
op.enroll.soKey.keyGen.signing.keyUser=0
op.enroll.soKey.keyGen.signing.label=signing key for $userid$
Expand Down Expand Up @@ -1345,7 +1345,7 @@ op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
op.enroll.soKeyTemporary.keyGen.auth.certId=C0
op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
op.enroll.soKeyTemporary.keyGen.auth.keySize=2048
op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
Expand Down Expand Up @@ -1386,7 +1386,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptio
op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.soKeyTemporary.keyGen.encryption.keySize=2048
op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -1437,7 +1437,7 @@ op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEn
op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
op.enroll.soKeyTemporary.keyGen.signing.certId=C1
op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
op.enroll.soKeyTemporary.keyGen.signing.keySize=2048
op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
Expand Down Expand Up @@ -1518,7 +1518,7 @@ op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollm
op.enroll.userKey.keyGen.encryption.certAttrId=c2
op.enroll.userKey.keyGen.encryption.certId=C2
op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
op.enroll.userKey.keyGen.encryption.keySize=1024
op.enroll.userKey.keyGen.encryption.keySize=2048
op.enroll.userKey.keyGen.encryption.keyUsage=0
op.enroll.userKey.keyGen.encryption.keyUser=0
op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -1591,7 +1591,7 @@ op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.userKey.keyGen.signing.certAttrId=c1
op.enroll.userKey.keyGen.signing.certId=C1
op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.keySize=2048
op.enroll.userKey.keyGen.signing.keyUsage=0
op.enroll.userKey.keyGen.signing.keyUser=0
op.enroll.userKey.keyGen.signing.label=signing key for $userid$
Expand Down Expand Up @@ -1682,7 +1682,7 @@ op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollme
op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
op.enroll.userKeyTemporary.keyGen.auth.certId=C0
op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
op.enroll.userKeyTemporary.keyGen.auth.keySize=2048
op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
Expand Down Expand Up @@ -1723,7 +1723,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncrypt
op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.userKeyTemporary.keyGen.encryption.keySize=2048
op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
Expand Down Expand Up @@ -1774,7 +1774,7 @@ op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKey
op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
op.enroll.userKeyTemporary.keyGen.signing.certId=C1
op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
op.enroll.userKeyTemporary.keyGen.signing.keySize=2048
op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
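Review bot: The man page for this exact property, `docs/manuals/man5/pki-tps-profile.5.md`, still states "The maximum value is 1024." immediately below the example that this commit updates to 2048, so the shipped documentation now contradicts the shipped defaults; that sentence should be corrected in the same change. If that statement reflected a real limit of the smart-card tokens these profiles enroll, raising every `keySize` to 2048 could also fail enrollment on tokens that cannot generate 2048-bit RSA keys, which is worth confirming against the supported token types before release. A one-line comment at the top of the keyGen blocks, `# keySize below 2048 is rejected by the underlying crypto libraries`, would tell administrators why the value must not be lowered.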
Expand Up @@ -2251,7 +2251,7 @@ private void generateCertificate(EnrolledCertsInfo certsInfo, SecureChannel chan
logger.debug(method + ": publicKeyAttrId: " + publicKeyAttrId);

configName = keyTypePrefix + ".keySize";
int keySize = configStore.getInteger(configName, 1024);
int keySize = configStore.getInteger(configName, 2048);
logger.debug(method + ": keySize: " + keySize);

//Default RSA_CRT=2
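Review bot: The fallback `configStore.getInteger(configName, 2048)` hard-codes the same policy value that CS.cfg ships for every `keyGen.<keyType>.keySize`, and the same literal recurs in `processServerSideKeyGen`, so the three will drift apart on the next bump. A named constant, `private static final int DEFAULT_KEY_SIZE = 2048;`, referenced as `configStore.getInteger(configName, DEFAULT_KEY_SIZE)`, keeps one authoritative value and gives the debug log line a name to cite. It is not visible here whether a configured value below 2048 is rejected before use; if not, the fallback alone does not prevent a stale profile from still requesting a 1024-bit key. `generateCertificate` starts and ends outside this hunk.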
2 changes: 1 addition & 1 deletion docs/manuals/man1/KRATool.1.md
Expand Up @@ -196,7 +196,7 @@ extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-keysize: 2048
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
4 changes: 2 additions & 2 deletions docs/manuals/man5/pki-tps-profile.5.md
Expand Up @@ -17,7 +17,7 @@ Token profiles are defined using properties in the TPS configuration file.
The following property sets the size of the key the token should generate:

```
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
```

The maximum value is 1024.
Expand Down Expand Up @@ -95,7 +95,7 @@ and which PIN user should be granted:

```
op.enroll.<tokenType>.keyGen.<keyType>.alg=2
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
```
