From edbc59c97312c45a04e4a9bf853b3817226117b2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 11 Feb 2021 07:32:27 -0500
Subject: [PATCH] Default to 2048-bit RSA now 1024-bit RSA has been disallowed by our underlying libraries for a while now. We should choose a better default. Currently 2048-bit works with DEFAULT and FIPS, but FUTURE is defaulting to 3072. It isn't immediately clear when FUTURE will become default, but we can always update again later when that occurs.
Signed-off-by: Alexander Scheel
---
 .../webapps/ca/ee/ca/ProfileSelect.template | 6 ++--
 .../certsrv/key/AsymKeyGenerationRequest.java | 2 +-
 .../connector/GenerateKeyPairServlet.java | 2 +-
 base/tps/shared/conf/CS.cfg | 34 +++++++++----------
 .../tps/processor/TPSEnrollProcessor.java | 2 +-
 docs/manuals/man1/KRATool.1.md | 2 +-
 docs/manuals/man5/pki-tps-profile.5.md | 4 +--
 7 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
index be2caefb2a1..e9cf19cf0ac 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
@@ -466,13 +466,13 @@ function validate() var signKeyType = "rsa-sign"; var dualKeyType = "rsa-dual-use"; var encKeyParams = null; - var encKeySize = 1024; + var encKeySize = 2048; var signKeyParams = null; - var signKeySize = 1024; + var signKeySize = 2048; var keyParams = null; // Give this default because the ECC crytpo codes requires and integer // for this value even if presenting ECC curve name parameter. - var keySize = 1024; + var keySize = 2048; try { if (dual == 'true') {
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
index 713122d383e..c21e2609768 100644
--- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
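Review bot: The three defaults in the new lines (`encKeySize`, `signKeySize`, `keySize`) are separate literals that have to be bumped in lockstep by hand, as this commit itself shows; a single `var DEFAULT_RSA_KEY_SIZE = 2048;` near the top of validate(), with `var encKeySize = DEFAULT_RSA_KEY_SIZE;` and likewise for the other two, would make the next bump a one-line change. While in this spot, the adjacent context comment could be corrected to `// Give this default because the ECC crypto code requires an integer`. These values only seed the enrollment form on the client; whether a smaller size typed in by a user is accepted is presumably decided server-side (the KRA and TPS defaults change in the same commit), so this hunk does not by itself enforce the new minimum. validate() begins before this hunk and continues past it.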
+++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
@@ -105,7 +105,7 @@ public static List getValidUsagesList() {
 public static void main(String[] args) {
 AsymKeyGenerationRequest request = new AsymKeyGenerationRequest();
 request.setKeyAlgorithm(KeyRequestResource.RSA_ALGORITHM);
- request.setKeySize(1024);
+ request.setKeySize(2048);
 request.setClientKeyId("vek12345");
 List usages = new ArrayList<>();
 usages.add(AsymKeyGenerationRequest.ENCRYPT);
diff --git a/base/kra/src/main/java/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java b/base/kra/src/main/java/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
index efc532887d4..ade7dd6902d 100644
--- a/base/kra/src/main/java/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
+++ b/base/kra/src/main/java/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java
@@ -168,7 +168,7 @@ private void processServerSideKeyGen(HttpServletRequest req, // keysize is for non-EC (EC uses keycurve) if (!rKeytype.equals("EC") && ((rKeysize == null) || (rKeysize.equals("")))) { - rKeysize = "1024"; // default to 1024 + rKeysize = "2048"; // default to 2048 } if (rKeytype.equals("EC")) {
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 3774e10f72b..768c807efd7 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
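Review bot: `rKeysize = "2048"; // default to 2048` in GenerateKeyPairServlet restates the literal instead of the reason for it; the reason given in the commit message (1024-bit RSA is no longer accepted by the underlying library, 2048 is accepted under the DEFAULT and FIPS policies) is what a later reader needs. I would hoist the value into a class constant carrying that rationale as its comment, `private static final String DEFAULT_RSA_KEY_SIZE = "2048";`, and write `rKeysize = DEFAULT_RSA_KEY_SIZE;` here. The default only fills in a missing or empty keysize; a request that explicitly carries 1024 passes through this branch unchanged, and nothing visible in the hunk checks a lower bound, so the rejection would surface later from key generation rather than as a clear request error, which is worth a check here unless the rest of processServerSideKeyGen (outside the hunk) already does it. As a minor style point, `rKeysize.equals("")` reads better as `rKeysize.isEmpty()`.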
@@ -322,7 +322,7 @@ op.enroll.delegateIEtoken.keyGen.authentication.certAttrId=c3
 op.enroll.delegateIEtoken.keyGen.authentication.certId=C3
 op.enroll.delegateIEtoken.keyGen.authentication.cuid_label=$cuid$
 op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.delegateIEtoken.keyGen.authentication.keySize=1024
+op.enroll.delegateIEtoken.keyGen.authentication.keySize=2048
 op.enroll.delegateIEtoken.keyGen.authentication.keyUsage=0
 op.enroll.delegateIEtoken.keyGen.authentication.keyUser=0
 op.enroll.delegateIEtoken.keyGen.authentication.label=authentication key for $userid$
@@ -505,7 +505,7 @@ op.enroll.delegateISEtoken.keyGen.authentication.certAttrId=c3
 op.enroll.delegateISEtoken.keyGen.authentication.certId=C3
 op.enroll.delegateISEtoken.keyGen.authentication.cuid_label=$cuid$
 op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.delegateISEtoken.keyGen.authentication.keySize=1024
+op.enroll.delegateISEtoken.keyGen.authentication.keySize=2048
 op.enroll.delegateISEtoken.keyGen.authentication.keyUsage=0
 op.enroll.delegateISEtoken.keyGen.authentication.keyUser=0
 op.enroll.delegateISEtoken.keyGen.authentication.label=authentication key for $userid$
@@ -572,7 +572,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.certAttrId=c2
 op.enroll.delegateISEtoken.keyGen.encryption.certId=C2
 op.enroll.delegateISEtoken.keyGen.encryption.cuid_label=$cuid$
 op.enroll.delegateISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.delegateISEtoken.keyGen.encryption.keySize=1024
+op.enroll.delegateISEtoken.keyGen.encryption.keySize=2048
 op.enroll.delegateISEtoken.keyGen.encryption.keyUsage=0
 op.enroll.delegateISEtoken.keyGen.encryption.keyUser=0
 op.enroll.delegateISEtoken.keyGen.encryption.label=encryption key for $userid$
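Review bot: Changing `keySize=1024` to `2048` in the shipped CS.cfg template (this hunk and the matching ones at @@ -505 through @@ -1774) only affects new installations; an existing TPS instance keeps its own copy with `keySize=1024`, and since the commit message says 1024-bit RSA is already rejected by the underlying library, those profiles presumably keep failing until an upgrade step or a documented manual edit changes them. The commit would benefit from either an upgrade script or a release note saying so. The companion hunk in docs/manuals/man5/pki-tps-profile.5.md still reads `The maximum value is 1024.` directly under the example now set to 2048, which contradicts the new value and should be corrected in the same change.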
@@ -647,7 +647,7 @@ op.enroll.delegateISEtoken.keyGen.signing.certAttrId=c1
 op.enroll.delegateISEtoken.keyGen.signing.certId=C1
 op.enroll.delegateISEtoken.keyGen.signing.cuid_label=$cuid$
 op.enroll.delegateISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.delegateISEtoken.keyGen.signing.keySize=1024
+op.enroll.delegateISEtoken.keyGen.signing.keySize=2048
 op.enroll.delegateISEtoken.keyGen.signing.keyUsage=0
 op.enroll.delegateISEtoken.keyGen.signing.keyUser=0
 op.enroll.delegateISEtoken.keyGen.signing.label=signing key for $userid$
@@ -916,7 +916,7 @@ op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId=c3
 op.enroll.externalRegISEtoken.keyGen.authentication.certId=C3
 op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label=$cuid$
 op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.externalRegISEtoken.keyGen.authentication.keySize=1024
+op.enroll.externalRegISEtoken.keyGen.authentication.keySize=2048
 op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage=0
 op.enroll.externalRegISEtoken.keyGen.authentication.keyUser=0
 op.enroll.externalRegISEtoken.keyGen.authentication.label=authentication key for $userid$
@@ -983,7 +983,7 @@ op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId=c2
 op.enroll.externalRegISEtoken.keyGen.encryption.certId=C2
 op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label=$cuid$
 op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.externalRegISEtoken.keyGen.encryption.keySize=1024
+op.enroll.externalRegISEtoken.keyGen.encryption.keySize=2048
 op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage=0
 op.enroll.externalRegISEtoken.keyGen.encryption.keyUser=0
 op.enroll.externalRegISEtoken.keyGen.encryption.label=encryption key for $userid$
@@ -1062,7 +1062,7 @@ op.enroll.externalRegISEtoken.keyGen.signing.certAttrId=c1
 op.enroll.externalRegISEtoken.keyGen.signing.certId=C1
 op.enroll.externalRegISEtoken.keyGen.signing.cuid_label=$cuid$
 op.enroll.externalRegISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
-op.enroll.externalRegISEtoken.keyGen.signing.keySize=1024
+op.enroll.externalRegISEtoken.keyGen.signing.keySize=2048
 op.enroll.externalRegISEtoken.keyGen.signing.keyUsage=0
 op.enroll.externalRegISEtoken.keyGen.signing.keyUser=0
 op.enroll.externalRegISEtoken.keyGen.signing.label=signing key for $userid$
@@ -1194,7 +1194,7 @@ op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollmen
 op.enroll.soKey.keyGen.encryption.certAttrId=c2
 op.enroll.soKey.keyGen.encryption.certId=C2
 op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKey.keyGen.encryption.keySize=1024
+op.enroll.soKey.keyGen.encryption.keySize=2048
 op.enroll.soKey.keyGen.encryption.keyUsage=0
 op.enroll.soKey.keyGen.encryption.keyUser=0
 op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
@@ -1267,7 +1267,7 @@ op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.soKey.keyGen.signing.certAttrId=c1
 op.enroll.soKey.keyGen.signing.certId=C1
 op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKey.keyGen.signing.keySize=1024
+op.enroll.soKey.keyGen.signing.keySize=2048
 op.enroll.soKey.keyGen.signing.keyUsage=0
 op.enroll.soKey.keyGen.signing.keyUser=0
 op.enroll.soKey.keyGen.signing.label=signing key for $userid$
@@ -1345,7 +1345,7 @@ op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
 op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
 op.enroll.soKeyTemporary.keyGen.auth.certId=C0
 op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.soKeyTemporary.keyGen.auth.keySize=2048
 op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
 op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
 op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
@@ -1386,7 +1386,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptio
 op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
 op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
 op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.soKeyTemporary.keyGen.encryption.keySize=2048
 op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
 op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
 op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
@@ -1437,7 +1437,7 @@ op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEn
 op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
 op.enroll.soKeyTemporary.keyGen.signing.certId=C1
 op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.soKeyTemporary.keyGen.signing.keySize=2048
 op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
 op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
 op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
@@ -1518,7 +1518,7 @@ op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollm
 op.enroll.userKey.keyGen.encryption.certAttrId=c2
 op.enroll.userKey.keyGen.encryption.certId=C2
 op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKey.keyGen.encryption.keySize=1024
+op.enroll.userKey.keyGen.encryption.keySize=2048
 op.enroll.userKey.keyGen.encryption.keyUsage=0
 op.enroll.userKey.keyGen.encryption.keyUser=0
 op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
@@ -1591,7 +1591,7 @@ op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
 op.enroll.userKey.keyGen.signing.certAttrId=c1
 op.enroll.userKey.keyGen.signing.certId=C1
 op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKey.keyGen.signing.keySize=1024
+op.enroll.userKey.keyGen.signing.keySize=2048
 op.enroll.userKey.keyGen.signing.keyUsage=0
 op.enroll.userKey.keyGen.signing.keyUser=0
 op.enroll.userKey.keyGen.signing.label=signing key for $userid$
@@ -1682,7 +1682,7 @@ op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollme
 op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
 op.enroll.userKeyTemporary.keyGen.auth.certId=C0
 op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
+op.enroll.userKeyTemporary.keyGen.auth.keySize=2048
 op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
 op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
 op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
@@ -1723,7 +1723,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncrypt
 op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
 op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
 op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
+op.enroll.userKeyTemporary.keyGen.encryption.keySize=2048
 op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
 op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
 op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
@@ -1774,7 +1774,7 @@ op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKey
 op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
 op.enroll.userKeyTemporary.keyGen.signing.certId=C1
 op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
-op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
+op.enroll.userKeyTemporary.keyGen.signing.keySize=2048
 op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
 op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
 op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
diff --git a/base/tps/src/main/java/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/main/java/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 5906ffe2776..3ebd0f3bf9e 100644
--- a/base/tps/src/main/java/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/main/java/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -2251,7 +2251,7 @@ private void generateCertificate(EnrolledCertsInfo certsInfo, SecureChannel chan logger.debug(method + ": publicKeyAttrId: " + publicKeyAttrId); configName = keyTypePrefix + ".keySize"; - int keySize = configStore.getInteger(configName, 1024); + int keySize = configStore.getInteger(configName, 2048); logger.debug(method + ": keySize: " + keySize); //Default RSA_CRT=2
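Review bot: `configStore.getInteger(configName, 2048)` only applies when the profile omits keySize; a profile that explicitly sets `keySize=1024` is read and used as-is, and nothing in the hunk validates the value, so the failure the commit message describes (1024 rejected by the underlying library) would surface from the later key-generation step rather than as a readable configuration error. A guard right after the read, such as `if (keySize < 2048) { logger.warn(method + ": " + configName + "=" + keySize + " is below the supported RSA minimum"); }`, would name the offending profile property in the log, assuming the logger used here offers warn. The literal 2048 now also appears in GenerateKeyPairServlet and in every CS.cfg profile; a shared named constant for the fallback would keep the next bump consistent. generateCertificate starts before this hunk and continues past it.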
diff --git a/docs/manuals/man1/KRATool.1.md b/docs/manuals/man1/KRATool.1.md
index 494216af595..22fe844abdc 100644
--- a/docs/manuals/man1/KRATool.1.md
+++ b/docs/manuals/man1/KRATool.1.md
@@ -196,7 +196,7 @@ extdata-keyrecord: 1 extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6 F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79 extdata-userid: jmagne -extdata-keysize: 1024 +extdata-keysize: 2048 extdata-updatedby: TPS-alpha.example.com-7889 extdata-dbstatus: UPDATED extdata-cuid: 40906145C76224192D2B
diff --git a/docs/manuals/man5/pki-tps-profile.5.md b/docs/manuals/man5/pki-tps-profile.5.md
index b4ea3498531..fb46b6bb39e 100644
--- a/docs/manuals/man5/pki-tps-profile.5.md
+++ b/docs/manuals/man5/pki-tps-profile.5.md
@@ -17,7 +17,7 @@ Token profiles are defined using properties in the TPS configuration file. The following property sets the size of the key the token should generate: ``` -op.enroll..keyGen..keySize=1024 +op.enroll..keyGen..keySize=2048 ``` The maximum value is 1024.
@@ -95,7 +95,7 @@ and which PIN user should be granted: ``` op.enroll..keyGen..alg=2 -op.enroll..keyGen..keySize=1024 +op.enroll..keyGen..keySize=2048 op.enroll..keyGen..keyUsage=0 op.enroll..keyGen..keyUser=0 ```