Default to 2048-bit RSA now #3455

Open. Wants to merge 1 commit into base: master.
6 changes: 3 additions & 3 deletions base/ca/shared/webapps/ca/ee/ca/ProfileSelect.template
Original file line number Diff line number Diff line change
@@ -466,13 +466,13 @@ function validate()
var signKeyType = "rsa-sign";
var dualKeyType = "rsa-dual-use";
var encKeyParams = null;
var encKeySize = 1024;
var encKeySize = 2048;
var signKeyParams = null;
var signKeySize = 1024;
var signKeySize = 2048;
var keyParams = null;
// Give this default because the ECC crytpo codes requires and integer
// for this value even if presenting ECC curve name parameter.
var keySize = 1024;
var keySize = 2048;

try {
if (dual == 'true') {
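Review bot: the third default, `var keySize = 2048;`, is also the value handed to the ECC path (the comment above it says the ECC code requires an integer here even when a curve name is supplied), so this hunk changes what ECC enrolments pass as a size, not only RSA. Confirm the ECC branch ignores that integer rather than validating it against the curve sizes (256 and 384 per the discussion on this page), and consider deriving `keySize` from `encKeySize`/`signKeySize` so the three literals cannot drift apart. The pre-existing comment typo `crytpo codes requires and integer` could be fixed while these lines are being touched.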
@@ -105,7 +105,7 @@ public static List<String> getValidUsagesList() {
public static void main(String[] args) {
AsymKeyGenerationRequest request = new AsymKeyGenerationRequest();
request.setKeyAlgorithm(KeyRequestResource.RSA_ALGORITHM);
request.setKeySize(1024);
request.setKeySize(2048);
request.setClientKeyId("vek12345");
List<String> usages = new ArrayList<>();
usages.add(AsymKeyGenerationRequest.ENCRYPT);
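Review bot: `request.setKeySize(2048)` here only changes the sample request built in this `main()`; it sets no server-side default, and the client key id `vek12345` and the usages list are example values too. A one-line comment marking this as demonstration code would stop readers from taking the literal as the KRA's enforced size, and reading the size from a shared constant next to `KeyRequestResource.RSA_ALGORITHM` would keep the sample in step with whatever default the server actually applies.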
@@ -168,7 +168,7 @@ private void processServerSideKeyGen(HttpServletRequest req,

// keysize is for non-EC (EC uses keycurve)
if (!rKeytype.equals("EC") && ((rKeysize == null) || (rKeysize.equals("")))) {
rKeysize = "1024"; // default to 1024
rKeysize = "2048"; // default to 2048
}

if (rKeytype.equals("EC")) {
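Review bot: the `rKeysize = "2048"` fallback is only reached when `rKeysize` is null or empty, so a request that explicitly supplies `1024` (or a smaller value) still passes through unchanged; this hunk raises the default but does not establish a floor. If the intent is to stop 1024-bit server-side key generation, add a minimum-size check beside this default and log the rejected value, or state in the PR description that the default is not an enforced minimum. The fallback is also a string literal while the other hunks use an `int`, so a single shared constant would need a conversion at this point.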
34 changes: 17 additions & 17 deletions base/tps/shared/conf/CS.cfg
@@ -322,7 +322,7 @@ op.enroll.delegateIEtoken.keyGen.authentication.certAttrId=c3
op.enroll.delegateIEtoken.keyGen.authentication.certId=C3
op.enroll.delegateIEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.delegateIEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateIEtoken.keyGen.authentication.keySize=1024
op.enroll.delegateIEtoken.keyGen.authentication.keySize=2048
op.enroll.delegateIEtoken.keyGen.authentication.keyUsage=0
op.enroll.delegateIEtoken.keyGen.authentication.keyUser=0
op.enroll.delegateIEtoken.keyGen.authentication.label=authentication key for $userid$
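Review bot: every `keyGen.<keyType>.keySize` in this file moves from 1024 to 2048, but each profile's `alg` line is outside the hunk context, and the comment thread on the man page hunk in this PR lists `5 - ECC` with valid sizes of 256 and 384 rather than 2048. Check that each of the 17 touched profiles (delegateIEtoken, delegateISEtoken, externalRegISEtoken, soKey, soKeyTemporary, userKey, userKeyTemporary, for their authentication, encryption, signing and auth keys) is `alg=2` (RSA) before applying the same value to all of them; the same point applies to every keySize hunk in this file. Note also that this is the shipped template: deployments with an existing CS.cfg keep their 1024 values until an administrator edits them, which is worth a release note.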
@@ -505,7 +505,7 @@ op.enroll.delegateISEtoken.keyGen.authentication.certAttrId=c3
op.enroll.delegateISEtoken.keyGen.authentication.certId=C3
op.enroll.delegateISEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.authentication.keySize=1024
op.enroll.delegateISEtoken.keyGen.authentication.keySize=2048
op.enroll.delegateISEtoken.keyGen.authentication.keyUsage=0
op.enroll.delegateISEtoken.keyGen.authentication.keyUser=0
op.enroll.delegateISEtoken.keyGen.authentication.label=authentication key for $userid$
@@ -572,7 +572,7 @@ op.enroll.delegateISEtoken.keyGen.encryption.certAttrId=c2
op.enroll.delegateISEtoken.keyGen.encryption.certId=C2
op.enroll.delegateISEtoken.keyGen.encryption.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.encryption.keySize=1024
op.enroll.delegateISEtoken.keyGen.encryption.keySize=2048
op.enroll.delegateISEtoken.keyGen.encryption.keyUsage=0
op.enroll.delegateISEtoken.keyGen.encryption.keyUser=0
op.enroll.delegateISEtoken.keyGen.encryption.label=encryption key for $userid$
@@ -647,7 +647,7 @@ op.enroll.delegateISEtoken.keyGen.signing.certAttrId=c1
op.enroll.delegateISEtoken.keyGen.signing.certId=C1
op.enroll.delegateISEtoken.keyGen.signing.cuid_label=$cuid$
op.enroll.delegateISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.delegateISEtoken.keyGen.signing.keySize=1024
op.enroll.delegateISEtoken.keyGen.signing.keySize=2048
op.enroll.delegateISEtoken.keyGen.signing.keyUsage=0
op.enroll.delegateISEtoken.keyGen.signing.keyUser=0
op.enroll.delegateISEtoken.keyGen.signing.label=signing key for $userid$
@@ -916,7 +916,7 @@ op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId=c3
op.enroll.externalRegISEtoken.keyGen.authentication.certId=C3
op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.authentication.keySize=1024
op.enroll.externalRegISEtoken.keyGen.authentication.keySize=2048
op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.authentication.keyUser=0
op.enroll.externalRegISEtoken.keyGen.authentication.label=authentication key for $userid$
@@ -983,7 +983,7 @@ op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId=c2
op.enroll.externalRegISEtoken.keyGen.encryption.certId=C2
op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.encryption.keySize=1024
op.enroll.externalRegISEtoken.keyGen.encryption.keySize=2048
op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.encryption.keyUser=0
op.enroll.externalRegISEtoken.keyGen.encryption.label=encryption key for $userid$
@@ -1062,7 +1062,7 @@ op.enroll.externalRegISEtoken.keyGen.signing.certAttrId=c1
op.enroll.externalRegISEtoken.keyGen.signing.certId=C1
op.enroll.externalRegISEtoken.keyGen.signing.cuid_label=$cuid$
op.enroll.externalRegISEtoken.keyGen.signing.dnpattern=cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org
op.enroll.externalRegISEtoken.keyGen.signing.keySize=1024
op.enroll.externalRegISEtoken.keyGen.signing.keySize=2048
op.enroll.externalRegISEtoken.keyGen.signing.keyUsage=0
op.enroll.externalRegISEtoken.keyGen.signing.keyUser=0
op.enroll.externalRegISEtoken.keyGen.signing.label=signing key for $userid$
@@ -1194,7 +1194,7 @@ op.enroll.soKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollmen
op.enroll.soKey.keyGen.encryption.certAttrId=c2
op.enroll.soKey.keyGen.encryption.certId=C2
op.enroll.soKey.keyGen.encryption.cuid_label=$cuid$
op.enroll.soKey.keyGen.encryption.keySize=1024
op.enroll.soKey.keyGen.encryption.keySize=2048
op.enroll.soKey.keyGen.encryption.keyUsage=0
op.enroll.soKey.keyGen.encryption.keyUser=0
op.enroll.soKey.keyGen.encryption.label=encryption key for $userid$
@@ -1267,7 +1267,7 @@ op.enroll.soKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.soKey.keyGen.signing.certAttrId=c1
op.enroll.soKey.keyGen.signing.certId=C1
op.enroll.soKey.keyGen.signing.cuid_label=$cuid$
op.enroll.soKey.keyGen.signing.keySize=1024
op.enroll.soKey.keyGen.signing.keySize=2048
op.enroll.soKey.keyGen.signing.keyUsage=0
op.enroll.soKey.keyGen.signing.keyUser=0
op.enroll.soKey.keyGen.signing.label=signing key for $userid$
@@ -1345,7 +1345,7 @@ op.enroll.soKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollment
op.enroll.soKeyTemporary.keyGen.auth.certAttrId=c0
op.enroll.soKeyTemporary.keyGen.auth.certId=C0
op.enroll.soKeyTemporary.keyGen.auth.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.auth.keySize=1024
op.enroll.soKeyTemporary.keyGen.auth.keySize=2048
op.enroll.soKeyTemporary.keyGen.auth.keyUsage=0
op.enroll.soKeyTemporary.keyGen.auth.keyUser=15
op.enroll.soKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
@@ -1386,7 +1386,7 @@ op.enroll.soKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncryptio
op.enroll.soKeyTemporary.keyGen.encryption.certAttrId=c2
op.enroll.soKeyTemporary.keyGen.encryption.certId=C2
op.enroll.soKeyTemporary.keyGen.encryption.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.soKeyTemporary.keyGen.encryption.keySize=2048
op.enroll.soKeyTemporary.keyGen.encryption.keyUsage=0
op.enroll.soKeyTemporary.keyGen.encryption.keyUser=0
op.enroll.soKeyTemporary.keyGen.encryption.label=encryption key for $userid$
@@ -1437,7 +1437,7 @@ op.enroll.soKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKeyEn
op.enroll.soKeyTemporary.keyGen.signing.certAttrId=c1
op.enroll.soKeyTemporary.keyGen.signing.certId=C1
op.enroll.soKeyTemporary.keyGen.signing.cuid_label=$cuid$
op.enroll.soKeyTemporary.keyGen.signing.keySize=1024
op.enroll.soKeyTemporary.keyGen.signing.keySize=2048
op.enroll.soKeyTemporary.keyGen.signing.keyUsage=0
op.enroll.soKeyTemporary.keyGen.signing.keyUser=0
op.enroll.soKeyTemporary.keyGen.signing.label=signing key for $userid$
@@ -1518,7 +1518,7 @@ op.enroll.userKey.keyGen.encryption.ca.profileId=caTokenUserEncryptionKeyEnrollm
op.enroll.userKey.keyGen.encryption.certAttrId=c2
op.enroll.userKey.keyGen.encryption.certId=C2
op.enroll.userKey.keyGen.encryption.cuid_label=$cuid$
op.enroll.userKey.keyGen.encryption.keySize=1024
op.enroll.userKey.keyGen.encryption.keySize=2048
op.enroll.userKey.keyGen.encryption.keyUsage=0
op.enroll.userKey.keyGen.encryption.keyUser=0
op.enroll.userKey.keyGen.encryption.label=encryption key for $userid$
@@ -1591,7 +1591,7 @@ op.enroll.userKey.keyGen.signing.ca.profileId=caTokenUserSigningKeyEnrollment
op.enroll.userKey.keyGen.signing.certAttrId=c1
op.enroll.userKey.keyGen.signing.certId=C1
op.enroll.userKey.keyGen.signing.cuid_label=$cuid$
op.enroll.userKey.keyGen.signing.keySize=1024
op.enroll.userKey.keyGen.signing.keySize=2048
op.enroll.userKey.keyGen.signing.keyUsage=0
op.enroll.userKey.keyGen.signing.keyUser=0
op.enroll.userKey.keyGen.signing.label=signing key for $userid$
@@ -1682,7 +1682,7 @@ op.enroll.userKeyTemporary.keyGen.auth.ca.profileId=caTempTokenDeviceKeyEnrollme
op.enroll.userKeyTemporary.keyGen.auth.certAttrId=c0
op.enroll.userKeyTemporary.keyGen.auth.certId=C0
op.enroll.userKeyTemporary.keyGen.auth.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.auth.keySize=1024
op.enroll.userKeyTemporary.keyGen.auth.keySize=2048
op.enroll.userKeyTemporary.keyGen.auth.keyUsage=0
op.enroll.userKeyTemporary.keyGen.auth.keyUser=15
op.enroll.userKeyTemporary.keyGen.auth.label=Temporary Key for $userid$
@@ -1723,7 +1723,7 @@ op.enroll.userKeyTemporary.keyGen.encryption.ca.profileId=caTempTokenUserEncrypt
op.enroll.userKeyTemporary.keyGen.encryption.certAttrId=c2
op.enroll.userKeyTemporary.keyGen.encryption.certId=C2
op.enroll.userKeyTemporary.keyGen.encryption.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.encryption.keySize=1024
op.enroll.userKeyTemporary.keyGen.encryption.keySize=2048
op.enroll.userKeyTemporary.keyGen.encryption.keyUsage=0
op.enroll.userKeyTemporary.keyGen.encryption.keyUser=0
op.enroll.userKeyTemporary.keyGen.encryption.label=encryption key for $userid$
@@ -1774,7 +1774,7 @@ op.enroll.userKeyTemporary.keyGen.signing.ca.profileId=caTempTokenUserSigningKey
op.enroll.userKeyTemporary.keyGen.signing.certAttrId=c1
op.enroll.userKeyTemporary.keyGen.signing.certId=C1
op.enroll.userKeyTemporary.keyGen.signing.cuid_label=$cuid$
op.enroll.userKeyTemporary.keyGen.signing.keySize=1024
op.enroll.userKeyTemporary.keyGen.signing.keySize=2048
op.enroll.userKeyTemporary.keyGen.signing.keyUsage=0
op.enroll.userKeyTemporary.keyGen.signing.keyUser=0
op.enroll.userKeyTemporary.keyGen.signing.label=signing key for $userid$
@@ -2251,7 +2251,7 @@ private void generateCertificate(EnrolledCertsInfo certsInfo, SecureChannel chan
logger.debug(method + ": publicKeyAttrId: " + publicKeyAttrId);

configName = keyTypePrefix + ".keySize";
int keySize = configStore.getInteger(configName, 1024);
int keySize = configStore.getInteger(configName, 2048);
logger.debug(method + ": keySize: " + keySize);

//Default RSA_CRT=2
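Review bot: `configStore.getInteger(configName, 2048)` is the fallback for a profile that has no `keySize` entry at all, and the next line only reports it at debug level. Because the shipped CS.cfg now sets 2048 explicitly, this fallback mainly affects custom or upgraded profiles that omit the key, which will silently change from 1024 to 2048 on upgrade; log at info or warning level when the default is applied, or reference the same constant used by the other hunks so the change is visible in one place. Nothing in the visible context restricts `keyTypePrefix` to RSA, so the same 2048 fallback is offered to an ECC profile that omits `keySize`; confirm the `Default RSA_CRT=2` branch below is only taken for RSA.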
2 changes: 1 addition & 1 deletion docs/manuals/man1/KRATool.1.md
@@ -196,7 +196,7 @@ extdata-keyrecord: 1
extdata-wrappeduserprivate: %94%C1%36%D3%EA%4E%36%B5%42%91%AB%47%34%C0%35%A3%6
F%E8%10%A9%B1%25%F4%BE%9C%11%D1%B3%3D%90%AB%79
extdata-userid: jmagne
extdata-keysize: 1024
extdata-keysize: 2048
extdata-updatedby: TPS-alpha.example.com-7889
extdata-dbstatus: UPDATED
extdata-cuid: 40906145C76224192D2B
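Review bot: this is a captured KRA record shown as documentation, and only `extdata-keysize` was edited; the surrounding fields (`extdata-wrappeduserprivate`, `extdata-cuid`, the TPS host in `extdata-updatedby`) are still the values from the original 1024-bit capture, so the sample is no longer a literal record. Either regenerate the example from a 2048-bit enrolment or leave the capture untouched, since this man page only illustrates the record format and a 1024-bit value in an archived record does not imply a recommended size.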
4 changes: 2 additions & 2 deletions docs/manuals/man5/pki-tps-profile.5.md
@@ -17,7 +17,7 @@ Token profiles are defined using properties in the TPS configuration file.
The following property sets the size of the key the token should generate:

```
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
```

The maximum value is 1024.
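Review bot: the unchanged context line `The maximum value is 1024.` now directly contradicts the example `keySize=2048` two lines above it. Fix it in the same hunk: either state the limit per algorithm (the thread on this line gives 256 and 384 as the valid ECC sizes, with RSA bounded by the crypto library), or drop the sentence and say the library enforces the maximum, so the man page does not ship self-contradictory.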
@edewata (Contributor), Jun 17, 2021:

I'm not familiar with this, but if the maximum value is referring to the keySize parameter, would they be contradictory now?

Member Author:

Maybe it depends on the key type? DSA has a strict 1024-bit maximum, ECDSA obviously differs based on curve type/size and isn't user controllable, and for RSA, most implementations top out around 8192-bit ish.

Member Author:

The valid algorithms are:

  • 2 - RSA
  • 5 - ECC
    For ECC, the valid key sizes are 256 and 384.

Contributor:

Or maybe this line should just be removed, and let the actual maximum be determined by the crypto library.

@@ -95,7 +95,7 @@ and which PIN user should be granted:

```
op.enroll.<tokenType>.keyGen.<keyType>.alg=2
op.enroll.<tokenType>.keyGen.<keyType>.keySize=1024
op.enroll.<tokenType>.keyGen.<keyType>.keySize=2048
op.enroll.<tokenType>.keyGen.<keyType>.keyUsage=0
op.enroll.<tokenType>.keyGen.<keyType>.keyUser=0
```
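Review bot: this example pairs `alg=2` with `keySize=2048`, which is consistent for RSA, but a reader who switches `alg` to 5 (ECC, per the discussion on this page) and keeps 2048 will produce an invalid profile. Add a second example, or a sentence noting that for ECC the `keySize` must be 256 or 384, and make it agree with the maximum-value sentence earlier in this man page so the two sections do not diverge.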