Increase default key size for CA to 3072 bits

The signing key for IPA's CA certificate now uses a 3072 bit RSA key by default. According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4 recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit strength. Fixes: https://pagure.io/freeipa/issue/6790 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-11 00:31:56 -06:00 · 2019-04-15 14:37:25 +02:00 · 2019-04-15 14:37:25 +02:00 · 45b8cc1d83
commit 45b8cc1d83
parent 80928ba6f5
4 changed files with 71 additions and 1 deletions
--- a/install/share/ipaca_customize.ini
+++ b/install/share/ipaca_customize.ini
@ -29,7 +29,7 @@ ipa_signing_algorithm=SHA256withRSA
 # Used for IPA CA
 # signing algorithm can be overriden on command line
 ipa_ca_signing_algorithm=%(ipa_key_algorithm)s
-ipa_ca_key_size=%(ipa_key_size)s
+ipa_ca_key_size=3072
 ipa_ca_key_type=%(ipa_key_type)s

 # HSM support
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@ -27,6 +27,18 @@ jobs:
        timeout: 1800
        topology: *build

+  fedora-29/test_installation_TestInstallMaster:
+    requires: [fedora-29/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-29/build_url}'
+        test_suite: test_integration/test_installation.py::TestInstallMaster
+        template: *ci-master-f29
+        timeout: 3600
+        topology: *master_1repl
+
  fedora-29/simple_replication:
    requires: [fedora-29/build]
    priority: 50
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@ -35,6 +35,7 @@ import dns
 from ldif import LDIFWriter
 import pytest
 from SSSDConfig import SSSDConfig
+from cryptography import x509
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.backends import default_backend
@ -1522,6 +1523,23 @@ def certutil_certs_keys(host, reqdir, pwd_file, token_name=None):
    return certs, keys


+def certutil_fetch_cert(host, reqdir, pwd_file, nickname, token_name=None):
+    """Run certutil and retrieve a cert as cryptography.x509 object
+    """
+    args = ['-f', pwd_file, '-L', '-a', '-n']
+    if token_name is not None:
+        args.extend([
+            '{}:{}'.format(token_name, nickname),
+            '-h', token_name
+        ])
+    else:
+        args.append(nickname)
+    result = run_certutil(host, args, reqdir)
+    return x509.load_pem_x509_certificate(
+        result.stdout_bytes, default_backend()
+    )
+
+
 def upload_temp_contents(host, contents, encoding='utf-8'):
    """Upload contents to a temporary file

--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@ -12,7 +12,10 @@ from __future__ import absolute_import
 import os
 from datetime import datetime, timedelta
 import time
+
+from cryptography.hazmat.primitives import hashes
 import pytest
+
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@ -428,6 +431,43 @@ class TestInstallMaster(IntegrationTest):
        exp_str = ("ipa: ERROR: No YubiKey found")
        assert exp_str in cmd.stderr_text

+    def test_pki_certs(self):
+        certs, keys = tasks.certutil_certs_keys(
+            self.master,
+            paths.PKI_TOMCAT_ALIAS_DIR,
+            paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT
+        )
+
+        expected_certs = {
+            # CA
+            'caSigningCert cert-pki-ca': 'CTu,Cu,Cu',
+            'ocspSigningCert cert-pki-ca': 'u,u,u',
+            'subsystemCert cert-pki-ca': 'u,u,u',
+            'auditSigningCert cert-pki-ca': 'u,u,Pu',  # why P?
+            # KRA
+            'transportCert cert-pki-kra': 'u,u,u',
+            'storageCert cert-pki-kra': 'u,u,u',
+            'auditSigningCert cert-pki-kra': 'u,u,Pu',
+            # server
+            'Server-Cert cert-pki-ca': 'u,u,u',
+        }
+        assert certs == expected_certs
+        assert len(certs) == len(keys)
+
+        for nickname in sorted(certs):
+            cert = tasks.certutil_fetch_cert(
+                self.master,
+                paths.PKI_TOMCAT_ALIAS_DIR,
+                paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+                nickname
+            )
+            key_size = cert.public_key().key_size
+            if nickname == 'caSigningCert cert-pki-ca':
+                assert key_size == 3072
+            else:
+                assert key_size == 2048
+            assert cert.signature_hash_algorithm.name == hashes.SHA256.name
+

 class TestInstallMasterKRA(IntegrationTest):