Increase default key size for CA to 3072 bits

The signing key for IPA's CA certificate now uses a 3072 bit RSA key by default. According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4 recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit strength. Fixes: https://pagure.io/freeipa/issue/6790 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-04-15 14:37:25 +02:00
parent 80928ba6f5
commit 45b8cc1d83
4 changed files with 71 additions and 1 deletions
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -12,7 +12,10 @@ from __future__ import absolute_import
 import os
 from datetime import datetime, timedelta
 import time
+
+from cryptography.hazmat.primitives import hashes
 import pytest
+
 from ipalib.constants import DOMAIN_LEVEL_0
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
@@ -428,6 +431,43 @@ class TestInstallMaster(IntegrationTest):
        exp_str = ("ipa: ERROR: No YubiKey found")
        assert exp_str in cmd.stderr_text

+    def test_pki_certs(self):
+        certs, keys = tasks.certutil_certs_keys(
+            self.master,
+            paths.PKI_TOMCAT_ALIAS_DIR,
+            paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT
+        )
+
+        expected_certs = {
+            # CA
+            'caSigningCert cert-pki-ca': 'CTu,Cu,Cu',
+            'ocspSigningCert cert-pki-ca': 'u,u,u',
+            'subsystemCert cert-pki-ca': 'u,u,u',
+            'auditSigningCert cert-pki-ca': 'u,u,Pu',  # why P?
+            # KRA
+            'transportCert cert-pki-kra': 'u,u,u',
+            'storageCert cert-pki-kra': 'u,u,u',
+            'auditSigningCert cert-pki-kra': 'u,u,Pu',
+            # server
+            'Server-Cert cert-pki-ca': 'u,u,u',
+        }
+        assert certs == expected_certs
+        assert len(certs) == len(keys)
+
+        for nickname in sorted(certs):
+            cert = tasks.certutil_fetch_cert(
+                self.master,
+                paths.PKI_TOMCAT_ALIAS_DIR,
+                paths.PKI_TOMCAT_ALIAS_PWDFILE_TXT,
+                nickname
+            )
+            key_size = cert.public_key().key_size
+            if nickname == 'caSigningCert cert-pki-ca':
+                assert key_size == 3072
+            else:
+                assert key_size == 2048
+            assert cert.signature_hash_algorithm.name == hashes.SHA256.name
+

 class TestInstallMasterKRA(IntegrationTest):