URL: https://github.com/freeipa/freeipa/pull/2291 Author: abbra Title: #2291: Update CA signing certificate default key size to 4096 Action: opened
PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2291/head:pr2291 git checkout pr2291
From 2451b0ca357c6493c22b63ccb139f0a6dd0a89eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 28 Aug 2018 00:10:11 +0300
Subject: [PATCH 1/3] Abstract out external CA test to reuse our CA defaults

Right now CA signing certificate choice is hard-coded. To allow its change, we need to change external CA test first to pick up the defaults instead of hard-coded setup in the test which may (and will) be different if Dogtag or CA instance defaults will be changed.

Related: https://pagure.io/freeipa/issue/6790
---
 ipalib/constants.py | 2 ++
 ipatests/create_external_ca.py | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index 41da33cf4c..e0e9c89fe5 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -279,6 +279,8 @@ DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
+PKI_CA_SIGNING_KEY_SIZE = '2048'
+PKI_CA_SIGNING_ALGO = 'SHA256withRSA'
 IPA_CA_CN = u'ipa'
 IPA_CA_RECORD = "ipa-ca"
 IPA_CA_NICKNAME = 'caSigningCert cert-pki-ca'
diff --git a/ipatests/create_external_ca.py b/ipatests/create_external_ca.py
index dc93975517..e2a27a1aab 100644
--- a/ipatests/create_external_ca.py
+++ b/ipatests/create_external_ca.py
@@ -24,12 +24,18 @@ from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
+import ipalib.constants
 import datetime
 import six
 ISSUER_CN = 'example.test'
+MAP_SIGNING_ALGORITHM = {
+ 'SHA256withRSA': hashes.SHA256,
+ 'SHA512withRSA': hashes.SHA512,
+}
+
 class ExternalCA(object):
 """
 Provide external CA for testing
@@ -45,7 +51,7 @@ def create_ca(self, cn=ISSUER_CN):
 """
 self.ca_key = rsa.generate_private_key(
 public_exponent=65537,
- key_size=2048,
+ key_size=int(ipalib.constants.PKI_CA_SIGNING_KEY_SIZE),
 backend=default_backend(),
 )
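Review bot: `PKI_CA_SIGNING_KEY_SIZE` is declared as the string `'2048'` rather than an int, so the one consumer that needs a number (the `int(ipalib.constants.PKI_CA_SIGNING_KEY_SIZE)` call in create_external_ca.py later in this patch) has to convert it, while the installer writes it verbatim into a config file; nothing on the constant says this is deliberate. A comment would stop the next reader from "fixing" the type: `# kept as a str: written verbatim into the pkispawn config (presumably via ConfigParser.set, which takes strings)`. `PKI_CA_SIGNING_ALGO` likewise lacks any note that its value must match the keys of `MAP_SIGNING_ALGORITHM` in the test helper, which is the only place that validates it.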
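Review bot: `import ipalib.constants` is inserted between the third-party `cryptography` imports and the stdlib `import datetime` / `import six` lines, so the import block no longer groups by origin; put it after the stdlib group as its own (local) group. `MAP_SIGNING_ALGORITHM` also carries no comment saying what its keys are, and its two entries cover only RSA variants while the key is generated with `rsa.generate_private_key` further down; a one-liner makes the coupling explicit: `# PKI_CA_SIGNING_ALGO value -> cryptography hash class used to sign the test CA cert (RSA-only; extend together with the constant)`.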
@@ -95,7 +101,8 @@ def create_ca(self, cn=ISSUER_CN):
 critical=False,
 )
- cert = builder.sign(self.ca_key, hashes.SHA256(), default_backend())
+ algo = MAP_SIGNING_ALGORITHM[ipalib.constants.PKI_CA_SIGNING_ALGO]()
+ cert = builder.sign(self.ca_key, algo, default_backend())
 return cert.public_bytes(serialization.Encoding.PEM)

From 2fbb71f634d24c7c5dada1a4008503075b4c6e6e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 28 Aug 2018 00:12:52 +0300
Subject: [PATCH 2/3] Replace hard-coded value for CA signing algorithm with a constant

Related: https://pagure.io/freeipa/issue/6790
---
 ipaserver/install/cainstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c90940d73d..c5a93110c0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -370,7 +370,7 @@ def configure_instance(self, host_name, dm_password, admin_password,
 ca_subject or installutils.default_ca_subject_dn(self.subject_base)
 if ca_signing_algorithm is None:
- self.ca_signing_algorithm = 'SHA256withRSA'
+ self.ca_signing_algorithm = ipalib.constants.PKI_CA_SIGNING_ALGO
 else:
 self.ca_signing_algorithm = ca_signing_algorithm
 if ca_type is not None:

From b53c0d349c290ef99b10ee108f74d8bd134a8545 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 28 Aug 2018 00:13:27 +0300
Subject: [PATCH 3/3] Change CA signing certificate key size to 4096

We are not yet making possible to change a CA signing certificate key size at install time. Instead, this commit updates CA signing certificate key size to a reasonable default for 2018.

Related: https://pagure.io/freeipa/issue/6790
---
 ipalib/constants.py | 2 +-
 ipaserver/install/cainstance.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/constants.py b/ipalib/constants.py
index e0e9c89fe5..31678d9c58 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
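Review bot: The lookup `MAP_SIGNING_ALGORITHM[ipalib.constants.PKI_CA_SIGNING_ALGO]()` fails with a bare `KeyError` naming only the missing key when the constant is ever set to an algorithm the table does not list, which gives no hint that the fix is to extend the table rather than the constant. A guard before the lookup makes the failure self-explanatory: `if ipalib.constants.PKI_CA_SIGNING_ALGO not in MAP_SIGNING_ALGORITHM:` / `    raise ValueError('unsupported CA signing algorithm: %s' % ipalib.constants.PKI_CA_SIGNING_ALGO)`. `create_ca` starts outside the hunk.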
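Review bot: The new line reads `ipalib.constants.PKI_CA_SIGNING_ALGO` but the hunk adds no import, and whether cainstance.py already binds the name `ipalib` (via `import ipalib.constants` or another `import ipalib...` statement, as opposed to only `from ipalib import ...` forms) is not visible here; if it does not, the attribute lookup fails the first time `configure_instance` runs with the default algorithm. Please confirm the import exists or add `import ipalib.constants` to the module's import block. The same dependency is introduced by the cainstance.py hunk of patch 3/3. `configure_instance` continues outside the hunk.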
@@ -279,7 +279,7 @@ DOMAIN_SUFFIX_NAME = 'domain'
 CA_SUFFIX_NAME = 'ca'
 PKI_GSSAPI_SERVICE_NAME = 'dogtag'
-PKI_CA_SIGNING_KEY_SIZE = '2048'
+PKI_CA_SIGNING_KEY_SIZE = '4096'
 PKI_CA_SIGNING_ALGO = 'SHA256withRSA'
 IPA_CA_CN = u'ipa'
 IPA_CA_RECORD = "ipa-ca"
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c5a93110c0..b88c646da1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -573,6 +573,10 @@ def __spawn_instance(self):
 # CA key algorithm
 config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
+ # CA default key size
+ config.set("CA", "pki_ca_signing_key_size",
+ ipalib.constants.PKI_CA_SIGNING_KEY_SIZE)
+
 if not (os.path.isdir(paths.PKI_TOMCAT_ALIAS_DIR) and os.path.isfile(paths.PKI_TOMCAT_PASSWORD_CONF)):
 # generate pin which we know can be used for FIPS NSS database
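Review bot: The two related pkispawn settings now flow through different paths: `pki_ca_signing_key_algorithm` is written from `self.ca_signing_algorithm`, which `configure_instance` lets a caller override (patch 2/3), while the new `pki_ca_signing_key_size` reads the module constant directly inside `__spawn_instance`. Storing the size on the instance next to the algorithm, `self.ca_signing_key_size = ipalib.constants.PKI_CA_SIGNING_KEY_SIZE` in `configure_instance` and `self.ca_signing_key_size` here, keeps both settings in one place and lets the install-time option the PR description defers slot in without touching `__spawn_instance`. The comment `# CA default key size` is also misleading since this is the size actually requested, not a fallback; `# CA signing key size (RSA modulus bits, passed as a string to pkispawn)` says what the line does. `__spawn_instance` continues outside the hunk.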