1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-17 14:07:03 +01:00

gpgsm: default to 3072-bit keys.

* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
default to 3072 bits.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
3072 bits.
* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
* sm/gpgsm.c (main): print correct default_pubkey_algo.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Gbp-Pq: Topic update-defaults
Gbp-Pq: Name 0014-gpgsm-default-to-3072-bit-keys.patch
This commit is contained in:
Daniel Kahn Gillmor 2017-09-07 18:39:37 -04:00
parent 17f764dd49
commit 7955262151
5 changed files with 12 additions and 12 deletions

View File

@ -1073,7 +1073,7 @@ key. The algorithm must be capable of signing. This is a required
parameter. The only supported value for @var{algo} is @samp{rsa}. parameter. The only supported value for @var{algo} is @samp{rsa}.
@item Key-Length: @var{nbits} @item Key-Length: @var{nbits}
The requested length of a generated key in bits. Defaults to 2048. The requested length of a generated key in bits. Defaults to 3072.
@item Key-Grip: @var{hexstring} @item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificate for an This is optional and used to generate a CSR or certificate for an

View File

@ -31,14 +31,14 @@ Let's continue:
@cartouche @cartouche
@example @example
What keysize do you want? (2048) What keysize do you want? (3072)
Requested keysize is 2048 bits Requested keysize is 3072 bits
@end example @end example
@end cartouche @end cartouche
Hitting enter chooses the default RSA key size of 2048 bits. Smaller Hitting enter chooses the default RSA key size of 3072 bits. Keys
keys are too weak on the modern Internet. If you choose a larger smaller than 2048 bits are too weak on the modern Internet. If you
(stronger) key, your server will need to do more work. choose a larger (stronger) key, your server will need to do more work.
@cartouche @cartouche
@example @example
@ -124,7 +124,7 @@ request:
@example @example
These parameters are used: These parameters are used:
Key-Type: RSA Key-Type: RSA
Key-Length: 2048 Key-Length: 3072
Key-Usage: sign, encrypt Key-Usage: sign, encrypt
Name-DN: CN=example.com Name-DN: CN=example.com
Name-DNS: example.com Name-DNS: example.com
@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
aka: (dns-name example.com) aka: (dns-name example.com)
aka: (dns-name www.example.com) aka: (dns-name www.example.com)
validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51 validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
key type: 2048 bit RSA key type: 3072 bit RSA
key usage: digitalSignature keyEncipherment key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...] ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57 fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57

View File

@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
unsigned int nbits; unsigned int nbits;
int minbits = 1024; int minbits = 1024;
int maxbits = 4096; int maxbits = 4096;
int defbits = 2048; int defbits = 3072;
const char *keyusage; const char *keyusage;
char *subject_name; char *subject_name;
membuf_t mb_email, mb_dns, mb_uri, mb_result; membuf_t mb_email, mb_dns, mb_uri, mb_result;

View File

@ -26,7 +26,7 @@
$ cat >foo <<EOF $ cat >foo <<EOF
%echo Generating a standard key %echo Generating a standard key
Key-Type: RSA Key-Type: RSA
Key-Length: 2048 Key-Length: 3072
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
Name-Email: joe@foo.bar Name-Email: joe@foo.bar
# Do a commit here, so that we can later print a "done" # Do a commit here, so that we can later print a "done"
@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
/* Check the keylength. NOTE: If you change this make sure that it /* Check the keylength. NOTE: If you change this make sure that it
macthes the gpgconflist item in gpgsm.c */ macthes the gpgconflist item in gpgsm.c */
if (!get_parameter (para, pKEYLENGTH, 0)) if (!get_parameter (para, pKEYLENGTH, 0))
nbits = 2048; nbits = 3072;
else else
nbits = get_parameter_uint (para, pKEYLENGTH); nbits = get_parameter_uint (para, pKEYLENGTH);
if ((nbits < 1024 || nbits > 4096) && !cardkeyid) if ((nbits < 1024 || nbits > 4096) && !cardkeyid)

View File

@ -1785,7 +1785,7 @@ main ( int argc, char **argv)
/* The next one is an info only item and should match what /* The next one is an info only item and should match what
proc_parameters actually implements. */ proc_parameters actually implements. */
es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT, es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
"RSA-2048"); "RSA-3072");
} }
break; break;