From 21e24264f413c47f7063bae19b1e4e88bb08b2f2 Mon Sep 17 00:00:00 2001 From: Alexis Date: Wed, 6 Dec 2023 13:00:55 -0800 Subject: [PATCH] Bump Hardcoded RSA Default in API (#9855) Rectifies: https://github.com/certbot/certbot/security/advisories/GHSA-pcq2-mjvr-m4jj --- certbot-nginx/certbot_nginx/_internal/configurator.py | 2 +- certbot/certbot/_internal/tests/crypto_util_test.py | 8 ++++---- certbot/certbot/crypto_util.py | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/certbot-nginx/certbot_nginx/_internal/configurator.py b/certbot-nginx/certbot_nginx/_internal/configurator.py index 968bc27bf..1fb47cf0c 100644 --- a/certbot-nginx/certbot_nginx/_internal/configurator.py +++ b/certbot-nginx/certbot_nginx/_internal/configurator.py @@ -701,7 +701,7 @@ class NginxConfigurator(common.Configurator): # TODO: generate only once tmp_dir = os.path.join(self.config.work_dir, "snakeoil") le_key = crypto_util.generate_key( - key_size=1024, key_dir=tmp_dir, keyname="key.pem", + key_size=2048, key_dir=tmp_dir, keyname="key.pem", strict_permissions=self.config.strict_permissions) assert le_key.file is not None key = OpenSSL.crypto.load_privatekey( diff --git a/certbot/certbot/_internal/tests/crypto_util_test.py b/certbot/certbot/_internal/tests/crypto_util_test.py index 49efef4ea..d1733ff48 100644 --- a/certbot/certbot/_internal/tests/crypto_util_test.py +++ b/certbot/certbot/_internal/tests/crypto_util_test.py @@ -168,7 +168,7 @@ class MakeKeyTest(unittest.TestCase): from certbot.crypto_util import make_key # Do not test larger keys as it takes too long. - OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, make_key(1024)) + OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM, make_key(2048)) def test_ec(self): # pylint: disable=no-self-use # ECDSA Key Type Tests @@ -185,8 +185,8 @@ class MakeKeyTest(unittest.TestCase): from certbot.crypto_util import make_key # Try a bad key size for RSA and ECDSA - with pytest.raises(errors.Error, match='Unsupported RSA key length: 512'): - make_key(bits=512, key_type='rsa') + with pytest.raises(errors.Error, match='Unsupported RSA key length: 1024'): + make_key(bits=1024, key_type='rsa') def test_bad_elliptic_curve_name(self): from certbot.crypto_util import make_key @@ -200,7 +200,7 @@ class MakeKeyTest(unittest.TestCase): with pytest.raises(errors.Error, match=re.escape('Invalid key_type specified: unf. Use [rsa|ecdsa]')): OpenSSL.crypto.load_privatekey( - OpenSSL.crypto.FILETYPE_PEM, make_key(1024, key_type='unf')) + OpenSSL.crypto.FILETYPE_PEM, make_key(2048, key_type='unf')) class VerifyCertSetup(unittest.TestCase): diff --git a/certbot/certbot/crypto_util.py b/certbot/certbot/crypto_util.py index d0240aefd..d5b5c7f30 100644 --- a/certbot/certbot/crypto_util.py +++ b/certbot/certbot/crypto_util.py @@ -208,11 +208,11 @@ def import_csr_file(csrfile: str, data: bytes) -> Tuple[int, util.CSR, List[str] return PEM, util.CSR(file=csrfile, data=data_pem, form="pem"), domains -def make_key(bits: int = 1024, key_type: str = "rsa", +def make_key(bits: int = 2048, key_type: str = "rsa", elliptic_curve: Optional[str] = None) -> bytes: """Generate PEM encoded RSA|EC key. - :param int bits: Number of bits if key_type=rsa. At least 1024 for RSA. + :param int bits: Number of bits if key_type=rsa. At least 2048 for RSA. :param str key_type: The type of key to generate, but be rsa or ecdsa :param str elliptic_curve: The elliptic curve to use. @@ -221,7 +221,7 @@ def make_key(bits: int = 1024, key_type: str = "rsa", :rtype: str """ if key_type == 'rsa': - if bits < 1024: + if bits < 2048: raise errors.Error("Unsupported RSA key length: {}".format(bits)) key = crypto.PKey()