open-vault

History

Alexander Scheel 6e069e94ca Fix PKI Weak Cryptographic Key Lenghths Warning (#12886 ) * Modernize SSH key lengths No default change was made in this commit; note that the code already enforced a default of 2048 bits. ssh-keygen and Go's RSA key generation allows for key sizes including 3072, 4096, 8192; update the values of SSH key generation to match PKI's allowed RSA key sizes (from certutil.ValidateKeyTypeLength(...)). We still allow the legacy SSH key size of 1024; in the near future we should likely remove it. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Ensure minimum of 2048-bit PKI RSA keys While the stated path is a false-positive, verifying all paths is non-trivial. We largely validate API call lengths using certutil.ValidateKeyTypeLength(...), but ensuring no other path calls certutil.generatePrivateKey(...) --- directly or indirectly --- is non-trivial. Thus enforcing a minimum in this method sounds like a sane compromise. Resolves: https://github.com/hashicorp/vault/security/code-scanning/55 Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>		2021-10-26 09:30:09 -04:00
..
certutil_test.go	Add a TRACE log with TLS connection details on replication connections (#12754 )	2021-10-07 14:17:31 -05:00
helpers.go	Fix PKI Weak Cryptographic Key Lenghths Warning (#12886 )	2021-10-26 09:30:09 -04:00
types.go