diff options
author | Jack Lloyd <[email protected]> | 2016-12-30 19:59:15 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-12-30 19:59:15 -0500 |
commit | b910602f3af678fe02852cb83df95f0619efbf35 (patch) | |
tree | 2a7e512ef947f7b29161babb6cceae566db16b68 /src | |
parent | be0f1c1cabdbd787cf3ad65a0dfbc8fd4882bc3f (diff) | |
parent | 0e3d9acafc4cc06f6ab8d62b2510a57e8df852d6 (diff) |
Merge GH #785 Disable SHA-1 and weak RSA by default during cert validation
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/x509/x509path.h | 14 | ||||
-rw-r--r-- | src/tests/test_name_constraint.cpp | 4 | ||||
-rw-r--r-- | src/tests/test_x509_path.cpp | 8 | ||||
-rw-r--r-- | src/tests/unit_x509.cpp | 4 |
4 files changed, 17 insertions, 13 deletions
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h index 396e1fead..a193ebe55 100644 --- a/src/lib/x509/x509path.h +++ b/src/lib/x509/x509path.h @@ -36,18 +36,20 @@ class BOTAN_DLL Path_Validation_Restrictions public: /** * @param require_rev if true, revocation information is required + * @param minimum_key_strength is the minimum strength (in terms of - * operations, eg 80 means 2^80) of a signature. Signatures - * weaker than this are rejected. If more than 80, SHA-1 - * signatures are also rejected. + * operations, eg 80 means 2^80) of a signature. Signatures weaker than + * this are rejected. If more than 80, SHA-1 signatures are also + * rejected. If possible use at least setting 110. + * * 80 bit strength requires 1024 bit RSA - * 110 bit strength requires 2048 bit RSA - * Using 128 requires ECC (P-256) or ~3000 bit RSA keys. + * 110 bit strength requires 2k bit RSA + * 128 bit strength requires ~3k bit RSA or P-256 * @param ocsp_all_intermediates Make OCSP requests for all CAs as * well as end entity (if OCSP enabled in path validation request) */ Path_Validation_Restrictions(bool require_rev = false, - size_t minimum_key_strength = 80, + size_t minimum_key_strength = 110, bool ocsp_all_intermediates = false); /** diff --git a/src/tests/test_name_constraint.cpp b/src/tests/test_name_constraint.cpp index 01bdfc3ef..95cb9f229 100644 --- a/src/tests/test_name_constraint.cpp +++ b/src/tests/test_name_constraint.cpp @@ -63,7 +63,7 @@ class Name_Constraint_Tests : public Test "Certificate does not pass name constraint"), }; std::vector<Test::Result> results; - const Botan::Path_Validation_Restrictions default_restrictions; + const Botan::Path_Validation_Restrictions restrictions(false, 80); for(const auto& t: test_cases) { @@ -74,7 +74,7 @@ class Name_Constraint_Tests : public Test trusted.add_certificate(root); Botan::Path_Validation_Result path_result = Botan::x509_path_validate( - sub, default_restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH); + sub, restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH); if(path_result.successful_validation() && path_result.trust_root() != root) path_result = Botan::Path_Validation_Result(Botan::Certificate_Status_Code::CANNOT_ESTABLISH_TRUST); diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp index e897d3e01..ff402bfa4 100644 --- a/src/tests/test_x509_path.cpp +++ b/src/tests/test_x509_path.cpp @@ -65,7 +65,8 @@ class X509test_Path_Validation_Tests : public Test std::map<std::string, std::string> expected = read_results(Test::data_file("x509test/expected.txt")); - const Botan::Path_Validation_Restrictions default_restrictions; + // Current tests use SHA-1 + const Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::X509_Certificate root(Test::data_file("x509test/root.pem")); Botan::Certificate_Store_In_Memory trusted; @@ -87,7 +88,7 @@ class X509test_Path_Validation_Tests : public Test throw Test_Error("Failed to read certs from " + filename); Botan::Path_Validation_Result path_result = Botan::x509_path_validate( - certs, default_restrictions, trusted, + certs, restrictions, trusted, "www.tls.test", Botan::Usage_Type::TLS_SERVER_AUTH, validation_time); @@ -205,7 +206,8 @@ std::vector<Test::Result> NIST_Path_Validation_Tests::run() Botan::X509_Certificate end_user(test_dir + "/end.crt"); - Botan::Path_Validation_Restrictions restrictions(true); + // 1024 bit root cert + Botan::Path_Validation_Restrictions restrictions(true, 80); Botan::Path_Validation_Result validation_result = Botan::x509_path_validate(end_user, diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp index 26ccfedc0..28cd46db7 100644 --- a/src/tests/unit_x509.cpp +++ b/src/tests/unit_x509.cpp @@ -359,7 +359,7 @@ Test::Result test_x509_cert(const std::string& sig_algo, const std::string& hash Botan::X509_CRL crl1 = ca.new_crl(Test::rng()); /* Verify the certs */ - Botan::Path_Validation_Restrictions restrictions(false); + Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::Certificate_Store_In_Memory store; // First try with an empty store @@ -558,7 +558,7 @@ Test::Result test_self_issued(const std::string& sig_algo, const std::string& ha // check that this chain can can be verified successfully Botan::Certificate_Store_In_Memory trusted(ca.ca_certificate()); - Botan::Path_Validation_Restrictions restrictions; + Botan::Path_Validation_Restrictions restrictions(false, 80); Botan::Path_Validation_Result validation_result = Botan::x509_path_validate(self_issued_cert, |