4 files changed, 17 insertions, 13 deletions

diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h
index 396e1fead..a193ebe55 100644
--- a/src/lib/x509/x509path.h
+++ b/src/lib/x509/x509path.h
@@ -36,18 +36,20 @@ class BOTAN_DLL Path_Validation_Restrictions
    public:
       /**
       * @param require_rev if true, revocation information is required
+
       * @param minimum_key_strength is the minimum strength (in terms of
-      *        operations, eg 80 means 2^80) of a signature. Signatures
-      *        weaker than this are rejected. If more than 80, SHA-1
-      *        signatures are also rejected.
+      *    operations, eg 80 means 2^80) of a signature. Signatures weaker than
+      *    this are rejected. If more than 80, SHA-1 signatures are also
+      *    rejected. If possible use at least setting 110.
+      *
       *        80 bit strength requires 1024 bit RSA
-      *        110 bit strength requires 2048 bit RSA
-      *        Using 128 requires ECC (P-256) or ~3000 bit RSA keys.
+      *        110 bit strength requires 2k bit RSA
+      *        128 bit strength requires ~3k bit RSA or P-256
       * @param ocsp_all_intermediates Make OCSP requests for all CAs as
       * well as end entity (if OCSP enabled in path validation request)
       */
       Path_Validation_Restrictions(bool require_rev = false,
-                                   size_t minimum_key_strength = 80,
+                                   size_t minimum_key_strength = 110,
                                    bool ocsp_all_intermediates = false);
 
       /**
diff --git a/src/tests/test_name_constraint.cpp b/src/tests/test_name_constraint.cpp
index 01bdfc3ef..95cb9f229 100644
--- a/src/tests/test_name_constraint.cpp
+++ b/src/tests/test_name_constraint.cpp
@@ -63,7 +63,7 @@ class Name_Constraint_Tests : public Test
             "Certificate does not pass name constraint"),
          };
          std::vector<Test::Result> results;
-         const Botan::Path_Validation_Restrictions default_restrictions;
+         const Botan::Path_Validation_Restrictions restrictions(false, 80);
 
          for(const auto& t: test_cases)
             {
@@ -74,7 +74,7 @@ class Name_Constraint_Tests : public Test
 
             trusted.add_certificate(root);
             Botan::Path_Validation_Result path_result = Botan::x509_path_validate(
-               sub, default_restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH);
+               sub, restrictions, trusted, std::get<2>(t), Botan::Usage_Type::TLS_SERVER_AUTH);
 
             if(path_result.successful_validation() && path_result.trust_root() != root)
                path_result = Botan::Path_Validation_Result(Botan::Certificate_Status_Code::CANNOT_ESTABLISH_TRUST);
diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp
index e897d3e01..ff402bfa4 100644
--- a/src/tests/test_x509_path.cpp
+++ b/src/tests/test_x509_path.cpp
@@ -65,7 +65,8 @@ class X509test_Path_Validation_Tests : public Test
          std::map<std::string, std::string> expected =
             read_results(Test::data_file("x509test/expected.txt"));
 
-         const Botan::Path_Validation_Restrictions default_restrictions;
+         // Current tests use SHA-1
+         const Botan::Path_Validation_Restrictions restrictions(false, 80);
 
          Botan::X509_Certificate root(Test::data_file("x509test/root.pem"));
          Botan::Certificate_Store_In_Memory trusted;
@@ -87,7 +88,7 @@ class X509test_Path_Validation_Tests : public Test
                throw Test_Error("Failed to read certs from " + filename);
 
             Botan::Path_Validation_Result path_result = Botan::x509_path_validate(
-               certs, default_restrictions, trusted,
+               certs, restrictions, trusted,
                "www.tls.test", Botan::Usage_Type::TLS_SERVER_AUTH,
                validation_time);
 
@@ -205,7 +206,8 @@ std::vector<Test::Result> NIST_Path_Validation_Tests::run()
 
       Botan::X509_Certificate end_user(test_dir + "/end.crt");
 
-      Botan::Path_Validation_Restrictions restrictions(true);
+      // 1024 bit root cert
+      Botan::Path_Validation_Restrictions restrictions(true, 80);
 
       Botan::Path_Validation_Result validation_result =
          Botan::x509_path_validate(end_user,
diff --git a/src/tests/unit_x509.cpp b/src/tests/unit_x509.cpp
index 26ccfedc0..28cd46db7 100644
--- a/src/tests/unit_x509.cpp
+++ b/src/tests/unit_x509.cpp
@@ -359,7 +359,7 @@ Test::Result test_x509_cert(const std::string& sig_algo, const std::string& hash
    Botan::X509_CRL crl1 = ca.new_crl(Test::rng());
 
    /* Verify the certs */
-   Botan::Path_Validation_Restrictions restrictions(false);
+   Botan::Path_Validation_Restrictions restrictions(false, 80);
    Botan::Certificate_Store_In_Memory store;
 
    // First try with an empty store
@@ -558,7 +558,7 @@ Test::Result test_self_issued(const std::string& sig_algo, const std::string& ha
    // check that this chain can can be verified successfully
    Botan::Certificate_Store_In_Memory trusted(ca.ca_certificate());
 
-   Botan::Path_Validation_Restrictions restrictions;
+   Botan::Path_Validation_Restrictions restrictions(false, 80);
 
    Botan::Path_Validation_Result validation_result =
          Botan::x509_path_validate(self_issued_cert,