Expanded minimum RSA Keylength to 3072 (#26604)
German Federal Office for Information Security requests in its technical guideline BSI TR-02102-1 RSA Keylength not shorter than 3000bits starting 2024, in the year 2023 3000bits as a recommendation. Gitea should request longer RSA Keys by default in favor of security and drop old clients which do not support longer keys. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9 - Page 19, Table 1.2 --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
parent
2401e6e121
commit
c533991519
@ -43,7 +43,7 @@ Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
|
|||||||
},
|
},
|
||||||
&cli.IntFlag{
|
&cli.IntFlag{
|
||||||
Name: "rsa-bits",
|
Name: "rsa-bits",
|
||||||
Value: 2048,
|
Value: 3072,
|
||||||
Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
|
Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
|
||||||
},
|
},
|
||||||
&cli.StringFlag{
|
&cli.StringFlag{
|
||||||
|
@ -1339,7 +1339,7 @@ LEVEL = Info
|
|||||||
;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
|
;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
|
||||||
;ED25519 = 256
|
;ED25519 = 256
|
||||||
;ECDSA = 256
|
;ECDSA = 256
|
||||||
;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
|
;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
|
||||||
;DSA = -1 ; set to 1024 to switch on
|
;DSA = -1 ; set to 1024 to switch on
|
||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
@ -11,7 +11,7 @@ fi
|
|||||||
|
|
||||||
if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
|
if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
|
||||||
echo "Generating /data/ssh/ssh_host_rsa_key..."
|
echo "Generating /data/ssh/ssh_host_rsa_key..."
|
||||||
ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
|
ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
|
if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
|
||||||
|
@ -313,7 +313,7 @@ directory and will overwrite any existing files.
|
|||||||
- `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
|
- `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
|
||||||
are P224, P256, P384, P521.
|
are P224, P256, P384, P521.
|
||||||
- `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
|
- `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
|
||||||
set. (default: 2048).
|
set. (default: 3072).
|
||||||
- `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
|
- `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
|
||||||
- `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
|
- `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
|
||||||
- `--ca`: If provided, this cert generates it's own certificate authority. Optional.
|
- `--ca`: If provided, this cert generates it's own certificate authority. Optional.
|
||||||
|
@ -295,7 +295,7 @@ menu:
|
|||||||
- 选项:
|
- 选项:
|
||||||
- `--host value`:逗号分隔的主机名和IP地址列表,此证书适用于这些主机。支持使用通配符。必填。
|
- `--host value`:逗号分隔的主机名和IP地址列表,此证书适用于这些主机。支持使用通配符。必填。
|
||||||
- `--ecdsa-curve value`:用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。
|
- `--ecdsa-curve value`:用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。
|
||||||
- `--rsa-bits value`:要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve,则忽略此选项。(默认值:2048)。
|
- `--rsa-bits value`:要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve,则忽略此选项。(默认值:3072)。
|
||||||
- `--start-date value`:证书的创建日期。可选。(格式:`Jan 1 15:04:05 2011`)。
|
- `--start-date value`:证书的创建日期。可选。(格式:`Jan 1 15:04:05 2011`)。
|
||||||
- `--duration value`:证书有效期。可选。(默认值:8760h0m0s)
|
- `--duration value`:证书有效期。可选。(默认值:8760h0m0s)
|
||||||
- `--ca`:如果提供此选项,则证书将生成自己的证书颁发机构。可选。
|
- `--ca`:如果提供此选项,则证书将生成自己的证书颁发机构。可选。
|
||||||
|
@ -681,7 +681,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
|
|||||||
|
|
||||||
- `ED25519`: **256**
|
- `ED25519`: **256**
|
||||||
- `ECDSA`: **256**
|
- `ECDSA`: **256**
|
||||||
- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
|
- `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length.
|
||||||
- `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
|
- `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
|
||||||
|
|
||||||
## Webhook (`webhook`)
|
## Webhook (`webhook`)
|
||||||
|
@ -648,7 +648,7 @@ Gitea 创建以下非唯一队列:
|
|||||||
|
|
||||||
- `ED25519`:**256**
|
- `ED25519`:**256**
|
||||||
- `ECDSA`:**256**
|
- `ECDSA`:**256**
|
||||||
- `RSA`:**2047**:我们在这里设置为2047,因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。
|
- `RSA`:**3071**:我们在这里设置为2047,因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。
|
||||||
- `DSA`:**-1**:默认情况下禁用DSA。设置为**1024**以重新启用,但请注意可能需要重新配置您的SSHD提供者
|
- `DSA`:**-1**:默认情况下禁用DSA。设置为**1024**以重新启用,但请注意可能需要重新配置您的SSHD提供者
|
||||||
|
|
||||||
## Webhook (`webhook`)
|
## Webhook (`webhook`)
|
||||||
|
@ -8,7 +8,7 @@ import (
|
|||||||
"code.gitea.io/gitea/modules/util"
|
"code.gitea.io/gitea/modules/util"
|
||||||
)
|
)
|
||||||
|
|
||||||
const rsaBits = 2048
|
const rsaBits = 3072
|
||||||
|
|
||||||
// GetKeyPair function returns a user's private and public keys
|
// GetKeyPair function returns a user's private and public keys
|
||||||
func GetKeyPair(user *user_model.User) (pub, priv string, err error) {
|
func GetKeyPair(user *user_model.User) (pub, priv string, err error) {
|
||||||
|
@ -60,7 +60,7 @@ var SSH = struct {
|
|||||||
ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
|
ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
|
||||||
KeygenPath: "",
|
KeygenPath: "",
|
||||||
MinimumKeySizeCheck: true,
|
MinimumKeySizeCheck: true,
|
||||||
MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
|
MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 3071},
|
||||||
ServerHostKeys: []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
|
ServerHostKeys: []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
|
||||||
AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
|
AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
|
||||||
PerWriteTimeout: PerWriteTimeout,
|
PerWriteTimeout: PerWriteTimeout,
|
||||||
|
@ -11,7 +11,9 @@ import (
|
|||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
auth_model "code.gitea.io/gitea/models/auth"
|
auth_model "code.gitea.io/gitea/models/auth"
|
||||||
|
"code.gitea.io/gitea/modules/setting"
|
||||||
api "code.gitea.io/gitea/modules/structs"
|
api "code.gitea.io/gitea/modules/structs"
|
||||||
|
"code.gitea.io/gitea/modules/test"
|
||||||
"code.gitea.io/gitea/tests"
|
"code.gitea.io/gitea/tests"
|
||||||
|
|
||||||
"github.com/go-fed/httpsig"
|
"github.com/go-fed/httpsig"
|
||||||
@ -52,6 +54,7 @@ fhTNAzWwZoQ91aHdAAAAFHUwMDIyMTQ2QGljdHMtcC1ueC03AQIDBAUG
|
|||||||
func TestHTTPSigPubKey(t *testing.T) {
|
func TestHTTPSigPubKey(t *testing.T) {
|
||||||
// Add our public key to user1
|
// Add our public key to user1
|
||||||
defer tests.PrepareTestEnv(t)()
|
defer tests.PrepareTestEnv(t)()
|
||||||
|
defer test.MockVariableValue(&setting.SSH.MinimumKeySizeCheck, false)()
|
||||||
session := loginUser(t, "user1")
|
session := loginUser(t, "user1")
|
||||||
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
|
token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser))
|
||||||
keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
|
keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
|
||||||
|
Loading…
x
Reference in New Issue
Block a user