[pve-devel] [PATCH manager 3/3] pve5to6: cert: check certificates key size

Alwin Antreich a.antreich at proxmox.com
Mon Jul 22 17:11:40 CEST 2019


Debian Buster raised the default security level (1 -> 2) for TLS
connections.

This moves from the 80 bit security level to the 112 bit security level
and requires 2048 bit or larger RSA and DHE keys, 224 bit or larger
ECC keys, and SHA-2 (rather than SHA-1) signatures.

Signed-off-by: Alwin Antreich <a.antreich at proxmox.com>
---
 PVE/CLI/pve5to6.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/PVE/CLI/pve5to6.pm b/PVE/CLI/pve5to6.pm
index d3c8e2db..faa30673 100644
--- a/PVE/CLI/pve5to6.pm
+++ b/PVE/CLI/pve5to6.pm
@@ -7,6 +7,7 @@ use PVE::API2::APT;
 use PVE::API2::Ceph;
 use PVE::API2::LXC;
 use PVE::API2::Qemu;
+use PVE::API2::Certificates;
 
 use PVE::Ceph::Tools;
 use PVE::Cluster;
@@ -627,6 +628,23 @@ sub check_misc {
 	}
     }
 
+    log_info("Check certifiacte's RSA key size");
+    my $certs = PVE::API2::Certificates->info({ node => $nodename });
+    my $cert_nok;
+    foreach my $c (@$certs) {
+	if (($c->{'public-key-type'} eq 'rsaEncryption') && ($c->{'public-key-bits'} < 2048)) {
+	    log_fail("$c->(unknown), certificate's RSA public key size is less than 2048 bit");
+	    $cert_nok = 1;
+	} elsif (($c->{'public-key-type'} eq 'id-ecPublicKey') && ($c->{'public-key-bits'} < 224)) {
+	    log_fail("$c->(unknown), certificate's ECC public key size is less than 224 bit");
+	    $cert_nok = 1;
+	} elsif (($c->{'public-key-type'} ne 'rsaEncryption') && ($c->{'public-key-type'} ne 'id-ecPublicKey')) {
+	    log_warn("$c->(unknown), certificate's public key type unkown, check Debian Busters release notes");
+	    $cert_nok = 1;
+	}
+    }
+    log_pass("Certificates pass Debian Busters security level for TLS connections") if !defined($cert_nok);
+
     check_kvm_nested();
 }
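Review bot: The new check in check_misc (lines 35–50) only validates public key sizes, yet the commit message says security level 2 also requires SHA-2, so a certificate with a 2048-bit RSA key but a SHA-1 signature would still be reported as passing. If the `info` call exposes the signature algorithm (I cannot see its return schema here), add a branch along the lines of `log_fail("$c->{filename}, certificate signature uses $c->{'signature-algorithm'}, SHA-2 is required") if ($c->{'signature-algorithm'} // '') =~ /sha1/i;` and set `$cert_nok` there too. The messages at lines 40, 43 and 46 interpolate `$c->(unknown)`, which Perl does not treat as a hash lookup and would print as the raw reference text; this looks like an archive artefact for something like `$c->{filename}`, but is worth confirming in the applied patch. The same strings carry typos (`certifiacte's`, `unkown`, `Busters`) that will show up verbatim in the tool's output. The enclosing `check_misc` starts before this hunk, and note that an empty certificate list also yields the pass message.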
 
-- 
2.20.1




