[pve-devel] [PATCH manager 3/3] pve5to6: cert: check certificates key size
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Jul 23 08:15:37 CEST 2019
On 7/22/19 5:11 PM, Alwin Antreich wrote:
> Debian Buster raised the default security level (1 -> 2) for TLS
> connections.
>
> This moves from the 80 bit security level to the 112 bit security level
> and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger
> ECC keys, and SHA-2.
>
> Signed-off-by: Alwin Antreich <a.antreich at proxmox.com>
> ---
> PVE/CLI/pve5to6.pm | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/PVE/CLI/pve5to6.pm b/PVE/CLI/pve5to6.pm
> index d3c8e2db..faa30673 100644
> --- a/PVE/CLI/pve5to6.pm
> +++ b/PVE/CLI/pve5to6.pm
> @@ -7,6 +7,7 @@ use PVE::API2::APT;
> use PVE::API2::Ceph;
> use PVE::API2::LXC;
> use PVE::API2::Qemu;
> +use PVE::API2::Certificates;
>
> use PVE::Ceph::Tools;
> use PVE::Cluster;
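Review bot: the new `use PVE::API2::Certificates;` breaks the alphabetical order of the PVE::API2 imports in this hunk (APT, Ceph, LXC, Qemu); move it between `use PVE::API2::APT;` and `use PVE::API2::Ceph;` so the block stays sorted.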
> @@ -627,6 +628,23 @@ sub check_misc {
> }
> }
>
> + log_info("Check certifiacte's RSA key size");
> + my $certs = PVE::API2::Certificates->info({ node => $nodename });
> + my $cert_nok;
> + foreach my $c (@$certs) {
potential cleanup to reduce noise in the if/else below:
my ($type, $size, $fn) = $c->@{qw(public-key-type public-key-bits filename)};
and respective replacements of variables and reduction of one level of
parenthesis: EXPR1 && EXPR2 vs (EXPR1) && (EXPR2)
Looks OK besides that (did not test it)
> + if (($c->{'public-key-type'} eq 'rsaEncryption') && ($c->{'public-key-bits'} < 2048)) {
> + log_fail("$c->(unknown), certificate's RSA public key size is less than 2048 bit");
> + $cert_nok = 1;
> + } elsif (($c->{'public-key-type'} eq 'id-ecPublicKey') && ($c->{'public-key-bits'} < 224)) {
> + log_fail("$c->(unknown), certificate's ECC public key size is less than 224 bit");
> + $cert_nok = 1;
> + } elsif (($c->{'public-key-type'} ne 'rsaEncryption') && ($c->{'public-key-type'} ne 'id-ecPublicKey')) {
> + log_warn("$c->(unknown), certificate's public key type unkown, check Debian Busters release notes");
> + $cert_nok = 1;
> + }
> + }
> + log_pass("Certificates pass Debian Busters security level for TLS connections") if !defined($cert_nok);
> +
> check_kvm_nested();
> }
>
>
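Review bot: the last `elsif` branch (unknown key type) only calls log_warn but still sets `$cert_nok = 1`, so one warning suppresses the closing log_pass even though no certificate failed; either make that branch a log_fail or leave `$cert_nok` unset there. The commit message also lists SHA-2 as a requirement of the new security level, but the check only inspects `public-key-type` and `public-key-bits`, so a 2048 bit RSA certificate with a SHA-1 signature would still pass; either check the signature algorithm as well or word the log_pass message to cover key sizes only. The log messages interpolate `$c->(unknown)`, which is not a hash lookup inside a double-quoted string; use the certificate's filename, e.g. `$c->{filename}` (or `$fn` with the slice suggested above), so the user can tell which file is affected. Typos in the messages: "certifiacte's", "unkown", and "Debian Busters" should be "Debian Buster's".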