From 9fd384f2276c2df72ed97098746072526f874bd1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Mon, 5 Aug 2019 12:14:13 +1000
Subject: [PATCH] LWCA key gen: use parent key size LWCA keys are currently hardcoded to 2048-bit RSA. This could be less than the parent CA key, which is not desirable. Update LWCA key generation to use the same key size as the parent. If the parent is not an RSA key, default to 3072-bit RSA. Part of: https://pagure.io/dogtagpki/issue/1589
---
 .../src/com/netscape/ca/CertificateAuthority.java | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
index e470ccef273..6371fb62314 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
@@ -30,6 +30,7 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
 import java.security.Signature;
+import java.security.interfaces.RSAKey;
 import java.security.cert.CRLException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateParsingException;
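Review bot: The new `import java.security.interfaces.RSAKey;` is placed between `java.security.Signature` and the `java.security.cert.*` lines, which breaks the ASCII ordering the surrounding import block keeps (uppercase class names before the `cert` sub-package, and `cert` before `interfaces`). Move it below the `java.security.cert` imports so the group stays sorted; the rest of that block is outside the hunk, so there may be further `java.security` sub-package imports to place it against.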
@@ -2861,9 +2862,19 @@ public ICertificateAuthority createSubCA(
 CryptoManager cryptoManager = CryptoManager.getInstance();
 // TODO read PROP_TOKEN_NAME config
 CryptoToken token = cryptoManager.getInternalKeyStorageToken();
- // TODO algorithm parameter
+
+ // Key size of sub-CA shall be key size of this CA.
+ // If the key is not RSA (e.g. EC) default to 3072 bits.
+ //
+ // TODO key generation parameters
 KeyPairGenerator gen = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
- gen.initialize(2048);
+ int keySize = 3072;
+ PublicKey thisPub = mSigningUnit.getPublicKey();
+ if (thisPub instanceof RSAKey) {
+ keySize = ((RSAKey) thisPub).getModulus().bitLength();
+ }
+ gen.initialize(keySize);
+
 KeyPair keypair = gen.genKeyPair();
 PublicKey pub = keypair.getPublic();
 X509Key x509key = CryptoUtil.convertPublicKeyToX509Key(pub);
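Review bot: The new `keySize` assignment copies the parent's modulus size with no lower bound, so a parent CA whose RSA modulus is smaller than the previously hardcoded 2048 bits now yields an equally small sub-CA key, which is a regression from the old fixed size rather than the "not less than the parent" intent stated in the commit message. Clamp the inherited size to the old minimum, `keySize = Math.max(2048, ((RSAKey) thisPub).getModulus().bitLength());`, and extend the new block comment with a line such as `// Never go below the former fixed size of 2048 bits.` so the floor is visible next to the 3072-bit non-RSA default. The 2048 floor and the 3072 default are both candidates for the configuration the `// TODO key generation parameters` comment already anticipates. `createSubCA` begins and ends outside this hunk.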