loading up the forgejo repo on tangled to test page performance
Expanded minimum RSA Keylength to 3072 (#26604)

The German Federal Office for Information Security requests, in its technical
guideline BSI TR-02102-1, an RSA key length of no less than 3000 bits
starting in 2024; in 2023, 3000 bits is a recommendation. Gitea
should request longer RSA keys by default in favor of security and drop
old clients which do not support longer keys.


https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=9
- Page 19, Table 1.2

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

Authored by mainboarder and wxiaoguang; committed by GitHub.
c5339915 2401e6e1
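The setting this commit raises is a floor on the RSA modulus bit length, and the `3071` value (rather than 3072) exists because a key generated as 3072-bit can be measured one bit short. The following Go program is an added example, not Gitea's own code: it parses an authorized_keys-style `ssh-rsa` line with the standard library only, measures the modulus, and applies a check shaped like the `MINIMUM_KEY_SIZES` rule. The names `MinimumKeySizes`, `RSABitLength`, `CheckMinimumKeySize`, `EncodeRSAPublicKey`, `SyntheticRSAKeyLine` and `GeneratedRSAKeyLine` are this example's own, and the 3071-bit "key" is a constructed modulus (2^3070 + 1), not a real RSA key; it is there only to show the one-bit tolerance the config comment describes.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// MinimumKeySizes mirrors the shape of Gitea's ssh.MINIMUM_KEY_SIZES setting;
// only the RSA floor from this commit is modelled (assumed for this example).
var MinimumKeySizes = map[string]int{"rsa": 3071}

// readString consumes one SSH wire-format field: big-endian uint32 length + bytes.
func readString(buf []byte) (field, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("short buffer")
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(len(buf)-4) < uint64(n) {
		return nil, nil, errors.New("truncated field")
	}
	return buf[4 : 4+n], buf[4+n:], nil
}

// RSABitLength parses "ssh-rsa <base64> [comment]" and returns the modulus bit
// length, which is the number a minimum-size check must look at.
func RSABitLength(line string) (int, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-rsa" {
		return 0, errors.New("not an ssh-rsa key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return 0, err
	}
	keyType, rest, err := readString(blob)
	if err != nil || string(keyType) != "ssh-rsa" {
		return 0, errors.New("blob does not start with the ssh-rsa type string")
	}
	if _, rest, err = readString(rest); err != nil { // public exponent e, skipped
		return 0, err
	}
	modulus, _, err := readString(rest) // mpint n; a leading 0x00 pad does not change BitLen
	if err != nil {
		return 0, err
	}
	return new(big.Int).SetBytes(modulus).BitLen(), nil
}

// CheckMinimumKeySize rejects a key whose measured length is below the floor,
// so a key reported as 3071 bits passes while a 2048-bit key does not.
func CheckMinimumKeySize(line string) error {
	bits, err := RSABitLength(line)
	if err != nil {
		return err
	}
	if floor := MinimumKeySizes["rsa"]; bits < floor {
		return fmt.Errorf("rsa key is %d bits, minimum is %d", bits, floor)
	}
	return nil
}

// EncodeRSAPublicKey serialises a public key as an "ssh-rsa <base64>" line.
func EncodeRSAPublicKey(pub *rsa.PublicKey) string {
	mpint := func(x *big.Int) []byte { // two's complement: pad when the high bit is set
		b := x.Bytes()
		if len(b) > 0 && b[0]&0x80 != 0 {
			b = append([]byte{0}, b...)
		}
		return b
	}
	var blob []byte
	for _, f := range [][]byte{[]byte("ssh-rsa"), mpint(big.NewInt(int64(pub.E))), mpint(pub.N)} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		blob = append(append(blob, l[:]...), f...)
	}
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob)
}

// SyntheticRSAKeyLine builds a line whose modulus has exactly `bits` bits.
// The modulus 2^(bits-1)+1 is constructed, not a real RSA key.
func SyntheticRSAKeyLine(bits int) string {
	n := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	n.Add(n, big.NewInt(1))
	return EncodeRSAPublicKey(&rsa.PublicKey{N: n, E: 65537})
}

// GeneratedRSAKeyLine does the same with a real key from crypto/rsa.
func GeneratedRSAKeyLine(bits int) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return "", err
	}
	return EncodeRSAPublicKey(&key.PublicKey), nil
}

func main() {
	for _, bits := range []int{2048, 3071, 3072} {
		fmt.Printf("%d-bit modulus: check=%v\n", bits, CheckMinimumKeySize(SyntheticRSAKeyLine(bits)))
	}
}
```

Run it as `go run .`; the 2048-bit line is rejected and the 3071- and 3072-bit lines pass, which is exactly the behaviour the `RSA = 3071` comment in `app.example.ini` is asking for. An operator who wants a strict 3072 floor with no tolerance sets the value to 3072 and accepts that keys from generators that come out one bit short will be refused.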

+12 -9
+1 -1
cmd/cert.go
··· 43 43 }, 44 44 &cli.IntFlag{ 45 45 Name: "rsa-bits", 46 - Value: 2048, 46 + Value: 3072, 47 47 Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set", 48 48 }, 49 49 &cli.StringFlag{
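Review bot: only the default changes here; nothing in this hunk stops an operator from passing `--rsa-bits 1024`, and the `Usage` string still does not mention the new floor. If the BSI figure is meant as a minimum rather than a suggestion, reject values below 3072 when the flag is parsed, or at least say in `Usage` that smaller sizes remain accepted for compatibility.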
+1 -1
custom/conf/app.example.ini
··· 1339 1339 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type) 1340 1340 ;ED25519 = 256 1341 1341 ;ECDSA = 256 1342 - ;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length 1342 + ;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length 1343 1343 ;DSA = -1 ; set to 1024 to switch on 1344 1344 1345 1345 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
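Review bot: because `;RSA = 3071` is a commented-out example, instances that never set the key inherit the new default from `modules/setting/ssh.go`, while instances that copied `RSA = 2047` into their own `app.ini` silently keep the old floor. The comment (and the release notes) should state that a 2048-bit key can no longer be registered under the default and that `RSA = 2047` is the override for a transition period.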
+1 -1
docker/root/etc/s6/openssh/setup
··· 11 11 12 12 if [ ! -f /data/ssh/ssh_host_rsa_key ]; then 13 13 echo "Generating /data/ssh/ssh_host_rsa_key..." 14 - ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null 14 + ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null 15 15 fi 16 16 17 17 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then
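Review bot: the `if [ ! -f /data/ssh/ssh_host_rsa_key ]` guard means existing containers keep their 2048-bit host key indefinitely; only fresh volumes get 3072. Either document that operators must delete the file to regenerate (and warn that every client will then see a changed host key fingerprint), or add a one-time size check of the existing key before the `ssh-keygen` step.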
+1 -1
docs/content/administration/command-line.en-us.md
··· 313 313 - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options 314 314 are P224, P256, P384, P521. 315 315 - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is 316 - set. (default: 2048). 316 + set. (default: 3072). 317 317 - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`). 318 318 - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s) 319 319 - `--ca`: If provided, this cert generates it's own certificate authority. Optional.
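Review bot: while this list is being touched, the unchanged context line `- \`--ca\`: If provided, this cert generates it's own certificate authority` has a typo; `it's` should be `its`.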
+1 -1
docs/content/administration/command-line.zh-cn.md
··· 295 295 - 选项: 296 296 - `--host value`:逗号分隔的主机名和IP地址列表,此证书适用于这些主机。支持使用通配符。必填。 297 297 - `--ecdsa-curve value`:用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。 298 - - `--rsa-bits value`:要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve,则忽略此选项。(默认值:2048)。 298 + - `--rsa-bits value`:要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve,则忽略此选项。(默认值:3072)。 299 299 - `--start-date value`:证书的创建日期。可选。(格式:`Jan 1 15:04:05 2011`)。 300 300 - `--duration value`:证书有效期。可选。(默认值:8760h0m0s) 301 301 - `--ca`:如果提供此选项,则证书将生成自己的证书颁发机构。可选。
+1 -1
docs/content/administration/config-cheat-sheet.en-us.md
··· 681 681 682 682 - `ED25519`: **256** 683 683 - `ECDSA`: **256** 684 - - `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length. 684 + - `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length. 685 685 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider 686 686 687 687 ## Webhook (`webhook`)
+1 -1
docs/content/administration/config-cheat-sheet.zh-cn.md
··· 648 648 649 649 - `ED25519`:**256** 650 650 - `ECDSA`:**256** 651 - - `RSA`:**2047**:我们在这里设置为2047,因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。 651 + - `RSA`:**3071**:我们在这里设置为2047,因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。 652 652 - `DSA`:**-1**:默认情况下禁用DSA。设置为**1024**以重新启用,但请注意可能需要重新配置您的SSHD提供者 653 653 654 654 ## Webhook (`webhook`)
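Review bot: the added line still says `我们在这里设置为2047` ("we set 2047 here") although the value has been changed to **3071**, so the Chinese explanation now contradicts itself. It should read `我们在这里设置为3071,因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。`, matching the English cheat sheet change.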
+1 -1
modules/activitypub/user_settings.go
··· 8 8 "code.gitea.io/gitea/modules/util" 9 9 ) 10 10 11 - const rsaBits = 2048 11 + const rsaBits = 3072 12 12 13 13 // GetKeyPair function returns a user's private and public keys 14 14 func GetKeyPair(user *user_model.User) (pub, priv string, err error) {
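Review bot: raising `rsaBits` only affects keypairs generated from now on; whatever `GetKeyPair` already returned for existing users stays at 2048 bits, so the HTTP-signature side does not reach the BSI floor for existing accounts. If that is acceptable, say so in the description; otherwise a regeneration path is needed. Note also that 3072-bit generation is measurably slower than 2048-bit, which matters if `GetKeyPair` generates on first use inside a request.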
+1 -1
modules/setting/ssh.go
··· 60 60 ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"}, 61 61 KeygenPath: "", 62 62 MinimumKeySizeCheck: true, 63 - MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047}, 63 + MinimumKeySizes: map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 3071}, 64 64 ServerHostKeys: []string{"ssh/gitea.rsa", "ssh/gogs.rsa"}, 65 65 AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}", 66 66 PerWriteTimeout: PerWriteTimeout,
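Review bot: the `"rsa": 3071` entry tightens the key policy, but the unchanged `ServerMACs` line two lines above still offers `hmac-sha1` by default; tightening RSA for BSI reasons while leaving a SHA-1 MAC in the default list reads as inconsistent and deserves a follow-up. Separately, the `-1` tolerance is explained only in the ini comment and docs; a short comment on this map entry would stop a future cleanup from "fixing" 3071 back to 3072.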
+3
tests/integration/api_httpsig_test.go
··· 11 11 "testing" 12 12 13 13 auth_model "code.gitea.io/gitea/models/auth" 14 + "code.gitea.io/gitea/modules/setting" 14 15 api "code.gitea.io/gitea/modules/structs" 16 + "code.gitea.io/gitea/modules/test" 15 17 "code.gitea.io/gitea/tests" 16 18 17 19 "github.com/go-fed/httpsig" ··· 52 54 func TestHTTPSigPubKey(t *testing.T) { 53 55 // Add our public key to user1 54 56 defer tests.PrepareTestEnv(t)() 57 + defer test.MockVariableValue(&setting.SSH.MinimumKeySizeCheck, false)() 55 58 session := loginUser(t, "user1") 56 59 token := url.QueryEscape(getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)) 57 60 keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
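Review bot: mocking `setting.SSH.MinimumKeySizeCheck` to `false` makes `TestHTTPSigPubKey` pass by switching the check off rather than by using a key that satisfies it, so the test no longer exercises the production default. Prefer regenerating the fixture key at 3072 bits so the API path is tested with the size check enabled; if the fixture has to stay at 2048 bits, add a comment on the `MockVariableValue` line saying why the check is disabled here.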