Files
vault/builtin/logical/ssh
Alexander Scheel 8833875b10 Fix PKI Weak Cryptographic Key Lengths Warning (#12886)
* Modernize SSH key lengths

No default change was made in this commit; note that the code already
enforced a default of 2048 bits. ssh-keygen and Go's RSA key generation
allow for key sizes including 3072, 4096, 8192; update the values of
SSH key generation to match PKI's allowed RSA key sizes (from
certutil.ValidateKeyTypeLength(...)). We still allow the legacy SSH key
size of 1024; in the near future we should likely remove it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure minimum of 2048-bit PKI RSA keys

While the stated path is a false-positive, verifying all paths is
non-trivial. We largely validate API call lengths using
certutil.ValidateKeyTypeLength(...), but ensuring no other path calls
certutil.generatePrivateKey(...) --- directly or indirectly --- is
non-trivial. Thus enforcing a minimum in this method sounds like a sane
compromise.

Resolves: https://github.com/hashicorp/vault/security/code-scanning/55

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-10-26 09:30:09 -04:00