From 322f0ba4be71ef2dca9f9502a10221807bb2645e Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Thu, 27 Jun 2024 14:23:40 +0200
Subject: [PATCH 579/664] BSI: switch to 3072 minimum RSA key size

Resolves: #50

Index: fedora-crypto-policies-20230920.570ea89/policies/BSI.pol
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/policies/BSI.pol
+++ fedora-crypto-policies-20230920.570ea89/policies/BSI.pol
@@ -70,8 +70,7 @@ protocol@IKE = IKEv2
 # BSI TR 02102-2 / revision 2023.1: 3k recommended (actually BSI refers to 3000, but lets make it a 2 exponent)
 min_dh_size = 3072
 min_dsa_size = 3072
-# BSI TR 02102-2 / revision 2023.1: RSA 2k still allowed until end of 2023, after that 3k.
-min_rsa_size = 2048
+min_rsa_size = 3072
 # GnuTLS only for now
 sha1_in_certs = 0
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-gnutls.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-gnutls.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-gnutls.txt
@@ -79,7 +79,7 @@ tls-enabled-kx = DHE-RSA
 enabled-version = TLS1.3
 enabled-version = TLS1.2
 enabled-version = DTLS1.2
-min-verification-profile = medium
+min-verification-profile = high
 [priorities]
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-java.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-java.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-java.txt
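Review bot: The new `min_rsa_size = 3072` in the BSI.pol hunk is now the only size setting in this group without its rationale comment; the removed line carried the BSI TR 02102-2 reference, while the neighbouring min_dh_size/min_dsa_size and sha1_in_certs lines keep theirs. Suggest keeping a one-line comment above it, e.g. `# BSI TR 02102-2 / revision 2023.1: RSA 2k was allowed only until end of 2023, 3k from then on.`, so the next reader does not have to dig through history for the source of the number. Worth spelling out in the commit message as well: the generated BSI-openssl.txt and BSI-opensslcnf.txt hunks further down show the bump moves the CipherString from @SECLEVEL=2 to @SECLEVEL=3, and per OpenSSL's SSL_CTX_set_security_level documentation level 3 also disables TLS session tickets, so deployments on the BSI policy will see more change than just 2048-bit RSA keys being rejected.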
@@ -1,3 +1,3 @@
-jdk.certpath.disabledAlgorithms=MD2, SHA224, SHA1, MD5, DSA, RSA keySize < 2048
+jdk.certpath.disabledAlgorithms=MD2, SHA224, SHA1, MD5, DSA, RSA keySize < 3072
 jdk.tls.disabledAlgorithms=DH keySize < 3072, TLSv1.1, TLSv1, SSLv3, SSLv2, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, DHE_DSS, RSA_EXPORT, DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_DSS_EXPORT, DH_RSA_EXPORT, DH_anon, ECDH_anon, DH_RSA, DH_DSS, ECDH, 3DES_EDE_CBC, DES_CBC, RC4_40, RC4_128, DES40_CBC, RC2, HmacSHA1, HmacMD5
 jdk.tls.legacyAlgorithms=
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-nss.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-nss.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-nss.txt
@@ -1,6 +1,6 @@
 library=
 name=Policy
 NSS=flags=policyOnly,moduleDB
-config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=2048"
+config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072"
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-openssh.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-openssh.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-openssh.txt
@@ -5,4 +5,4 @@ KexAlgorithms ecdh-sha2-nistp256,ecdh-sh
 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
-RequiredRSASize 2048
+RequiredRSASize 3072
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensshserver.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensshserver.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensshserver.txt
@@ -6,4 +6,4 @@ HostKeyAlgorithms ecdsa-sha2-nistp256,ec
 PubkeyAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 HostbasedAcceptedAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 CASignatureAlgorithms ecdsa-sha2-nistp256,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-256,rsa-sha2-512
-RequiredRSASize 2048
+RequiredRSASize 3072
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-openssl.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-openssl.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-openssl.txt
@@ -1 +1 @@
-@SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+@SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-opensslcnf.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-opensslcnf.txt
@@ -1,4 +1,4 @@
-CipherString = @SECLEVEL=2:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
+CipherString = @SECLEVEL=3:kEECDH:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-kRSA:-aDSS:-CHACHA20:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:-SHA1:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
 TLS.MinProtocol = TLSv1.2
 TLS.MaxProtocol = TLSv1.3
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-rpm-sequoia.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-rpm-sequoia.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-rpm-sequoia.txt
@@ -31,7 +31,7 @@ default_disposition = "never"
 [asymmetric_algorithms]
 rsa1024 = "never"
-rsa2048 = "always"
+rsa2048 = "never"
 rsa3072 = "always"
 rsa4096 = "always"
 dsa1024 = "never"
Index: fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-sequoia.txt
===================================================================
--- fedora-crypto-policies-20230920.570ea89.orig/tests/outputs/BSI-sequoia.txt
+++ fedora-crypto-policies-20230920.570ea89/tests/outputs/BSI-sequoia.txt
@@ -31,7 +31,7 @@ default_disposition = "never"
 [asymmetric_algorithms]
 rsa1024 = "never"
-rsa2048 = "always"
+rsa2048 = "never"
 rsa3072 = "always"
 rsa4096 = "always"
 dsa1024 = "never"