Raise key length defaults

Extend RSA keylength to 2048 bits by default,
as the previous default of 1024 bit is considered
weak since 12/31/2010.

Also unify the message_md to the openssl builtin default.

Fixes bug 1103002

Change-Id: I70e90b7696f8a56073c3d6bdc9ed5d30cfa3401f

doc/source/configuration.rst

@@ -168,7 +168,7 @@ The values that specify where to read the certificates are under the
 * ``keyfile`` - Location of private key used to sign tokens.  Default is ``/etc/keystone/ssl/private/signing_key.pem``
 * ``ca_certs`` - Location of certificate for the authority that issued the above certificate. Default is ``/etc/keystone/ssl/certs/ca.pem``
 * ``ca_key`` - Default is ``/etc/keystone/ssl/certs/cakey.pem``
-* ``key_size`` - Default is ``1024``
+* ``key_size`` - Default is ``2048``
 * ``valid_days`` - Default is ``3650``
 * ``ca_password``  - Password required to read the ca_file. Default is None
 
@@ -202,9 +202,9 @@ generate a PKCS #10 Certificate Request Syntax (CRS) using OpenSSL CLI.
 First create a certificate request configuration file (e.g. ``cert_req.conf``)::
 
     [ req ]
-    default_bits            = 1024
+    default_bits            = 2048
     default_keyfile         = keystonekey.pem
-    default_md              = sha1
+    default_md              = default
 
     prompt                  = no
     distinguished_name      = distinguished_name
@@ -223,7 +223,7 @@ key. Must use the -nodes option.**
 
 For example::
 
-    openssl req -newkey rsa:1024 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
+    openssl req -newkey rsa:2048 -keyout signing_key.pem -keyform PEM -out signing_cert_req.pem -outform PEM -config cert_req.conf -nodes
 
 
 If everything is successfully, you should end up with ``signing_cert_req.pem``

etc/keystone.conf.sample

@@ -146,7 +146,7 @@
 #certfile = /etc/keystone/ssl/certs/signing_cert.pem
 #keyfile = /etc/keystone/ssl/private/signing_key.pem
 #ca_certs = /etc/keystone/ssl/certs/ca.pem
-#key_size = 1024
+#key_size = 2048
 #valid_days = 3650
 #ca_password = None
 #cert_subject = /C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com

examples/pki/gen_pki.sh

@@ -40,9 +40,9 @@ function cleanup {
 function generate_ca_conf {
   echo '
 [ req ]
-default_bits            = 1024
+default_bits            = 2048
 default_keyfile         = cakey.pem
-default_md              = sha1
+default_md              = default
 
 prompt                  = no
 distinguished_name      = ca_distinguished_name
@@ -67,9 +67,9 @@ basicConstraints        = critical,CA:true
 function generate_ssl_req_conf {
   echo '
 [ req ]
-default_bits            = 1024
+default_bits            = 2048
 default_keyfile         = keystonekey.pem
-default_md              = sha1
+default_md              = default
 
 prompt                  = no
 distinguished_name      = distinguished_name
@@ -88,9 +88,9 @@ emailAddress            = keystone@openstack.org
 function generate_cms_signing_req_conf {
   echo '
 [ req ]
-default_bits            = 1024
+default_bits            = 2048
 default_keyfile         = keystonekey.pem
-default_md              = sha1
+default_md              = default
 
 prompt                  = no
 distinguished_name      = distinguished_name
@@ -122,7 +122,7 @@ private_key     = $dir/private/cakey.pem
 
 default_days            = 21360
 default_crl_days        = 30
-default_md              = sha1
+default_md              = default
 
 policy                  = policy_any
 
@@ -157,22 +157,22 @@ function check_error {
 
 function generate_ca {
   echo 'Generating New CA Certificate ...'
-  openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+  openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
   check_error $?
 }
 
 function ssl_cert_req {
   echo 'Generating SSL Certificate Request ...'
   generate_ssl_req_conf
-  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
+  openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
   check_error $?
   #openssl req -in req.pem -text -noout
 }
 
 function cms_signing_cert_req {
   echo 'Generating CMS Signing Certificate Request ...'
   generate_cms_signing_req_conf
-  openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
+  openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
   check_error $?
   #openssl req -in req.pem -text -noout
 }

keystone/common/config.py

@@ -245,7 +245,7 @@ def configure():
         default="/etc/keystone/ssl/certs/ca.pem")
     register_str('ca_key', group='signing',
                  default="/etc/keystone/ssl/certs/cakey.pem")
-    register_int('key_size', group='signing', default=1024)
+    register_int('key_size', group='signing', default=2048)
     register_int('valid_days', group='signing', default=3650)
     register_str('ca_password', group='signing', default=None)
     register_str('cert_subject', group='signing',

keystone/common/openssl.py

@@ -197,7 +197,7 @@ def __init__(self, keystone_user, keystone_group):
 serial            = $dir/serial
 database          = $dir/index.txt
 default_days      = 365
-default_md        = sha1
+default_md        = default # use public key default MD
 preserve          = no
 email_in_dn       = no
 nameopt           = default_ca
@@ -215,7 +215,7 @@ def __init__(self, keystone_user, keystone_group):
 emailAddress            = optional
 
 [ req ]
-default_bits       = 1024 # Size of keys
+default_bits       = 2048 # Size of keys
 default_keyfile    = key.pem # name of generated keys
 default_md         = default # message digest algorithm
 string_mask        = nombstr # permitted characters