[PATCH] virnettlshelpers: Update private key

Michal Privoznik posted 1 patch 4 years, 4 months ago
Test syntax-check failed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/a890d5f8c036adb253095e4e5559c72364a504e9.1593595221.git.mprivozn@redhat.com
There is a newer version of this series
tests/virnettlshelpers.c | 20 ++++----------------
1 file changed, 4 insertions(+), 16 deletions(-)
[PATCH] virnettlshelpers: Update private key
Posted by Michal Privoznik 4 years, 4 months ago
With the recent update of Fedora rawhide I've noticed
virnettlssessiontest and virnettlscontexttest failing with:

  Our own certificate servercertreq-ctx.pem failed validation
  against cacertreq-ctx.pem: The certificate uses an insecure
  algorithm

This is a result of Fedora changes to support strong crypto [1]. RSA
with a 1024 bit key is viewed as legacy and thus insecure. Generate
a new private key then. Moreover, switch to EC which is not only
shorter but also not deprecated as often as RSA. Generated
using the following command:

  openssl genpkey --outform PEM --out privkey.pem \
  --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
  --pkeyopt ec_param_enc:named_curve

1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---

According to our CI all systems support elliptic curves:

  https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641

but maybe this should be merged only after the release?

 tests/virnettlshelpers.c | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/tests/virnettlshelpers.c b/tests/virnettlshelpers.c
index e2b8e8359a..979afed307 100644
--- a/tests/virnettlshelpers.c
+++ b/tests/virnettlshelpers.c
@@ -47,22 +47,10 @@ extern const ASN1_ARRAY_TYPE pkix_asn1_tab[];
 gnutls_x509_privkey_t privkey;
 # define PRIVATE_KEY \
     "-----BEGIN PRIVATE KEY-----\n" \
-    "MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr\n" \
-    "BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE\n" \
-    "Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9\n" \
-    "rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc\n" \
-    "kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL\n" \
-    "IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H\n" \
-    "myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn\n" \
-    "2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO\n" \
-    "m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J\n" \
-    "bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK\n" \
-    "mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA\n" \
-    "Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa\n" \
-    "L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd\n" \
-    "a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W\n" \
-    "nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp\n" \
-    "dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci\n" \
+    "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD39t6GRLeEmsYjRGR6\n" \
+    "iQiIN2S4zXsgLGS/2GloXdG7K+i/3vEJDt9celZ0DfCLcG6hZANiAAQTJIe13jy7\n" \
+    "k4KTXMkHQHEJa/asH263JaPL5kTbfRa6tMq3DS3pzWlOj+NHY/9JzthrKD+Ece+g\n" \
+    "2g/POHa0gfXRYXGiHTs8mY0AHFqNNmF38eIVGjOqobIi90MkyI3wx4g=\n" \
     "-----END PRIVATE KEY-----\n"
 
 /*
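Review bot: the recipe for producing this key lives only in the commit message; add a comment above `# define PRIVATE_KEY` recording that the blob is a PKCS#8 P-384 EC key and the `openssl genpkey ... --pkeyopt ec_paramgen_curve:P-384` command that generated it, so the next forced rotation does not have to rediscover how the fixture was made. The same comment should state that this is a throwaway test fixture that is public by design, since it is committed in a source file.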
-- 
2.26.2
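
As an added example (my own code, not libvirt's and not part of this thread), the following Python reads a PKCS#8 "PRIVATE KEY" PEM blob such as the one in the PRIVATE_KEY macro with a small standard-library DER walker, reports the key algorithm and size, and flags keys that fall under the RSA 2048-bit floor the Fedora policy change enforces. The two key blobs are copied from the hunk above; the function names, the CURVES table and the 256-bit floor for EC keys are assumptions of this example.

```python
# Added example, not libvirt's code: inspect the PKCS#8 private key that
# tests/virnettlshelpers.c embeds in PRIVATE_KEY and flag keys a strong crypto
# policy would reject. Standard library only; the DER walker covers just the
# tags PrivateKeyInfo, RSAPrivateKey and ECPrivateKey use.
import base64
import re

RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption
EC_OID = "1.2.840.10045.2.1"      # id-ecPublicKey
CURVES = {"1.2.840.10045.3.1.7": ("P-256", 256),
          "1.3.132.0.34": ("P-384", 384),
          "1.3.132.0.35": ("P-521", 521)}
# RSA below 2048 bits is what the Fedora policy change rejects; the EC floor
# of 256 bits is an assumption made for this example.
MIN_BITS = {"RSA": 2048, "EC": 256}

# Both blobs are copied from the diff hunk: the 1024-bit RSA key the patch
# removes and the P-384 EC key that replaces it.
OLD_RSA_KEY = """-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALVcr
BL40Tm6yq88FBhJNw1aaoCjmtg0l4dWQZ/e9Fimx4ARxFpT+ji4FE
Cgl9s/SGqC+1nvlkm9ViSo0j7MKDbnDB+VRHDvMAzQhA2X7e8M0n9
rPolUY2lIVC83q0BBaOBkCj2RSmT2xTEbbC2xLukSrg2WP/ihVOxc
kXRuyFtzAgMBAAECgYB7slBexDwXrtItAMIH6m/U+LUpNe0Xx48OL
IOn4a4whNgO/o84uIwygUK27ZGFZT0kAGAk8CdF9hA6ArcbQ62s1H
myxrUbF9/mrLsQw1NEqpuUk9Ay2Tx5U/wPx35S3W/X2AvR/ZpTnCn
2q/7ym9fyiSoj86drD7BTvmKXlOnOwQJBAPOFMp4mMa9NGpGuEssO
m3Uwbp6lhcP0cA9MK+iOmeANpoKWfBdk5O34VbmeXnGYWEkrnX+9J
bM4wVhnnBWtgBMCQQC+qAEmvwcfhauERKYznMVUVksyeuhxhCe7EK
mPh+U2+g0WwdKvGDgO0PPt1gq0ILEjspMDeMHVdTwkaVBo/uMhAkA
Z5SsZyCP2aTOPFDypXRdI4eqRcjaEPOUBq27r3uYb/jeboVb2weLa
L1MmVuHiIHoa5clswPdWVI2y0em2IGoDAkBPSp/v9VKJEZabk9Frd
a+7u4fanrM9QrEjY3KhduslSilXZZSxrWjjAJPyPiqFb3M8XXA26W
nz1KYGnqYKhLcBAkB7dt57n9xfrhDpuyVEv+Uv1D3VVAhZlsaZ5Pp
dcrhrkJn2sa/+O8OKvdrPSeeu/N5WwYhJf61+CPoenMp7IFci
-----END PRIVATE KEY-----"""
NEW_EC_KEY = """-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD39t6GRLeEmsYjRGR6
iQiIN2S4zXsgLGS/2GloXdG7K+i/3vEJDt9celZ0DfCLcG6hZANiAAQTJIe13jy7
k4KTXMkHQHEJa/asH263JaPL5kTbfRa6tMq3DS3pzWlOj+NHY/9JzthrKD+Ece+g
2g/POHa0gfXRYXGiHTs8mY0AHFqNNmF38eIVGjOqobIi90MkyI3wx4g=
-----END PRIVATE KEY-----"""

def der_read(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def decode_oid(content):
    """Render OBJECT IDENTIFIER content octets in dotted form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])

def pem_to_der(pem):
    """Strip the PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))

def describe_private_key(pem):
    """Return (algorithm, bits, detail) for a PKCS#8 'PRIVATE KEY' PEM blob."""
    _tag, info, _ = der_read(pem_to_der(pem), 0)  # outer PrivateKeyInfo SEQUENCE
    _version, alg_id, key_octets = der_children(info)[:3]
    alg_parts = der_children(alg_id[1])
    alg_oid = decode_oid(alg_parts[0][1])
    if alg_oid == RSA_OID:
        # RSAPrivateKey ::= SEQUENCE { version, modulus, ... }: the key size is
        # the width of the modulus, so only the first two fields are read.
        _, rsa_key, _ = der_read(key_octets[1], 0)
        _, _, after_version = der_read(rsa_key, 0)
        _, modulus, _ = der_read(rsa_key, after_version)
        return "RSA", int.from_bytes(modulus, "big").bit_length(), "rsaEncryption"
    if alg_oid == EC_OID:
        # For EC keys the named curve is the AlgorithmIdentifier parameter OID.
        name, bits = CURVES[decode_oid(alg_parts[1][1])]
        return "EC", bits, name
    raise ValueError("unsupported key algorithm " + alg_oid)

def key_is_legacy(pem):
    """True when the key falls below the MIN_BITS floor for its algorithm."""
    algo, bits, _ = describe_private_key(pem)
    return bits < MIN_BITS[algo]

if __name__ == "__main__":
    for label, pem in (("old", OLD_RSA_KEY), ("new", NEW_EC_KEY)):
        algo, bits, detail = describe_private_key(pem)
        print(f"{label}: {algo} {bits}-bit {detail} legacy={key_is_legacy(pem)}")
```

Pointing describe_private_key at a test fixture before a distribution bumps its crypto policy surfaces the same condition the commit message reports, without needing a TLS handshake to trip over it.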

Re: [PATCH] virnettlshelpers: Update private key
Posted by Daniel P. Berrangé 4 years, 4 months ago
On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
> With the recent update of Fedora rawhide I've noticed
> virnettlssessiontest and virnettlscontexttest failing with:
> 
>   Our own certificate servercertreq-ctx.pem failed validation
>   against cacertreq-ctx.pem: The certificate uses an insecure
>   algorithm
> 
> This is a result of Fedora changes to support strong crypto [1]. RSA
> with a 1024 bit key is viewed as legacy and thus insecure. Generate
> a new private key then. Moreover, switch to EC which is not only
> shorter but also not deprecated as often as RSA. Generated
> using the following command:
> 
>   openssl genpkey --outform PEM --out privkey.pem \
>   --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>   --pkeyopt ec_param_enc:named_curve
> 
> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
> 
> According to our CI all systems support elliptic curves:
> 
>   https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
> 
> but maybe this should be merged only after the release?

It'd be nicer to merge for release actually, because otherwise we're
going to hit the failing test when we pull the new release into
Fedora rawhide.

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [PATCH] virnettlshelpers: Update private key
Posted by Michal Privoznik 4 years, 4 months ago
On 7/1/20 1:13 PM, Daniel P. Berrangé wrote:
> On Wed, Jul 01, 2020 at 11:45:15AM +0200, Michal Privoznik wrote:
>> With the recent update of Fedora rawhide I've noticed
>> virnettlssessiontest and virnettlscontexttest failing with:
>>
>>    Our own certificate servercertreq-ctx.pem failed validation
>>    against cacertreq-ctx.pem: The certificate uses an insecure
>>    algorithm
>>
>> This is a result of Fedora changes to support strong crypto [1]. RSA
>> with a 1024 bit key is viewed as legacy and thus insecure. Generate
>> a new private key then. Moreover, switch to EC which is not only
>> shorter but also not deprecated as often as RSA. Generated
>> using the following command:
>>
>>    openssl genpkey --outform PEM --out privkey.pem \
>>    --algorithm EC --pkeyopt ec_paramgen_curve:P-384 \
>>    --pkeyopt ec_param_enc:named_curve
>>
>> 1: https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
>>
>> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>> ---
>>
>> According to our CI all systems support elliptic curves:
>>
>>    https://gitlab.com/MichalPrivoznik/libvirt/-/pipelines/161932641
>>
>> but maybe this should be merged only after the release?
> 
> It'd be nicer to merge for release actually, because otherwise we're
> going to hit the failing test when we pull the new release into
> Fedora rawhide.
> 
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Alright, I've merged it.

Michal