From: Nikos Mavrogiannopoulos Date: Sun, 4 May 2014 11:54:58 +0000 (+0200) Subject: When generating ECDSA keys, generate 256-bit keys by default. X-Git-Tag: gnutls_3_3_2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3bc05da5314d1b73d20bd9749d86520041ec1db;p=thirdparty%2Fgnutls.git When generating ECDSA keys, generate 256-bit keys by default. Curves with less than 256 bits (i.e., SECP192R1 and SECP224R1) are not widely supported. --- diff --git a/src/certtool-common.c b/src/certtool-common.c index d1e3212a31..31b5529746 100644 --- a/src/certtool-common.c +++ b/src/certtool-common.c @@ -629,15 +629,17 @@ get_bits(gnutls_pk_algorithm_t key_type, int info_bits, } bits = info_bits; } else { - if (info_sec_param) { - bits = - gnutls_sec_param_to_pk_bits(key_type, - str_to_sec_param - (info_sec_param)); - } else - bits = - gnutls_sec_param_to_pk_bits(key_type, - GNUTLS_SEC_PARAM_MEDIUM); + if (info_sec_param == 0) { + /* For ECDSA keys use 256 bits or better, as they are widely supported */ + if (key_type == GNUTLS_PK_EC) + info_sec_param = "HIGH"; + else + info_sec_param = "MEDIUM"; + } + bits = + gnutls_sec_param_to_pk_bits(key_type, + str_to_sec_param + (info_sec_param)); } return bits; diff --git a/src/certtool.c b/src/certtool.c index d4e165cade..a5b5e9f262 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -116,6 +116,10 @@ generate_private_key_int(common_info_st * cinfo) fprintf(stderr, "Generating a %d bit %s private key...\n", bits, gnutls_pk_algorithm_get_name(key_type)); + if (bits < 256 && key_type == GNUTLS_PK_EC) + fprintf(stderr, + "Note that ECDSA keys with size less than 256 are not widely supported.\n\n"); + if (bits > 1024 && key_type == GNUTLS_PK_DSA) fprintf(stderr, "Note that DSA keys with size over 1024 may cause incompatibility problems when used with earlier than TLS 1.2 versions.\n\n");