From bb38632949519fa89284431091b906154458913a Mon Sep 17 00:00:00 2001
From: Plamen Bardarov
Date: Fri, 21 Nov 2025 13:42:57 +0200
Subject: [PATCH] increase envoy key size to 3072 bits

---
 depot/containerstore/credmanager.go | 3 ++-
 depot/containerstore/credmanager_test.go | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/depot/containerstore/credmanager.go b/depot/containerstore/credmanager.go
index fe91ff12..ee34aeaa 100644
--- a/depot/containerstore/credmanager.go
+++ b/depot/containerstore/credmanager.go
@@ -31,6 +31,7 @@ const (
 C2CCredCreationSucceededCount = "C2CCredCreationSucceededCount"
 C2CCredCreationSucceededDuration = "C2CCredCreationSucceededDuration"
 C2CCredCreationFailedCount = "C2CCredCreationFailedCount"
+ RSAPrivateKeySize = 3072
 )
 
 type Credentials struct {
@@ -351,7 +352,7 @@ func (c *credManager) generateC2cCred(logger lager.Logger, container executor.Co
 
 func (c *credManager) generateCredForSAN(logger lager.Logger, certSAN certificateSAN, certGUID string) (Credential, error) {
 logger.Debug("generating-private-key")
- privateKey, err := rsa.GenerateKey(c.entropyReader, 2048)
+ privateKey, err := rsa.GenerateKey(c.entropyReader, RSAPrivateKeySize)
 if err != nil {
 return Credential{}, err
 }
diff --git a/depot/containerstore/credmanager_test.go b/depot/containerstore/credmanager_test.go
index af0bf7e7..dbb9bff3 100644
--- a/depot/containerstore/credmanager_test.go
+++ b/depot/containerstore/credmanager_test.go
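Review bot: `RSAPrivateKeySize = 3072` is a new exported constant with no doc comment, and it is dropped into a const block that otherwise holds metric-name strings (C2CCredCreationSucceededCount and friends), so a reader of that block cannot tell what it parameterises. Give it its own const block with a comment such as `// RSAPrivateKeySize is the RSA modulus size, in bits, that generateCredForSAN uses when generating container credentials; 3072 bits is the size NIST SP 800-57 pairs with a 128-bit security level.` so the reason is recorded next to the value and is not silently lowered later. The second hunk's `rsa.GenerateKey(c.entropyReader, RSAPrivateKeySize)` is where the cost of the change lands: generating a 3072-bit key is markedly slower than a 2048-bit one, so the C2CCredCreation*Duration metrics declared beside the constant will presumably shift, which is worth a sentence in the commit description. The const block opens before the first hunk and generateCredForSAN continues past the end of the second.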
@@ -556,6 +556,11 @@ var _ = Describe("CredManager", func() {
 Expect(cert.ExtKeyUsage).To(ContainElement(x509.ExtKeyUsageServerAuth))
 Expect(cert.KeyUsage).To(Equal(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement))
 
+ By("has the expected key length")
+ rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
+ Expect(ok).To(BeTrue(), "expected RSA public key")
+ Expect(rsaKey.N.BitLen()).To(Equal(containerstore.RSAPrivateKeySize))
+
 By("signed by the rep intermediate CA")
 CaCertPool := x509.NewCertPool()
 CaCertPool.AddCert(CaCert)
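Review bot: Asserting `rsaKey.N.BitLen()` against `containerstore.RSAPrivateKeySize` only checks that the certificate agrees with whatever the constant currently says, so changing the constant back to 2048 would still pass; the test is the one place the intended minimum should be pinned, e.g. `Expect(rsaKey.N.BitLen()).To(BeNumerically(">=", 3072))` or `Equal(3072)` with the literal. The diffstat shows no import change, so the `*rsa.PublicKey` assertion relies on crypto/rsa presumably already being imported in the test file — confirm it compiles. The enclosing Describe block starts and ends outside the hunk.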