Increase envoy key size to 3072 bits

depot/containerstore/credmanager.go

@@ -31,6 +31,7 @@ const (
 	C2CCredCreationSucceededCount    = "C2CCredCreationSucceededCount"
 	C2CCredCreationSucceededDuration = "C2CCredCreationSucceededDuration"
 	C2CCredCreationFailedCount       = "C2CCredCreationFailedCount"
+	RSAPrivateKeySize                = 3072
 )
 
 type Credentials struct {
@@ -351,7 +352,7 @@ func (c *credManager) generateC2cCred(logger lager.Logger, container executor.Co
 
 func (c *credManager) generateCredForSAN(logger lager.Logger, certSAN certificateSAN, certGUID string) (Credential, error) {
 	logger.Debug("generating-private-key")
-	privateKey, err := rsa.GenerateKey(c.entropyReader, 2048)
+	privateKey, err := rsa.GenerateKey(c.entropyReader, RSAPrivateKeySize)
 	if err != nil {
 		return Credential{}, err
 	}

depot/containerstore/credmanager_test.go

@@ -556,6 +556,11 @@ var _ = Describe("CredManager", func() {
 						Expect(cert.ExtKeyUsage).To(ContainElement(x509.ExtKeyUsageServerAuth))
 						Expect(cert.KeyUsage).To(Equal(x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement))
 
+						By("has the expected key length")
+						rsaKey, ok := cert.PublicKey.(*rsa.PublicKey)
+						Expect(ok).To(BeTrue(), "expected RSA public key")
+						Expect(rsaKey.N.BitLen()).To(Equal(containerstore.RSAPrivateKeySize))
+
 						By("signed by the rep intermediate CA")
 						CaCertPool := x509.NewCertPool()
 						CaCertPool.AddCert(CaCert)