pve5to6: cert: check certificates key size

[pve-manager.git] / PVE / CLI / pve5to6.pm

diff --git a/PVE/CLI/pve5to6.pm b/PVE/CLI/pve5to6.pm
index 618f20aaecd584cf380ed98210839ec7b77dfaf8..57198a3d749edc3e42000ec8e2337c9dc7b70c9f 100644 (file)
--- a/PVE/CLI/pve5to6.pm
+++ b/PVE/CLI/pve5to6.pm
@@ -7,6 +7,7 @@ use PVE::API2::APT;
 use PVE::API2::Ceph;
 use PVE::API2::LXC;
 use PVE::API2::Qemu;
+use PVE::API2::Certificates;
 
 use PVE::Ceph::Tools;
 use PVE::Cluster;
@@ -690,6 +691,23 @@ sub check_misc {
        }
     }
 
+    log_info("Check certifiacte's RSA key size");
+    my $certs = PVE::API2::Certificates->info({ node => $nodename });
+    my $cert_nok;
+    foreach my $c (@$certs) {
+       if (($c->{'public-key-type'} eq 'rsaEncryption') && ($c->{'public-key-bits'} < 2048)) {
+           log_fail("$c->{filename}, certificate's RSA public key size is less than 2048 bit");
+           $cert_nok = 1;
+       } elsif (($c->{'public-key-type'} eq 'id-ecPublicKey') && ($c->{'public-key-bits'} < 224)) {
+           log_fail("$c->{filename}, certificate's ECC public key size is less than 224 bit");
+           $cert_nok = 1;
+       } elsif (($c->{'public-key-type'} ne 'rsaEncryption') && ($c->{'public-key-type'} ne 'id-ecPublicKey')) {
+           log_warn("$c->{filename}, certificate's public key type unkown, check Debian Busters release notes");
+           $cert_nok = 1;
+       }
+    }
+    log_pass("Certificates pass Debian Busters security level for TLS connections") if !defined($cert_nok);
+
     check_kvm_nested();
 }