pve5to6: cert: check certificates key size

Debian Buster raised the default security level (1 -> 2) for TLS
connections.

This moves from the 80 bit security level to the 112 bit security level
and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger
ECC keys, and SHA-2.

Signed-off-by: Alwin Antreich <a.antreich@proxmox.com>

diff --git a/PVE/CLI/pve5to6.pm b/PVE/CLI/pve5to6.pm
index d3c8e2db910773fe9679f204786d0da12dd0f31c..faa30673e824dfd354dfdd25c8dde334f1c408db 100644 (file)
--- a/PVE/CLI/pve5to6.pm
+++ b/PVE/CLI/pve5to6.pm
@@ -7,6 +7,7 @@ use PVE::API2::APT;
 use PVE::API2::Ceph;
 use PVE::API2::LXC;
 use PVE::API2::Qemu;
+use PVE::API2::Certificates;
 
 use PVE::Ceph::Tools;
 use PVE::Cluster;
@@ -627,6 +628,23 @@ sub check_misc {
        }
     }
 
+    log_info("Check certifiacte's RSA key size");
+    my $certs = PVE::API2::Certificates->info({ node => $nodename });
+    my $cert_nok;
+    foreach my $c (@$certs) {
+       if (($c->{'public-key-type'} eq 'rsaEncryption') && ($c->{'public-key-bits'} < 2048)) {
+           log_fail("$c->{filename}, certificate's RSA public key size is less than 2048 bit");
+           $cert_nok = 1;
+       } elsif (($c->{'public-key-type'} eq 'id-ecPublicKey') && ($c->{'public-key-bits'} < 224)) {
+           log_fail("$c->{filename}, certificate's ECC public key size is less than 224 bit");
+           $cert_nok = 1;
+       } elsif (($c->{'public-key-type'} ne 'rsaEncryption') && ($c->{'public-key-type'} ne 'id-ecPublicKey')) {
+           log_warn("$c->{filename}, certificate's public key type unkown, check Debian Busters release notes");
+           $cert_nok = 1;
+       }
+    }
+    log_pass("Certificates pass Debian Busters security level for TLS connections") if !defined($cert_nok);
+
     check_kvm_nested();
 }