Enforce 2048-bit RSA key minimum on UKf-registered entities.

InCommon · Dec 12, 2013 · cb9cf09 · cb9cf09
1 parent a348ec9
commit cb9cf09
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 13 deletions.
diff --git a/mdx/uk/beans.xml b/mdx/uk/beans.xml
@@ -424,17 +424,26 @@
                     p:id="checkCertificates">
                     <property name="validators">
                         <list>
-                            <!-- Error on RSA key length less than 1024 bits. -->
+                            <!-- Error on RSA key length less than 2048 bits. -->
                             <bean parent="X509CertificateRSAKeyLengthValidator"
-                                p:warningBoundary="0" p:errorBoundary="1024"/>
+                                p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on small RSA public exponents. -->
                             <bean parent="X509CertificateRSAExponentValidator"/>
-                            <!-- Debian weak key blacklists. -->
-                            <ref bean="debian.1024"/>
+
+                            <!--
+                                Debian weak key blacklists.
+                                
+                                Don't need to check for keys below our minimum key size.
+                            -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            <!-- Compromised key blacklists. -->
-                            <ref bean="compromised.1024"/>
+
+                            <!--
+                                Compromised key blacklists.
+                                
+                                Again, don't need to check for keys below our minimum key size.
+                                This currently means there are no compromised keys to check for.
+                            -->
                         </list>
                     </property>
                 </bean>

diff --git a/mdx/uk/verbs.xml b/mdx/uk/verbs.xml
@@ -179,9 +179,6 @@
                     p:id="checkCertificates">
                     <property name="validators">
                         <list>
-                            <!-- Error on RSA key length less than 2048 bits. -->
-                            <bean parent="X509CertificateRSAKeyLengthValidator"
-                                p:warningBoundary="0" p:errorBoundary="2048"/>
                             <!-- Error on inconsistent subjectAltNames. -->
                             <bean parent="X509CertificateConsistentNameValidator"/>
                         </list>
@@ -312,12 +309,21 @@
                             <bean parent="X509CertificateRSAExponentValidator"/>
                             <!-- Error on inconsistent subjectAltNames. -->
                             <bean parent="X509CertificateConsistentNameValidator"/>
-                            <!-- Debian weak key blacklists. -->
-                            <ref bean="debian.1024"/>
+
+                            <!--
+                                Debian weak key blacklists.
+                                
+                                Don't need to check for keys below our minimum key size.
+                            -->
                             <ref bean="debian.2048"/>
                             <ref bean="debian.4096"/>
-                            <!-- Compromised key blacklists. -->
-                            <ref bean="compromised.1024"/>
+
+                            <!--
+                                Compromised key blacklists.
+                                
+                                Again, don't need to check for keys below our minimum key size.
+                                This currently means there are no compromised keys to check for.
+                            -->
                         </list>
                     </property>
                 </bean>