Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython3 / e3228a3f44e382b6cdd2b5e001b651347013a7d3^! / .
commite3228a3f44e382b6cdd2b5e001b651347013a7d3[log] [tgz]
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>Tue Aug 14 10:52:27 2018 -0400
committerChristian Heimes <christian@python.org>Tue Aug 14 16:52:27 2018 +0200
treefb55d7ff5a4d550a4a2993e57af9e32f96141853
parent6c140609770ba161a5bb8aa36ecef0d38e6642df [diff]
bpo-34399: 2048 bits RSA keys and DH params (GH-8762) (GH-8763)

Downstream vendors have started to deprecate weak keys. Update all RSA keys
and DH params to use at least 2048 bits.

Finite field DH param file use RFC 7919 values, generated with

    certtool --get-dh-params --sec-param=high

Signed-off-by: Christian Heimes <christian@python.org>
(cherry picked from commit 88bfd0bce05043f658e50addd21366f317995e35)

Co-authored-by: Christian Heimes <christian@python.org>
diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
deleted file mode 100644
index a391176..0000000
--- a/Lib/test/dh1024.pem
+++ /dev/null

@@ -1,7 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
-rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
-RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
------END DH PARAMETERS-----
-
-Generated with: openssl dhparam -out dh1024.pem  1024

diff --git a/Lib/test/ffdh3072.pem b/Lib/test/ffdh3072.pem
new file mode 100644
index 0000000..ad69bac
--- /dev/null
+++ b/Lib/test/ffdh3072.pem

@@ -0,0 +1,41 @@
+    DH Parameters: (3072 bit)
+        prime:
+            00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
+            4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
+            2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
+            24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
+            02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
+            f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
+            57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
+            e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
+            35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
+            fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
+            d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
+            63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
+            e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
+            fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
+            fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
+            c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
+            fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
+            03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
+            e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
+            c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
+            93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
+            e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
+            6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
+            1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
+            ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
+            2e:37:ff:ff:ff:ff:ff:ff:ff:ff
+        generator: 2 (0x2)
+        recommended-private-length: 276 bits
+-----BEGIN DH PARAMETERS-----
+MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
+N///////////AgECAgIBFA==
+-----END DH PARAMETERS-----

diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index d80e8d3..5c22630 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py

@@ -55,7 +55,6 @@
 BYTES_CAPATH = os.fsencode(CAPATH)
 CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
 CAFILE_CACERT = data_file("capath", "5ed36f99.0")
-WRONG_CERT = data_file("wrongcert.pem")
 
 CERTFILE_INFO = {
     'issuer': ((('countryName', 'XY'),),
@@ -118,7 +117,7 @@
 NOKIACERT = data_file("nokia.pem")
 NULLBYTECERT = data_file("nullbytecert.pem")
 
-DHFILE = data_file("dh1024.pem")
+DHFILE = data_file("ffdh3072.pem")
 BYTES_DHFILE = os.fsencode(DHFILE)
 
 # Not defined in all versions of OpenSSL
@@ -2846,8 +2845,8 @@
         connect to it with a wrong client certificate fails.
         """
         client_context, server_context, hostname = testing_context()
-        # load client cert
-        client_context.load_cert_chain(WRONG_CERT)
+        # load client cert that is not signed by trusted CA
+        client_context.load_cert_chain(CERTFILE)
         # require TLS client authentication
         server_context.verify_mode = ssl.CERT_REQUIRED
         # TLS 1.3 has different handshake
@@ -2879,7 +2878,8 @@
     @unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
     def test_wrong_cert_tls13(self):
         client_context, server_context, hostname = testing_context()
-        client_context.load_cert_chain(WRONG_CERT)
+        # load client cert that is not signed by trusted CA
+        client_context.load_cert_chain(CERTFILE)
         server_context.verify_mode = ssl.CERT_REQUIRED
         server_context.minimum_version = ssl.TLSVersion.TLSv1_3
         client_context.minimum_version = ssl.TLSVersion.TLSv1_3

diff --git a/Lib/test/wrongcert.pem b/Lib/test/wrongcert.pem
deleted file mode 100644
index 5f92f9b..0000000
--- a/Lib/test/wrongcert.pem
+++ /dev/null

@@ -1,32 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnH
-FlbsVUg2Xtk6+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6T
-f9lnNTwpSoeK24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQAB
-AoGAQFko4uyCgzfxr4Ezb4Mp5pN3Npqny5+Jey3r8EjSAX9Ogn+CNYgoBcdtFgbq
-1yif/0sK7ohGBJU9FUCAwrqNBI9ZHB6rcy7dx+gULOmRBGckln1o5S1+smVdmOsW
-7zUVLBVByKuNWqTYFlzfVd6s4iiXtAE2iHn3GCyYdlICwrECQQDhMQVxHd3EFbzg
-SFmJBTARlZ2GKA3c1g/h9/XbkEPQ9/RwI3vnjJ2RaSnjlfoLl8TOcf0uOGbOEyFe
-19RvCLXjAkEA1s+UE5ziF+YVkW3WolDCQ2kQ5WG9+ccfNebfh6b67B7Ln5iG0Sbg
-ky9cjsO3jbMJQtlzAQnH1850oRD5Gi51dQJAIbHCDLDZU9Ok1TI+I2BhVuA6F666
-lEZ7TeZaJSYq34OaUYUdrwG9OdqwZ9sy9LUav4ESzu2lhEQchCJrKMn23QJAReqs
-ZLHUeTjfXkVk7dHhWPWSlUZ6AhmIlA/AQ7Payg2/8wM/JkZEJEPvGVykms9iPUrv
-frADRr+hAGe43IewnQJBAJWKZllPgKuEBPwoEldHNS8nRu61D7HzxEzQ2xnfj+Nk
-2fgf1MAzzTRsikfGENhVsVWeqOcijWb6g5gsyCmlRpc=
------END RSA PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIICsDCCAhmgAwIBAgIJAOqYOYFJfEEoMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMDgwNjI2MTgxNTUyWhcNMDkwNjI2MTgxNTUyWjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
-gQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnHFlbsVUg2Xtk6
-+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6Tf9lnNTwpSoeK
-24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQABo4GnMIGkMB0G
-A1UdDgQWBBTctMtI3EO9OjLI0x9Zo2ifkwIiNjB1BgNVHSMEbjBsgBTctMtI3EO9
-OjLI0x9Zo2ifkwIiNqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
-U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOqYOYFJ
-fEEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQwa7jya/DfhaDn7E
-usPkpgIX8WCL2B1SqnRTXEZfBPPVq/cUmFGyEVRVATySRuMwi8PXbVcOhXXuocA+
-43W+iIsD9pXapCZhhOerCq18TC1dWK98vLUsoK8PMjB6e5H/O8bqojv0EeC+fyCw
-eSHj5jpC8iZKjCHBn+mAi4cQ514=
------END CERTIFICATE-----

diff --git a/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst b/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst
new file mode 100644
index 0000000..8c5458f
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2018-08-14-10-47-44.bpo-34399.D_jd1G.rst

@@ -0,0 +1 @@
+Update all RSA keys and DH params to use at least 2048 bits.