summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVernon Mauery <vernon.mauery@linux.intel.com>2020-03-09 20:41:31 +0300
committerVernon Mauery <vernon.mauery@linux.intel.com>2020-03-09 20:41:31 +0300
commitaaf3206f0ef74a02b22c3e563a0babc3af4b2e3a (patch)
treebe91ab36fcc05ce32be880ea2d322515889aac8d
parent397fd61f34fab6922cdf84c4f411a2b1bd174a1f (diff)
downloadbmcweb-aaf3206f0ef74a02b22c3e563a0babc3af4b2e3a.tar.xz
Change the default EC key to secp384r1
prime256v1 is okay for now, but secp384r1 is more future-proof (gives us a couple more years) and in this case does not really have any drawbacks. Tested: Checked to see that a new secp384r1 key is generated on first boot and the generate CSR redfish option works. Change-Id: I334fc56db3dd55058a4c6780f8966bcc48d8f816 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
-rw-r--r--README.md2
-rw-r--r--include/ssl_key_handler.hpp2
-rw-r--r--redfish-core/lib/certificate_service.hpp2
3 files changed, 3 insertions, 3 deletions
diff --git a/README.md b/README.md
index 93660ed655..301fd29b3d 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ usable, it generates a new configuration.
When BMCWeb SSL support is enabled and a usable certificate is not
found, it will generate a self-sign a certificate before launching the
-server. The keys are generated by the `prime256v1` algorithm. The
+server. The keys are generated by the `secp384r1` algorithm. The
certificate
- is issued by `C=US, O=OpenBMC, CN=testhost`,
- is valid for 10 years,
diff --git a/include/ssl_key_handler.hpp b/include/ssl_key_handler.hpp
index fab31eae0a..0240712735 100644
--- a/include/ssl_key_handler.hpp
+++ b/include/ssl_key_handler.hpp
@@ -255,7 +255,7 @@ EVP_PKEY *createEcKey()
{
EVP_PKEY *pKey = nullptr;
int eccgrp = 0;
- eccgrp = OBJ_txt2nid("prime256v1");
+ eccgrp = OBJ_txt2nid("secp384r1");
EC_KEY *myecc = EC_KEY_new_by_curve_name(eccgrp);
if (myecc != nullptr)
diff --git a/redfish-core/lib/certificate_service.hpp b/redfish-core/lib/certificate_service.hpp
index 6cb5b868ff..66ddab8a68 100644
--- a/redfish-core/lib/certificate_service.hpp
+++ b/redfish-core/lib/certificate_service.hpp
@@ -285,7 +285,7 @@ class CertificateActionGenerateCSR : public Node
std::optional<std::string> optGivenName = "";
std::optional<std::string> optInitials = "";
std::optional<int64_t> optKeyBitLength = RSA_KEY_BIT_LENGTH;
- std::optional<std::string> optKeyCurveId = "prime256v1";
+ std::optional<std::string> optKeyCurveId = "secp384r1";
std::optional<std::string> optKeyPairAlgorithm = "EC";
std::optional<std::vector<std::string>> optKeyUsage =
std::vector<std::string>();