Changeset df7c1c6 for core/java


Timestamp:
May 6, 2018 1:21:22 PM (2 years ago)
Author:
zzz <zzz@…>
Branches:
master
Children:
288a6b0
Parents:
598a177
Message:

Certs: Change default from RSA to EC for CA certs

File:
1 edited

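--- a/core/java/src/net/i2p/crypto/KeyStoreUtil.java
+++ b/core/java/src/net/i2p/crypto/KeyStoreUtil.java
@@ -50,4 +50,6 @@
     private static final String DEFAULT_KEY_ALGORITHM = "RSA";
     private static final int DEFAULT_KEY_SIZE = 2048;
+    private static final String DEFAULT_CA_KEY_ALGORITHM = "EC";
+    private static final int DEFAULT_CA_KEY_SIZE = 256;
     private static final int DEFAULT_KEY_VALID_DAYS = 3652;  // 10 years
 
@@ -571,4 +573,7 @@
      *  Use default keystore password, valid days, algorithm, and key size.
      *
+     *  As of 0.9.35, default algorithm and size depends on cname. If it appears to be
+     *  a CA, it will use EC/256. Otherwise, it will use RSA/2048.
+     *
      *  Warning, may take a long time.
      *
@@ -584,6 +589,10 @@
     public static boolean createKeys(File ks, String alias, String cname, String ou,
                                      String keyPW) {
+        final boolean isCA = !cname.contains("@") && !cname.endsWith(".family.i2p.net") &&
+                             SigType.ECDSA_SHA256_P256.isAvailable();
+        final String alg = isCA ? DEFAULT_CA_KEY_ALGORITHM : DEFAULT_KEY_ALGORITHM;
+        final int sz = isCA ? DEFAULT_CA_KEY_SIZE : DEFAULT_KEY_SIZE;
         return createKeys(ks, DEFAULT_KEYSTORE_PASSWORD, alias, cname, null, ou,
-                          DEFAULT_KEY_VALID_DAYS, DEFAULT_KEY_ALGORITHM, DEFAULT_KEY_SIZE, keyPW);
+                          DEFAULT_KEY_VALID_DAYS, alg, sz, keyPW);
     }
 
@@ -591,4 +600,7 @@
      *  Create a keypair and store it in the keystore at ks, creating it if necessary.
      *  Use default keystore password, valid days, algorithm, and key size.
+     *
+     *  As of 0.9.35, default algorithm and size depends on cname. If it appears to be
+     *  a CA, it will use EC/256. Otherwise, it will use RSA/2048.
      *
      *  Warning, may take a long time.
@@ -607,6 +619,10 @@
     public static boolean createKeys(File ks, String alias, String cname, Set<String> altNames, String ou,
                                      String keyPW) {
+        final boolean isCA = !cname.contains("@") && !cname.endsWith(".family.i2p.net") &&
+                             SigType.ECDSA_SHA256_P256.isAvailable();
+        final String alg = isCA ? DEFAULT_CA_KEY_ALGORITHM : DEFAULT_KEY_ALGORITHM;
+        final int sz = isCA ? DEFAULT_CA_KEY_SIZE : DEFAULT_KEY_SIZE;
         return createKeys(ks, DEFAULT_KEYSTORE_PASSWORD, alias, cname, altNames, ou,
-                          DEFAULT_KEY_VALID_DAYS, DEFAULT_KEY_ALGORITHM, DEFAULT_KEY_SIZE, keyPW);
+                          DEFAULT_KEY_VALID_DAYS, alg, sz, keyPW);
     }
 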
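Review bot: The CA heuristic at new lines 591–592 and 621–622 is duplicated verbatim in both createKeys overloads, and it is a denylist — any cname without an `@` that does not end in `.family.i2p.net` is classified as a CA and gets an EC key — so every future exclusion has to be edited in two places or the overloads drift apart. A single private helper keeps them in step; the excerpt below shows the shape. The Javadoc added at 575–576 and 603–604 should also state the rule that is actually applied, including the silent RSA/2048 fallback when `SigType.ECDSA_SHA256_P256.isAvailable()` is false, e.g. `*  EC/256 is used only when ECDSA P-256 is available; otherwise RSA/2048.`. The Javadoc blocks of both methods begin outside these hunks.
```java
    /** Name-based CA heuristic shared by the createKeys() overloads: an '@' or a
     *  .family.i2p.net suffix marks an end-entity name; EC also needs P-256 support. */
    private static boolean isCAName(String cname) {
        return !cname.contains("@") && !cname.endsWith(".family.i2p.net") &&
               SigType.ECDSA_SHA256_P256.isAvailable();
    }

    public static boolean createKeys(File ks, String alias, String cname, String ou,
                                     String keyPW) {
        final boolean isCA = isCAName(cname);
        // … unchanged: alg/sz selection and the delegating createKeys() call …
    }
```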