search

eu-federation-gateway-service / efgs-federation-gateway

The goal of this project is to develop the official European solution for the interoperability between national backend servers of decentralised contact tracing applications to combat COVID-19.
Apache License 2.0
59 stars 25 forks source link

New certificates use 4096bit keys per default and break Database Limit #276

Closed ubamrein closed 3 years ago

ubamrein commented 3 years ago

Describe the bug

Newly created certificates seem to default to 4096 bit RSA keys. This leads to signatures which are longer than the column limit on diagnosiskey.uploader_information_batch_signature. This means that every upload to theEFGS fails, due to constraint violation.

Expected behaviour

The EFGS should handle certificates that use 4096bit keys.

Steps to reproduce the issue

Use a certificate with a key size of 4096 bits, and try to upload to the EFGS.

Technical details

The signature format used in the EFGS is a container format, not only containing the signature but also the certificate corresponding to the private key used to calculate the signature. Hence, the "signature" increases in size if the certificate itself gets longer (e.g. larger key sizes, lots of information in the DN and so on).

Possible Fix

We suggest a change of the said column to varchar(8000).

Additional context

f11h commented 3 years ago

Thanks for the input. The PR is approved and will be merged as soon as the OWASP issue is fixed.