New certificates use 4096bit keys per default and break Database Limit
Closed this issue · 1 comments
Describe the bug
Newly created certificates seem to default to 4096 bit RSA keys. This leads to signatures which are longer than the column limit on diagnosiskey.uploader_information_batch_signature. This means that every upload to theEFGS fails, due to constraint violation.
Expected behaviour
The EFGS should handle certificates that use 4096bit keys.
Steps to reproduce the issue
Use a certificate with a key size of 4096 bits, and try to upload to the EFGS.
Technical details
The signature format used in the EFGS is a container format, not only containing the signature but also the certificate corresponding to the private key used to calculate the signature. Hence, the "signature" increases in size if the certificate itself gets longer (e.g. larger key sizes, lots of information in the DN and so on).
Possible Fix
We suggest a change of the said column to varchar(8000).
Additional context
Thanks for the input. The PR is approved and will be merged as soon as the OWASP issue is fixed.