From 7f54fad9c80e865a92a4496a85812946fc039255 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 18:14:43 +0200
Subject: Setting default RSA key length to 4096 in gpgsm.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../0001-gpgsm-default-to-4096-bit-keys.patch      | 97 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 2 files changed, 98 insertions(+)
 create mode 100644 debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch

diff --git a/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
new file mode 100644
index 0000000..4187e6e
--- /dev/null
+++ b/debian/patches/progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
@@ -0,0 +1,97 @@
+Author: Daniel Baumann <daniel.baumann@progress-linux.org>
+Subject: gpgsm: default to 4096-bit keys.
+
+diff -Naurp gnupg2.orig/doc/gpgsm.texi gnupg2/doc/gpgsm.texi
+--- gnupg2.orig/doc/gpgsm.texi
++++ gnupg2/doc/gpgsm.texi
+@@ -1124,7 +1124,7 @@ key. The algorithm must be capable of si
+ parameter.  The only supported value for @var{algo} is @samp{rsa}.
+ 
+ @item Key-Length: @var{nbits}
+-The requested length of a generated key in bits.  Defaults to 3072.
++The requested length of a generated key in bits.  Defaults to 4096.
+ 
+ @item Key-Grip: @var{hexstring}
+ This is optional and used to generate a CSR or certificate for an
+diff -Naurp gnupg2.orig/doc/howto-create-a-server-cert.texi gnupg2/doc/howto-create-a-server-cert.texi
+--- gnupg2.orig/doc/howto-create-a-server-cert.texi
++++ gnupg2/doc/howto-create-a-server-cert.texi
+@@ -31,12 +31,12 @@ Let's continue:
+ 
+ @cartouche
+ @example
+-  What keysize do you want? (3072)
+-  Requested keysize is 3072 bits
++  What keysize do you want? (4096)
++  Requested keysize is 4096 bits
+ @end example
+ @end cartouche
+ 
+-Hitting enter chooses the default RSA key size of 3072 bits.  Keys
++Hitting enter chooses the default RSA key size of 4096 bits.  Keys
+ smaller than 2048 bits are too weak on the modern Internet.  If you
+ choose a larger (stronger) key, your server will need to do more work.
+ 
+@@ -124,7 +124,7 @@ request:
+ @example
+   These parameters are used:
+       Key-Type: RSA
+-      Key-Length: 3072
++      Key-Length: 4096
+       Key-Usage: sign, encrypt
+       Name-DN: CN=example.com
+       Name-DNS: example.com
+@@ -224,7 +224,7 @@ To see the content of your certificate,
+             aka: (dns-name example.com)
+             aka: (dns-name www.example.com)
+        validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+-       key type: 3072 bit RSA
++       key type: 4096 bit RSA
+       key usage: digitalSignature keyEncipherment
+   ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+     fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+diff -Naurp gnupg2.orig/sm/certreqgen.c gnupg2/sm/certreqgen.c
+--- gnupg2.orig/sm/certreqgen.c
++++ gnupg2/sm/certreqgen.c
+@@ -26,7 +26,7 @@
+      $ cat >foo <<EOF
+      %echo Generating a standard key
+      Key-Type: RSA
+-     Key-Length: 3072
++     Key-Length: 4096
+      Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
+      Name-Email: joe@foo.bar
+      # Do a commit here, so that we can later print a "done"
+@@ -471,7 +471,7 @@ proc_parameters (ctrl_t ctrl, struct par
+   /* Check the keylength.  NOTE: If you change this make sure that it
+      macthes the gpgconflist item in gpgsm.c  */
+   if (!get_parameter (para, pKEYLENGTH, 0))
+-    nbits = 3072;
++    nbits = 4096;
+   else
+     nbits = get_parameter_uint (para, pKEYLENGTH);
+   if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
+diff -Naurp gnupg2.orig/sm/certreqgen-ui.c gnupg2/sm/certreqgen-ui.c
+--- gnupg2.orig/sm/certreqgen-ui.c
++++ gnupg2/sm/certreqgen-ui.c
+@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estre
+   unsigned int nbits;
+   int minbits = 1024;
+   int maxbits = 4096;
+-  int defbits = 3072;
++  int defbits = 4096;
+   const char *keyusage;
+   char *subject_name;
+   membuf_t mb_email, mb_dns, mb_uri, mb_result;
+diff -Naurp gnupg2.orig/sm/gpgsm.c gnupg2/sm/gpgsm.c
+--- gnupg2.orig/sm/gpgsm.c
++++ gnupg2/sm/gpgsm.c
+@@ -1737,7 +1737,7 @@ main ( int argc, char **argv)
+         /* The next one is an info only item and should match what
+            proc_parameters actually implements.  */
+         es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
+-                   "RSA-3072");
++                   "RSA-4096");
+       }
+       break;
+     case aGPGConfTest:
diff --git a/debian/patches/series b/debian/patches/series
index edeee22..5b3442b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ from-upstream/gpg-Report-an-error-for-receiving-key-from-agent.patch
 from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS.patch
 from-upstream/dirmngr-Fix-build-with-no-LDAP-support.patch
 from-upstream/gpg-Move-NETLIBS-after-GPG_ERROR_LIBS-another.patch
+progress-linux/0001-gpgsm-default-to-4096-bit-keys.patch
-- 
cgit v1.2.3