authorPhil Davis <phil.davis@inf.org>2016-07-21 10:59:53 +0930
committerPhil Davis <phil.davis@inf.org>2016-07-21 10:59:53 +0930
commitdbcc45d11302971758254bad024792edfd23de71 (patch)
tree1fcad5c2e73610793b55545364279c8ab331c017
parentc9d6b915daced9767ff596ee9485ec2d9a573a41 (diff)
Backport Add missing recommended key lengths/digest to Cert system
Original pull request to master was #2944
-rw-r--r--src/etc/inc/certs.inc2
-rw-r--r--src/usr/local/www/system_camanager.php4
-rw-r--r--src/usr/local/www/system_certmanager.php4
-rw-r--r--src/usr/local/www/system_usermanager.php7
4 files changed, 11 insertions, 6 deletions
diff --git a/src/etc/inc/certs.inc b/src/etc/inc/certs.inc
index a4a91a1..ad64cd6 100644
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -57,7 +57,7 @@ define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");
require_once("functions.inc");
global $openssl_digest_algs;
-$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
+$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512", "whirlpool");
global $openssl_crl_status;
$openssl_crl_status = array(
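Review bot: The digest list edited here is one of three copies, since system_camanager.php and system_certmanager.php each reassign `$openssl_digest_algs` with the same literal, so this commit has to change all three to keep them consistent. If those pages already load certs.inc (not visible in these hunks), they could drop the local assignment and use the global, so that a later edit cannot leave the UI offering a digest the library list lacks. Separately, `"sha1"` stays first in the list; a comment such as `// sha1 kept only for legacy peers; prefer sha256 or stronger for new certificates` would tell maintainers it is not a recommended choice. Whether the clients and peers that consume these certificates accept a Whirlpool-signed certificate should be confirmed before it is offered.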
diff --git a/src/usr/local/www/system_camanager.php b/src/usr/local/www/system_camanager.php
index ed6f6f8..cbfc5c0 100644
--- a/src/usr/local/www/system_camanager.php
+++ b/src/usr/local/www/system_camanager.php
@@ -67,8 +67,8 @@ $ca_methods = array(
"internal" => gettext("Create an internal Certificate Authority"),
"intermediate" => gettext("Create an intermediate Certificate Authority"));
-$ca_keylens = array("512", "1024", "2048", "4096");
-$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
+$ca_keylens = array("512", "1024", "2048", "3072", "4096", "7680", "8192", "15360", "16384");
+$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512", "whirlpool");
if (is_numericint($_GET['id'])) {
$id = $_GET['id'];
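Review bot: `$ca_keylens` still offers "512" and "1024" for a CA key, while the help text this same commit adds in system_usermanager.php states that 2048 bit is the minimum. The same two entries remain in `$cert_keylens` in system_certmanager.php and in the key-length select in system_usermanager.php. Consider dropping them from the selectable values, e.g. `$ca_keylens = array("2048", "3072", "4096", "7680", "8192", "15360", "16384");`, or, if they must stay for compatibility, marking them as weak in the label. Whether the submitted key length is checked against this list on the server side is not visible in the hunk and is worth confirming.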
diff --git a/src/usr/local/www/system_certmanager.php b/src/usr/local/www/system_certmanager.php
index 311bf37..64b1f73 100644
--- a/src/usr/local/www/system_certmanager.php
+++ b/src/usr/local/www/system_certmanager.php
@@ -68,13 +68,13 @@ $cert_methods = array(
"external" => gettext("Create a Certificate Signing Request"),
);
-$cert_keylens = array("512", "1024", "2048", "4096");
+$cert_keylens = array("512", "1024", "2048", "3072", "4096", "7680", "8192", "15360", "16384");
$cert_types = array(
"server" => "Server Certificate",
"user" => "User Certificate");
$altname_types = array("DNS", "IP", "email", "URI");
-$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");
+$openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512", "whirlpool");
if (is_numericint($_GET['userid'])) {
$userid = $_GET['userid'];
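Review bot: The new upper entries in `$cert_keylens` ("15360", "16384") allow a key generation request that can run for a very long time on modest hardware (the sizes suggest RSA), and the generation path is not visible in this hunk. If the key is generated inside the web request, check that the request cannot hit PHP's execution time limit and leave a partly created certificate entry behind. The same sizes are added to `$ca_keylens` in system_camanager.php and to the select in system_usermanager.php. A short comment above the array, e.g. `// sizes above 4096 can take minutes to generate on small appliances`, would record the trade-off for maintainers.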
diff --git a/src/usr/local/www/system_usermanager.php b/src/usr/local/www/system_usermanager.php
index f33a1f9..271aa7f 100644
--- a/src/usr/local/www/system_usermanager.php
+++ b/src/usr/local/www/system_usermanager.php
@@ -921,9 +921,14 @@ if ($act == "new" || $act == "edit" || $input_errors):
512 => '512 bits',
1024 => '1024 bits',
2048 => '2048 bits',
+ 3072 => '3072 bits',
4096 => '4096 bits',
+ 7680 => '7680 bits',
+ 8192 => '8192 bits',
+ 15360 => '15360 bits',
+ 16384 => '16384 bits'
)
- ));
+ ))->setHelp('The larger the key, the more security it offers, but larger keys take considerably more time to generate, and take slightly longer to validate leading to a slight slowdown in setting up new sessions (not always noticeable). As of 2016, 2048 bit is the minimum and most common selection and 4096 is the maximum in common use. For more information see &lt;a href="https://keylength.com"&gt;keylength.com&lt;/a&gt;.');
$section->addInput(new Form_Input(
'lifetime',
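Review bot: The help string passed to `setHelp()` is a bare literal, whereas other user-facing strings touched by this commit (for example the `$ca_methods` labels in system_camanager.php) are wrapped in `gettext()`; wrapping it as `))->setHelp(gettext('…'));` would keep the page translatable. The text also hard-codes "As of 2016" guidance and an external link, both of which will age; a comment noting that the recommendation needs periodic review would help. The enclosing `if ($act == "new" || ...)` block starts and ends outside the hunk.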