Add support for Edwards Curves

Closes #354 and #350 Merge branch 'siddharths2710-master' Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
2020-03-24 18:04:26 -05:00 · 2020-03-24 18:04:26 -05:00 · 56fada79d0
commit 56fada79d0
parent 8c54f192e0 2bca44ce61
2 changed files with 32 additions and 7 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -409,7 +409,7 @@ EASYRSA_PKI env-var undefined"
 } # => vars_source_check()

 # Verify supplied curve exists and generate curve file if needed
-verify_curve() {
+verify_curve_ec() {
 	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
 		die "\
 Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
@ -432,6 +432,16 @@ $out"
 	return 0
 }

+# Verify if Edward Curve exists
+verify_curve_ed() {
+	if [ "ed25519" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 > /dev/null; then
+		return 0
+	elif [ "ed448" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED448 > /dev/null; then
+		return 0
+	fi
+		die "Curve $EASYRSA_CURVE not found."
+}
+
 verify_ssl_lib () {
 	# Verify EASYRSA_OPENSSL command gives expected output
 	if [ -z "$EASYRSA_SSL_OK" ]; then
@ -578,7 +588,8 @@ build_ca() {
 	done

 	verify_pki_init
-	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
+	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
+	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed

 	# setup for the simpler intermediate CA situation and overwrite with root-CA if needed:
 	out_file="$EASYRSA_PKI/reqs/ca.req"
@ -655,6 +666,14 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
 			die "Failed create CA private key"
+	elif [ "ed" = "$EASYRSA_ALGO" ]; then
+		if [ "ed25519" = "$EASYRSA_CURVE" ]; then
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED25519  -out $out_key_tmp || \
+			die "Failed create CA private key"
+		elif [ "ed448" = "$EASYRSA_CURVE" ]; then
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp || \
+			die "Failed create CA private key"
+		fi
 	fi

 	# create the CA keypair:
@ -723,7 +742,8 @@ Run easyrsa without commands for usage and commands."
 	done

 	verify_pki_init
-	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
+	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
+	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed

 	# don't wipe out an existing private key without confirmation
 	[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\
@ -760,7 +780,11 @@ $EASYRSA_EXTRA_EXTS"
 	# generate request
 	[ $EASYRSA_BATCH ] && opts="$opts -batch"
 	# shellcheck disable=2086,2148
-	easyrsa_openssl req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
+	algo_opts=""
+	if [ "ed" != $EASYRSA_ALGO ];then
+		algo_opts=" -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS "
+	fi
+	easyrsa_openssl req -utf8 -new $algo_opts \
 		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
 		|| die "Failed to generate request"
 	mv "$key_out_tmp" "$key_out"
@ -1670,8 +1694,8 @@ Note: using Easy-RSA configuration from: $vars"
 		EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
 	elif [ "rsa" = "$EASYRSA_ALGO" ]; then
 		EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
-	else
-		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'"
+	elif [ "ed" != "$EASYRSA_ALGO" ]; then
+		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' "
 	fi

 	# Assign value to $EASYRSA_TEMP_DIR_session and work around Windows mktemp bug when parent dir is missing
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@ -112,10 +112,11 @@ fi
 # Choices for crypto alg are: (each in lower-case)
 #  * rsa
 #  * ec
+#  * ed

 #set_var EASYRSA_ALGO		rsa

-# Define the named curve, used in ec mode only:
+# Define the named curve, used in ec & ed modes:

 #set_var EASYRSA_CURVE		secp384r1