diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b607a8c..3dc0ead 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -409,7 +409,7 @@ EASYRSA_PKI env-var undefined" } # => vars_source_check() # Verify supplied curve exists and generate curve file if needed -verify_curve() { +verify_curve_ec() { if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then die "\ Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a @@ -432,6 +432,16 @@ $out" return 0 } +# Verify if Edward Curve exists +verify_curve_ed() { + if [ "ed25519" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 > /dev/null; then + return 0 + elif [ "ed448" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED448 > /dev/null; then + return 0 + fi + die "Curve $EASYRSA_CURVE not found." +} + verify_ssl_lib () { # Verify EASYRSA_OPENSSL command gives expected output if [ -z "$EASYRSA_SSL_OK" ]; then @@ -578,7 +588,8 @@ build_ca() { done verify_pki_init - [ "$EASYRSA_ALGO" = "ec" ] && verify_curve + [ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec + [ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed # setup for the simpler intermediate CA situation and overwrite with root-CA if needed: out_file="$EASYRSA_PKI/reqs/ca.req" @@ -655,6 +666,14 @@ current CA keypair. If you intended to start a new CA, run init-pki first." "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \ "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \ die "Failed create CA private key" + elif [ "ed" = "$EASYRSA_ALGO" ]; then + if [ "ed25519" = "$EASYRSA_CURVE" ]; then + "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp || \ + die "Failed create CA private key" + elif [ "ed448" = "$EASYRSA_CURVE" ]; then + "$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp || \ + die "Failed create CA private key" + fi fi # create the CA keypair: @@ -723,7 +742,8 @@ Run easyrsa without commands for usage and commands." done verify_pki_init - [ "$EASYRSA_ALGO" = "ec" ] && verify_curve + [ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec + [ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed # don't wipe out an existing private key without confirmation [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\ @@ -760,7 +780,11 @@ $EASYRSA_EXTRA_EXTS" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" # shellcheck disable=2086,2148 - easyrsa_openssl req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ + algo_opts="" + if [ "ed" != $EASYRSA_ALGO ];then + algo_opts=" -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS " + fi + easyrsa_openssl req -utf8 -new $algo_opts \ -keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \ || die "Failed to generate request" mv "$key_out_tmp" "$key_out" @@ -1670,8 +1694,8 @@ Note: using Easy-RSA configuration from: $vars" EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" elif [ "rsa" = "$EASYRSA_ALGO" ]; then EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}" - else - die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'" + elif [ "ed" != "$EASYRSA_ALGO" ]; then + die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' " fi # Assign value to $EASYRSA_TEMP_DIR_session and work around Windows mktemp bug when parent dir is missing diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example index c324897..8ebbc1e 100644 --- a/easyrsa3/vars.example +++ b/easyrsa3/vars.example @@ -112,10 +112,11 @@ fi # Choices for crypto alg are: (each in lower-case) # * rsa # * ec +# * ed #set_var EASYRSA_ALGO rsa -# Define the named curve, used in ec mode only: +# Define the named curve, used in ec & ed modes: #set_var EASYRSA_CURVE secp384r1