From ce858f56c521a42e81c5b8a5129e815917ebc0d9 Mon Sep 17 00:00:00 2001
From: root <13200018+siddharths2710@users.noreply.github.com>
Date: Sun, 19 Jan 2020 07:54:24 +0100
Subject: [PATCH 1/6] Added ED curve support

---
 easyrsa3/easyrsa      | 32 ++++++++++++++++++++++++++------
 easyrsa3/vars.example |  3 ++-
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b607a8c..06c560c 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -393,6 +393,7 @@ easyrsa_openssl() {
 		cp "$easyrsa_openssl_conf" "$EASYRSA_SAFE_CONF"
 		err=$?
 	else
+		echo "$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
 		"$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
 		err=$?
 	fi
@@ -409,7 +410,8 @@ EASYRSA_PKI env-var undefined"
 } # => vars_source_check()
 
 # Verify supplied curve exists and generate curve file if needed
-verify_curve() {
+verify_curve_ec() {
+
 	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
 		die "\
 Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
@@ -432,6 +434,13 @@ $out"
 	return 0
 }
 
+verify_curve_ed() {
+	if [ "ed25519" = "$EASYRSA_CURVE" ] || [ "ed448" = "$EASYRSA_CURVE" ] ; then
+		return 0
+	fi
+	return 1
+}
+
 verify_ssl_lib () {
 	# Verify EASYRSA_OPENSSL command gives expected output
 	if [ -z "$EASYRSA_SSL_OK" ]; then
@@ -578,7 +587,8 @@ build_ca() {
 	done
 
 	verify_pki_init
-	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
+	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
+	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed
 
 	# setup for the simpler intermediate CA situation and overwrite with root-CA if needed:
 	out_file="$EASYRSA_PKI/reqs/ca.req"
@@ -655,6 +665,11 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
 			die "Failed create CA private key"
+	elif [ "ed" = "$EASYRSA_ALGO" ]; then
+		CURVE_CAPS=$(echo $EASYRSA_CURVE | tr '[a-z]' '[A-Z]')
+		echo "$EASYRSA_OPENSSL genpkey -algorithm $CURVE_CAPS -out $out_key_tmp"
+		"$EASYRSA_OPENSSL" genpkey -algorithm $CURVE_CAPS -out $out_key_tmp || \
+			die "Failed create CA private key"
 	fi
 
 	# create the CA keypair:
@@ -723,7 +738,8 @@ Run easyrsa without commands for usage and commands."
 	done
 
 	verify_pki_init
-	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve
+	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
+	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed
 
 	# don't wipe out an existing private key without confirmation
 	[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\
@@ -760,7 +776,11 @@ $EASYRSA_EXTRA_EXTS"
 	# generate request
 	[ $EASYRSA_BATCH ] && opts="$opts -batch"
 	# shellcheck disable=2086,2148
-	easyrsa_openssl req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
+	algo_opts=""
+	if [ "ed" != $EASYRSA_ALGO ];then
+		algo_opts=' -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" '
+	fi
+	easyrsa_openssl req -utf8 -new $algo_opts \
 		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
 		|| die "Failed to generate request"
 	mv "$key_out_tmp" "$key_out"
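Review bot: The new `ed` branch writes the CA private key unencrypted: the ec lines directly above pass `$crypto_opts` and `${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"}` to the key writer, and the added `genpkey` call drops both, so a CA built with `EASYRSA_ALGO=ed` ends up with a plaintext CA key no matter what the user asked for. genpkey accepts the same bare cipher flag but spells the passphrase source `-pass`, so the call should read `"$EASYRSA_OPENSSL" genpkey -algorithm "$CURVE_CAPS" -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \` — assuming `crypto_opts`, which is set outside this hunk, holds a cipher option like the one the ec branch gets. `$out_key_tmp` is also left unquoted on `-out`, unlike every other key path in this function. build_ca begins and ends outside the hunk.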
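Review bot: For `ed` the request is generated with no `-newkey` at all, because `algo_opts` is only populated in the `!= ed` branch; per req(1), `openssl req -new` without `-key` or `-newkey` generates a fresh RSA key from the config's `default_bits`, so `gen-req` under `EASYRSA_ALGO=ed` silently produces an RSA key instead of the Edwards-curve key the user configured. An `else` arm fixes it: `else` / `algo_opts=" -newkey $EASYRSA_CURVE "` — on OpenSSL 1.1.1 `-newkey` resolves a bare algorithm name such as ed25519 the same way `genpkey -algorithm` does (confirm on your minimum supported version). The added test `[ "ed" != $EASYRSA_ALGO ]` should also quote `"$EASYRSA_ALGO"` as the rest of the file does, otherwise an empty value makes `[` fail with a syntax error rather than a clean comparison. gen_req starts and ends outside the hunk.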
@@ -1670,8 +1690,8 @@ Note: using Easy-RSA configuration from: $vars"
 		EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
 	elif [ "rsa" = "$EASYRSA_ALGO" ]; then
 		EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
-	else
-		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'"
+	elif [ "ed" != "$EASYRSA_ALGO" ]; then
+		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' "
 	fi
 
 	# Assign value to $EASYRSA_TEMP_DIR_session and work around Windows mktemp bug when parent dir is missing
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index c324897..8ebbc1e 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -112,10 +112,11 @@ fi
 # Choices for crypto alg are: (each in lower-case)
 # * rsa
 # * ec
+# * ed
 
 #set_var EASYRSA_ALGO rsa
 
-# Define the named curve, used in ec mode only:
+# Define the named curve, used in ec & ed modes:
 
 #set_var EASYRSA_CURVE secp384r1
 

From da6f65877028379ef26592600fe47d7a086e6a19 Mon Sep 17 00:00:00 2001
From: root <13200018+siddharths2710@users.noreply.github.com>
Date: Sun, 19 Jan 2020 08:08:09 +0100
Subject: [PATCH 2/6] Removed stray ED echo

---
 easyrsa3/easyrsa | 1 -
 1 file changed, 1 deletion(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 06c560c..f744a9f 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -393,7 +393,6 @@ easyrsa_openssl() {
 		cp "$easyrsa_openssl_conf" "$EASYRSA_SAFE_CONF"
 		err=$?
 	else
-		echo "$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
 		"$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
 		err=$?
 	fi

From 48da132a892053da6465d54defbbda951709f703 Mon Sep 17 00:00:00 2001
From: root <13200018+siddharths2710@users.noreply.github.com>
Date: Sun, 19 Jan 2020 08:16:26 +0100
Subject: [PATCH 3/6] Removed stray quotes

---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index f744a9f..d604387 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
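Review bot: The rewritten comment says EASYRSA_CURVE is now used in `ed` mode, but the example value `secp384r1` on the next line is an EC curve that the ed path rejects (it accepts only ed25519 and ed448), so anyone who sets `EASYRSA_ALGO ed` and leaves the curve at the documented example gets a "Curve ... not found" failure with no hint of what is accepted. Name the valid values where the user is looking: `# Define the named curve, used in ec & ed modes (ed mode accepts only ed25519 or ed448):`.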
@@ -777,7 +777,7 @@ $EASYRSA_EXTRA_EXTS"
 	# shellcheck disable=2086,2148
 	algo_opts=""
 	if [ "ed" != $EASYRSA_ALGO ];then
-		algo_opts=' -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" '
+		algo_opts=' -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS '
 	fi
 	easyrsa_openssl req -utf8 -new $algo_opts \
 		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \

From 2c72a7a2310bf72e1e4d6c7f3202a34eebd45a56 Mon Sep 17 00:00:00 2001
From: root <13200018+siddharths2710@users.noreply.github.com>
Date: Mon, 20 Jan 2020 15:39:48 +0100
Subject: [PATCH 4/6] Hardcoded checks for ED curves manually

---
 easyrsa3/easyrsa | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d604387..1dfe833 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -665,10 +665,13 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
 			die "Failed create CA private key"
 	elif [ "ed" = "$EASYRSA_ALGO" ]; then
-		CURVE_CAPS=$(echo $EASYRSA_CURVE | tr '[a-z]' '[A-Z]')
-		echo "$EASYRSA_OPENSSL genpkey -algorithm $CURVE_CAPS -out $out_key_tmp"
-		"$EASYRSA_OPENSSL" genpkey -algorithm $CURVE_CAPS -out $out_key_tmp || \
+		if [ "ed25519" = "$EASYRSA_CURVE" ]; then
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp || \
 			die "Failed create CA private key"
+		elif [ "ed448" = "$EASYRSA_CURVE" ]; then
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp || \
+			die "Failed create CA private key"
+		fi
 	fi
 
 	# create the CA keypair:

From c45298e804001d5b5a40bc5e11cbf663755bff4b Mon Sep 17 00:00:00 2001
From: root <13200018+siddharths2710@users.noreply.github.com>
Date: Sat, 1 Feb 2020 11:03:48 +0100
Subject: [PATCH 5/6] Bug fixes and code formatting for ed curves

---
 easyrsa3/easyrsa | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
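Review bot: The `if ed25519 … elif ed448 … fi` introduced here has no `else`, so any other `EASYRSA_CURVE` value under `ed` falls through both arms, generates nothing, and the function continues to the "create the CA keypair" step with no `$out_key_tmp` on disk — it is only safe as long as a check elsewhere dies first, which this hunk cannot see. The two arms are identical apart from the algorithm name, and both still omit the `$crypto_opts` and passphrase arguments the ec line above passes, so the CA key is written unencrypted. A `case` with a `*) die` arm and one quoted genpkey call that carries the encryption options (genpkey spells the passphrase source `-pass`, not `-passout`; `crypto_opts` is set outside the hunk and is assumed to be a cipher flag) covers all of this; build_ca starts and ends outside the hunk.
```shell
	elif [ "ed" = "$EASYRSA_ALGO" ]; then
		case "$EASYRSA_CURVE" in
			ed25519) ed_alg=ED25519 ;;
			ed448)   ed_alg=ED448 ;;
			*) die "Curve $EASYRSA_CURVE not found: ed mode supports ed25519 or ed448" ;;
		esac
		# same at-rest protection as the rsa/ec branches; genpkey takes -pass, not -passout
		"$EASYRSA_OPENSSL" genpkey -algorithm "$ed_alg" -out "$out_key_tmp" \
			$crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
			die "Failed create CA private key"
	fi
```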
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 1dfe833..b63e4ad 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -433,11 +433,15 @@ $out"
 	return 0
 }
 
+# Verify if Edward Curve exists
 verify_curve_ed() {
-	if [ "ed25519" = "$EASYRSA_CURVE" ] || [ "ed448" = "$EASYRSA_CURVE" ] ; then
+
+	if [ "ed25519" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 > /dev/null; then
+		return 0
+	elif [ "ed448" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED448 > /dev/null; then
 		return 0
 	fi
-	return 1
+	die "Curve $EASYRSA_CURVE not found."
 }
 
 verify_ssl_lib () {
@@ -665,12 +669,12 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
 			die "Failed create CA private key"
 	elif [ "ed" = "$EASYRSA_ALGO" ]; then
-		if [ "ed25519" = "$EASYRSA_CURVE" ]; then
+		if [ "ed25519" = "$EASYRSA_CURVE" ]; then
 			"$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp || \
-			die "Failed create CA private key"
+				die "Failed create CA private key"
 		elif [ "ed448" = "$EASYRSA_CURVE" ]; then
 			"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp || \
-			die "Failed create CA private key"
+				die "Failed create CA private key"
 		fi
 	fi
 
@@ -741,7 +745,7 @@ Run easyrsa without commands for usage and commands."
 
 	verify_pki_init
 	[ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec
-	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed
+	[ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed
 
 	# don't wipe out an existing private key without confirmation
 	[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\
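Review bot: `die "Curve $EASYRSA_CURVE not found."` fires for two different failures — a name other than ed25519/ed448, and an OpenSSL build whose genpkey lacks that algorithm — and tells the user neither which values are accepted nor that an OpenSSL capability probe just failed, so the message should be `die "Curve $EASYRSA_CURVE not supported: ed mode requires EASYRSA_CURVE=ed25519 or ed448 and an OpenSSL whose genpkey supports it"`. The header `# Verify if Edward Curve exists` would serve callers better as `# Verify the requested Edwards-curve algorithm (ed25519/ed448) is accepted by this OpenSSL's genpkey; dies otherwise`, since the callers visible further down invoke it as `[ ... ] && verify_curve_ed` and never look at a return code, so the die is the contract. The probe generates and discards a real key on every call; cheap for these curves, but worth one comment saying so.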
@@ -780,7 +784,7 @@ $EASYRSA_EXTRA_EXTS"
 	# shellcheck disable=2086,2148
 	algo_opts=""
 	if [ "ed" != $EASYRSA_ALGO ];then
-		algo_opts=' -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS '
+		algo_opts=" -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS "
 	fi
 	easyrsa_openssl req -utf8 -new $algo_opts \
 		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \

From 7ef2302044bdf02157c8c6c70c9d3da60291aaa6 Mon Sep 17 00:00:00 2001
From: Sid Srinivas
Date: Tue, 17 Mar 2020 07:46:03 +0530
Subject: [PATCH 6/6] Provided support for ED curves

---
 easyrsa3/easyrsa | 2 --
 1 file changed, 2 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b63e4ad..3dc0ead 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -410,7 +410,6 @@ EASYRSA_PKI env-var undefined"
 
 # Verify supplied curve exists and generate curve file if needed
 verify_curve_ec() {
-
 	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
 		die "\
 Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
@@ -435,7 +434,6 @@ $out"
 
 # Verify if Edward Curve exists
 verify_curve_ed() {
-
 	if [ "ed25519" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 > /dev/null; then
 		return 0
 	elif [ "ed448" = "$EASYRSA_CURVE" ] && "$EASYRSA_OPENSSL" genpkey -algorithm ED448 > /dev/null; then
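Review bot: Carrying the `-newkey` argument in a plain string reintroduces word splitting: `$algo_opts` is expanded unquoted on the `easyrsa_openssl req` line (the shellcheck disable above it is what permits that), and for `ec` the value contains `$EASYRSA_ALGO_PARAMS`, a path under the PKI directory, so a PKI path with a space now breaks gen-req for rsa and ec where the original quoted `"$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS"` form did not. In the `ed` case the variable stays empty and, per req(1), `openssl req -new` with no `-key`/`-newkey` generates an RSA key from the config, not an Edwards-curve key. Choosing only the spec string and keeping the argument quoted on the command line avoids both (on OpenSSL 1.1.1 `-newkey ed25519` resolves the bare algorithm name as `genpkey -algorithm` does — confirm on your minimum version), and `[ "ed" != $EASYRSA_ALGO ]` should quote `"$EASYRSA_ALGO"` so an empty value cannot turn into a `[` syntax error. gen_req starts and ends outside the hunk.
```shell
	# shellcheck disable=2086,2148
	if [ "ed" = "$EASYRSA_ALGO" ]; then
		# Edwards curves take the algorithm name directly; there is no parameter file
		newkey_spec="$EASYRSA_CURVE"
	else
		newkey_spec="$EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS"
	fi
	easyrsa_openssl req -utf8 -new -newkey "$newkey_spec" \
		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} \
```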