Update to ECDSA support from commit 45c27e9

Add documentation & help output; add quoting; add error messages; put
the ecparams dir under PKI dir with env-var tunable.

Signed-off-by: Josh Cepek <josh.cepek@usa.net>

doc/EasyRSA-Advanced.md

@@ -93,6 +93,9 @@ possible terse description is shown below:
  *  `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org
     mode
  *  `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the keysize in bits to generate
+ *  `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
+ *  `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
+ *  `EASYRSA_EC_DIR` - dir to store generated ecparams
  *  `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
  *  `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time
     in days

easyrsa3/easyrsa

@@ -182,6 +182,8 @@ Certificate & Request options: (these impact cert/req field values)
 --subca-len=#   : path length of signed sub-CA certs; must be >= 0 if used
 --subject-alt-name : Add a subjectAltName. For more info and syntax, see:
                      ./easyrsa help altname
+--use-algo=ALG  : crypto alg to use: choose rsa (default) or ec
+--curve=NAME    : for elliptic curve, sets the named curve to use
 
 Organizational DN options: (only used with the 'org' DN mode)
   (values may be blank for org DN options)
@@ -277,19 +279,23 @@ Expected location: $EASYRSA_SSL_CONF"
 
 # Verify supplied curve exists and generate curve file if needed
 verify_curve() {
-	if ! $EASYRSA_OPENSSL ecparam -name $EASYRSA_CURVE > /dev/null; then
+	if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
 		die "\
 Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a
 list of supported curves."
 	fi
 
 	# Check that the ecparams dir exists
-	[ -d ecparams ] || mkdir ecparams
+	[ -d "$EASYRSA_EC_DIR" ] || mkdir "$EASYRSA_EC_DIR" || die "\
+Failed creating ecparams dir (permissions?) at:
+$EASYRSA_EC_DIR"
 
 	# Check that the required ecparams file exists
-	[ -f ecparams/${EASYRSA_CURVE}.pem ] || \
-		$EASYRSA_OPENSSL ecparam -name $EASYRSA_CURVE \
-			-out ecparams/${EASYRSA_CURVE}.pem
+	local out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
+	[ -f "$out" ] && return 0
+	"$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" || die "\
+Failed to generate ecparam file (permissions?) when writing to:
+$out"
 
 	# Explicitly return success for caller
 	return 0
@@ -433,7 +439,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	# Default CN only when not in global EASYRSA_BATCH mode:
 	[ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 	# create the CA keypair:
-	"$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS \
+	"$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
 		-config "$EASYRSA_SSL_CONF" -keyout "$out_key" -out "$out_file" $opts || \
 		die "Failed to build the CA"
 
@@ -518,7 +524,7 @@ Continuing with key generation will replace this key."
 
 	# generate request
 	[ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch"
-	"$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS \
+	"$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
 		-config "$EASYRSA_SSL_CONF" -keyout "$key_out" -out "$req_out" $opts
 	local ret=$?
 	[ -n "$EASYRSA_EXTRA_EXTS" ] && rm "$EASYRSA_TEMP_FILE"
@@ -917,6 +923,7 @@ Note: using Easy-RSA configuration from: $vars"
 	set_var EASYRSA_ALGO		rsa
 	set_var EASYRSA_KEY_SIZE	2048
 	set_var EASYRSA_CURVE		secp384r1
+	set_var EASYRSA_EC_DIR		"$EASYRSA_PKI/ecparams"
 	set_var EASYRSA_CA_EXPIRE	3650
 	set_var EASYRSA_CERT_EXPIRE	3650
 	set_var EASYRSA_CRL_DAYS	180
@@ -938,6 +945,16 @@ Note: using Easy-RSA configuration from: $vars"
 	else	set_var EASYRSA_EXT_DIR		"$EASYRSA/x509-types"
 	fi
 
+	# EASYRSA_ALGO_PARAMS must be set depending on config. Defaults to rsa
+	if [ $EASYRSA_ALGO = "ec" ]; then
+		export EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
+	else
+		export EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
+		# Warn if the ALGO isn't rsa as we default to rsa anyway
+		[ "$EASYRSA_ALGO" = "rsa" ] || warn "\
+Warning: unknown algo '$EASYRSA_ALGO' -- using rsa default"
+	fi
+
 	# Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
 	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
 } # vars_setup()
@@ -1041,14 +1058,6 @@ vars_setup
 	warn "Invalid 'EASYRSA_BATCH' var has been defined to 0. Bad value was: '$EASYRSA_BATCH'"
 }
 
-# EASYRSA_ALGO_PARAMS must be set depending on config
-if [ $EASYRSA_ALGO = "ec" ]; then
-	export EASYRSA_ALGO_PARAMS="ecparams/${EASYRSA_CURVE}.pem"
-else
-	# Default to rsa
-	export EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
-fi
-
 # determine how we were called, then hand off to the function responsible
 cmd="$1"
 [ -n "$1" ] && shift # scrape off command

easyrsa3/vars.example

@@ -92,10 +92,22 @@ fi
 # 2048-bit keys is considered more than sufficient for many years into the
 # future. Larger keysizes will slow down TLS negotiation and make key/DH param
 # generation take much longer. Values up to 4096 should be accepted by most
-# software.
+# software. Only used when the crypto alg is rsa (see below.)
 
 #set_var EASYRSA_KEY_SIZE	2048
 
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+#  * rsa
+#  * ec
+
+#set_var EASYRSA_ALGO		rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE		secp384r1
+
 # In how many days should the root CA key expire?
 
 #set_var EASYRSA_CA_EXPIRE	3650