From cb74c35eb3fbf4fe646eca4b40cae4ac138f00b7 Mon Sep 17 00:00:00 2001
From: Josh Cepek
Date: Sun, 24 Nov 2013 23:10:18 -0600
Subject: [PATCH] Update to ECDSA support from commit 45c27e9

Add documentation & help output; add quoting; add error messages; put the ecparams dir under PKI dir with env-var tunable.

Signed-off-by: Josh Cepek
---
 doc/EasyRSA-Advanced.md | 3 +++
 easyrsa3/easyrsa | 39 ++++++++++++++++++++++++---------------
 easyrsa3/vars.example | 14 +++++++++++++-
 3 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 29e03f0..5f6efb8 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -93,6 +93,9 @@ possible terse description is shown below:
 * `EASYRSA_REQ_OU` (CLI: `--req-ou`) - set the DN organizational unit with org mode
 * `EASYRSA_KEY_SIZE` (CLI: `--key-size`) - set the keysize in bits to generate
+ * `EASYRSA_ALGO` (CLI: `--use-algo`) - set the crypto alg to use: rsa or ec
+ * `EASYRSA_CURVE` (CLI: `--curve`) - define the named EC curve to use
+ * `EASYRSA_EC_DIR` - dir to store generated ecparams
 * `EASYRSA_CA_EXPIRE` (CLI: `--days`) - set the CA expiration time in days
 * `EASYRSA_CERT_EXPIRE` (CLI: `--days`) - set the issued cert expiration time in days
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 02f22e0..827a287 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -182,6 +182,8 @@ Certificate & Request options: (these impact cert/req field values)
 --subca-len=# : path length of signed sub-CA certs; must be >= 0 if used
 --subject-alt-name : Add a subjectAltName. For more info and syntax, see:
 ./easyrsa help altname
+--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
+--curve=NAME : for elliptic curve, sets the named curve to use
 Organizational DN options: (only used with the 'org' DN mode)
 (values may be blank for org DN options)
@@ -277,19 +279,23 @@ Expected location: $EASYRSA_SSL_CONF"
 # Verify supplied curve exists and generate curve file if needed
 verify_curve() {
- if ! $EASYRSA_OPENSSL ecparam -name $EASYRSA_CURVE > /dev/null; then
+ if ! "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" > /dev/null; then
 die "\
 Curve $EASYRSA_CURVE not found. Run openssl ecparam -list_curves to show a list of supported curves."
 fi
 # Check that the ecparams dir exists
- [ -d ecparams ] || mkdir ecparams
+ [ -d "$EASYRSA_EC_DIR" ] || mkdir "$EASYRSA_EC_DIR" || die "\
+Failed creating ecparams dir (permissions?) at:
+$EASYRSA_EC_DIR"
 # Check that the required ecparams file exists
- [ -f ecparams/${EASYRSA_CURVE}.pem ] || \
- $EASYRSA_OPENSSL ecparam -name $EASYRSA_CURVE \
- -out ecparams/${EASYRSA_CURVE}.pem
+ local out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
+ [ -f "$out" ] && return 0
+ "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" || die "\
+Failed to generate ecparam file (permissions?) when writing to:
+$out"
 # Explicitly return success for caller
 return 0
@@ -433,7 +439,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # Default CN only when not in global EASYRSA_BATCH mode:
 [ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 # create the CA keypair:
- "$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS \
+ "$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
 -config "$EASYRSA_SSL_CONF" -keyout "$out_key" -out "$out_file" $opts || \
 die "Failed to build the CA"
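Review bot: `[ -f "$out" ] && return 0` treats any existing file at `$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem` as usable curve parameters, so an empty or truncated file left behind by an earlier interrupted `ecparam -out` run (or a file that has since been replaced with other parameters) is silently reused and handed to the later `req -newkey ec:` calls, which then fail with an opaque openssl error or, presumably, generate keys on whatever parameters the file holds rather than the named curve. Validating the cached file before trusting it and falling through to regenerate otherwise keeps the failure at its source: `[ -f "$out" ] && "$EASYRSA_OPENSSL" ecparam -in "$out" -noout -check >/dev/null 2>&1 && return 0`. Separately, `mkdir "$EASYRSA_EC_DIR"` without `-p` fails for any tunable value whose parent directory is missing, and the "(permissions?)" hint in the die message would then point the user in the wrong direction; `mkdir -p "$EASYRSA_EC_DIR"` avoids that. verify_curve's closing brace lies beyond the end of the hunk.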
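Review bot: `-newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS"` quotes only the right-hand half of the argument, while `$EASYRSA_ALGO`, which the help text in this same file documents as user-tunable via `--use-algo`, is still subject to word splitting and globbing; quoting the whole word, `-newkey "$EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS" \`, is both simpler and complete. The same half-quoted form is introduced in the hunk at @@ -518. The enclosing function begins before this hunk and continues after the `die "Failed to build the CA"` line.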
@@ -518,7 +524,7 @@ Continuing with key generation will replace this key."
 # generate request
 [ $EASYRSA_BATCH -eq 1 ] && opts="$opts -batch"
- "$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS \
+ "$EASYRSA_OPENSSL" req -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \
 -config "$EASYRSA_SSL_CONF" -keyout "$key_out" -out "$req_out" $opts
 local ret=$?
 [ -n "$EASYRSA_EXTRA_EXTS" ] && rm "$EASYRSA_TEMP_FILE"
@@ -917,6 +923,7 @@ Note: using Easy-RSA configuration from: $vars"
 set_var EASYRSA_ALGO rsa
 set_var EASYRSA_KEY_SIZE 2048
 set_var EASYRSA_CURVE secp384r1
+ set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
 set_var EASYRSA_CA_EXPIRE 3650
 set_var EASYRSA_CERT_EXPIRE 3650
 set_var EASYRSA_CRL_DAYS 180
@@ -938,6 +945,16 @@ Note: using Easy-RSA configuration from: $vars"
 else
 set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
 fi
+ # EASYRSA_ALGO_PARAMS must be set depending on config. Defaults to rsa
+ if [ $EASYRSA_ALGO = "ec" ]; then
+ export EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem"
+ else
+ export EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
+ # Warn if the ALGO isn't rsa as we default to rsa anyway
+ [ "$EASYRSA_ALGO" = "rsa" ] || warn "\
+Warning: unknown algo '$EASYRSA_ALGO' -- using rsa default"
+ fi
+
 # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
 export OPENSSL_CONF="$EASYRSA_SSL_CONF"
 } # vars_setup()
@@ -1041,14 +1058,6 @@ vars_setup
 warn "Invalid 'EASYRSA_BATCH' var has been defined to 0. Bad value was: '$EASYRSA_BATCH'"
 }
-# EASYRSA_ALGO_PARAMS must be set depending on config
-if [ $EASYRSA_ALGO = "ec" ]; then
- export EASYRSA_ALGO_PARAMS="ecparams/${EASYRSA_CURVE}.pem"
-else
- # Default to rsa
- export EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}"
-fi
-
 # determine how we were called, then hand off to the function responsible
 cmd="$1"
 [ -n "$1" ] && shift # scrape off command
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 67a6844..d9a0ac1 100644
--- a/easyrsa3/vars.example
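Review bot: In the else branch of the @@ -938 hunk the warning promises "using rsa default", but `EASYRSA_ALGO` keeps its unknown value, so the `req -newkey $EASYRSA_ALGO:...` calls in the hunks at @@ -433 and @@ -518 still hand openssl something like `foo:2048`, which it presumably rejects, and the run fails instead of falling back. Add `export EASYRSA_ALGO=rsa` after the warn call's closing quote (inside the else branch, harmless when the value is already rsa); since a mistyped `--use-algo` would then quietly produce RSA keys where EC was intended, `die` in place of `warn` is the stricter alternative worth considering. The `if [ $EASYRSA_ALGO = "ec" ]` test is also unquoted, unlike the `[ "$EASYRSA_ALGO" = "rsa" ]` test three lines below, and an empty value turns it into a test syntax error; `if [ "$EASYRSA_ALGO" = "ec" ]; then` is consistent with the rest of the branch. vars_setup's opening line is outside the hunk; its closing brace is inside.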
+++ b/easyrsa3/vars.example
@@ -92,10 +92,22 @@ fi
 # 2048-bit keys is considered more than sufficient for many years into the
 # future. Larger keysizes will slow down TLS negotiation and make key/DH param
 # generation take much longer. Values up to 4096 should be accepted by most
-# software.
+# software. Only used when the crypto alg is rsa (see below.)
 #set_var EASYRSA_KEY_SIZE 2048
+# The default crypto mode is rsa; ec can enable elliptic curve support.
+# Note that not all software supports ECC, so use care when enabling it.
+# Choices for crypto alg are: (each in lower-case)
+# * rsa
+# * ec
+
+#set_var EASYRSA_ALGO rsa
+
+# Define the named curve, used in ec mode only:
+
+#set_var EASYRSA_CURVE secp384r1
+
 # In how many days should the root CA key expire?
 #set_var EASYRSA_CA_EXPIRE 3650