From 04fe65de17ac82e88d69011c28a84ae4131685ef Mon Sep 17 00:00:00 2001 
From: Sean McKay
Date: Sat, 4 Apr 2020 16:53:08 -0700
Subject: [PATCH] Enable Edwards Curves for Public Key Algorithm

When Edwards curves are currently specified, they will be used for the
signature algorithm, but the actual public/private keypair will fall back
to defaults (RSA2048), which is likely not what the user intends.

This commit modifies the code so that requesting Edwards curves will
result in their use for the Public Key Algorithm (new behavior) in
addition to the Signature Algorithm (current behavior)

Examples of fixed and current (broken) behavior given below. Note the
Public Key Algorithm in the middle of the certificate and the message
from openssl of the private key type that's being generated:

-----------------------------------------------------------------------
Fixed example:

easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-fixed \
    gen-req ed25519-fixed nopass >/dev/null
Generating a ED25519 private key
writing new private key to '/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6978.eq66M2/tmp.fEv2Hd'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
    ed25519-fixed 2>/dev/null

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-fixed.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:34:a6:4c:f8:6b:a5:e9:d0:4d:87:4f:d5:a0:e8:df
        Signature Algorithm: ED25519
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Apr 5 00:32:23 2020 GMT
            Not After : Jul 9 00:32:23 2022 GMT
        Subject: CN=ed25519-fixed
        Subject Public Key Info:
            Public Key Algorithm: ED25519
                ED25519 Public-Key:
                pub:
                    ac:12:08:26:f7:ba:21:97:b4:51:ff:02:64:a2:af:
                    09:3a:08:e3:a0:42:8c:4f:d2:e8:a2:52:df:ee:26:
                    c0:da
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                4B:BD:7F:5E:A5:BD:3A:1B:4C:AB:60:D3:B7:78:80:96:DB:78:89:95
            X509v3 Authority Key Identifier:
                keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
                DirName:/CN=Easy-RSA CA
                serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: ED25519
         0d:7c:19:1c:92:dc:0a:8e:2f:4a:f7:c1:0b:02:a5:18:93:19:
         45:04:0f:6e:40:f2:c3:a9:bf:72:bc:66:c2:f4:ef:48:4e:72:
         e9:14:43:9c:22:c8:8e:70:f8:25:db:b6:f7:8a:8f:78:c0:a5:
         3e:40:77:3c:12:f5:5a:72:eb:0d
-----BEGIN CERTIFICATE-----
MIIBjzCCAUGgAwIBAgIQPDSmTPhrpenQTYdP1aDo3zAFBgMrZXAwFjEUMBIGA1UE
AwwLRWFzeS1SU0EgQ0EwHhcNMjAwNDA1MDAzMjIzWhcNMjIwNzA5MDAzMjIzWjAY
MRYwFAYDVQQDDA1lZDI1NTE5LWZpeGVkMCowBQYDK2VwAyEArBIIJve6IZe0Uf8C
ZKKvCToI46BCjE/S6KJS3+4mwNqjgaIwgZ8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU
S71/XqW9OhtMq2DTt3iAltt4iZUwUQYDVR0jBEowSIAUNgDf/koxXzvyg4HZ5kTX
7RRrZ5ChGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRpt9sTsdWj56WvdDhJ
EuPbUK0NhzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwBQYDK2Vw
A0EADXwZHJLcCo4vSvfBCwKlGJMZRQQPbkDyw6m/crxmwvTvSE5y6RRDnCLIjnD4
Jdu294qPeMClPkB3PBL1WnLrDQ==
-----END CERTIFICATE-----
-----------------------------------------------------------------------
Current (broken) example:

easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-broken \
    gen-req ed25519-broken nopass >/dev/null
Generating a RSA private key
..........................................................................+++++
......+++++
writing new private key to '/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6901.tfUGNM/tmp.IEPoPv'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
    ed25519-broken 2>/dev/null

Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-broken.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:9c:25:ae:25:b0:b2:b1:ab:b0:34:b1:fc:75:70:f8
        Signature Algorithm: ED25519
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Apr 5 00:27:09 2020 GMT
            Not After : Jul 9 00:27:09 2022 GMT
        Subject: CN=ed25519-broken
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:cf:30:67:14:18:e8:bd:8b:89:23:ac:ac:a8:6c:
                    c4:6b:bd:50:cd:0d:d1:cf:b0:09:4a:8a:11:89:52:
                    7e:8e:01:78:d9:99:94:35:90:be:7e:0a:8b:20:c2:
                    ca:36:ef:3d:0e:17:8e:c9:83:66:42:a1:83:ed:3e:
                    ed:4d:04:4a:3f:fd:33:ba:6f:dc:cc:5c:c4:0b:1f:
                    3f:02:8a:d2:13:5b:e8:36:d4:88:10:cd:14:4a:41:
                    bd:b1:d1:f4:04:89:8f:a0:10:da:16:da:12:57:91:
                    06:81:c9:de:2a:da:c2:1b:51:52:2e:a6:20:36:04:
                    2f:9a:6f:b5:05:6d:f8:ec:65:86:9a:85:d2:6e:44:
                    47:8a:76:bb:0b:96:34:57:db:b6:a3:b6:76:53:95:
                    a5:9d:08:9f:35:17:04:22:11:04:66:1e:aa:28:1d:
                    78:90:c5:9c:19:6b:5d:41:52:79:82:cb:0a:3a:12:
                    86:71:bc:61:19:c7:e3:42:94:8b:b5:69:47:ac:2c:
                    8f:18:13:de:f4:52:6a:b5:ba:78:f0:65:5a:88:50:
                    0f:0f:46:ef:d9:8e:61:fe:33:5c:01:06:82:38:8b:
                    db:71:f3:7b:94:14:13:8f:94:25:a7:db:8c:53:85:
                    ea:6a:b2:89:fc:59:c6:61:10:ab:ea:38:94:e2:1f:
                    0d:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                40:DF:D9:F3:85:F9:56:5B:E4:65:EC:5A:32:CE:0D:42:35:0F:89:7F
            X509v3 Authority Key Identifier:
                keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
                DirName:/CN=Easy-RSA CA
                serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm: ED25519
         b3:61:98:2d:49:2f:f9:ce:79:a7:bb:dd:9c:31:41:12:e4:a5:
         72:a4:5b:2e:f0:ec:6a:56:26:4e:5c:f9:91:b9:5e:96:d0:c4:
         83:8c:81:49:18:df:10:0d:78:b9:82:86:22:f5:67:f9:1a:f5:
         3e:5a:19:15:66:38:2f:ce:3a:0e
-----BEGIN CERTIFICATE-----
MIICizCCAj2gAwIBAgIRAIucJa4lsLKxq7A0sfx1cPgwBQYDK2VwMBYxFDASBgNV
BAMMC0Vhc3ktUlNBIENBMB4XDTIwMDQwNTAwMjcwOVoXDTIyMDcwOTAwMjcwOVow
GTEXMBUGA1UEAwwOZWQyNTUxOS1icm9rZW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDPMGcUGOi9i4kjrKyobMRrvVDNDdHPsAlKihGJUn6OAXjZmZQ1
kL5+Cosgwso27z0OF47Jg2ZCoYPtPu1NBEo//TO6b9zMXMQLHz8CitITW+g21IgQ
zRRKQb2x0fQEiY+gENoW2hJXkQaByd4q2sIbUVIupiA2BC+ab7UFbfjsZYaahdJu
REeKdrsLljRX27ajtnZTlaWdCJ81FwQiEQRmHqooHXiQxZwZa11BUnmCywo6EoZx
vGEZx+NClIu1aUesLI8YE970Umq1unjwZVqIUA8PRu/ZjmH+M1wBBoI4i9tx83uU FBOPlCWn24xThepqson8WcZhEKvqOJTiHw1HAgMBAAGjgaIwgZ8wCQYDVR0TBAIw ADAdBgNVHQ4EFgQUQN/Z84X5VlvkZexaMs4NQjUPiX8wUQYDVR0jBEowSIAUNgDf /koxXzvyg4HZ5kTX7RRrZ5ChGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRp t9sTsdWj56WvdDhJEuPbUK0NhzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E BAMCB4AwBQYDK2VwA0EAs2GYLUkv+c55p7vdnDFBEuSlcqRbLvDsalYmTlz5kble ltDEg4yBSRjfEA14uYKGIvVn+Rr1PloZFWY4L846Dg== -----END CERTIFICATE----- --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 261336f..e9c75a4 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -781,7 +781,9 @@ $EASYRSA_EXTRA_EXTS" [ $EASYRSA_BATCH ] && opts="$opts -batch" # shellcheck disable=2086,2148 algo_opts="" - if [ "ed" != $EASYRSA_ALGO ];then + if [ "ed" = "$EASYRSA_ALGO" ]; then + algo_opts=" -newkey $EASYRSA_CURVE " + else algo_opts=" -newkey $EASYRSA_ALGO:$EASYRSA_ALGO_PARAMS " fi easyrsa_openssl req -utf8 -new $algo_opts \
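
Review bot: In the new "ed" branch of the hunk at line 781, $EASYRSA_CURVE is placed directly after -newkey with no check that it is set, and $algo_opts is then expanded unquoted into the easyrsa_openssl req call. If EASYRSA_CURVE is empty, -newkey is left without its own argument and will consume whatever follows it on the command line, so the failure would surface as a confusing openssl error rather than a clear easyrsa one. Consider failing early with an explicit message when EASYRSA_ALGO is "ed" and EASYRSA_CURVE is empty, before algo_opts is built. The move to = with a quoted "$EASYRSA_ALGO" is welcome, since the old unquoted != test would itself error out on an empty value. The commit message says the old code fell back to RSA2048 for the key pair; a short comment above the branch stating that Edwards curves take a bare curve name here, unlike the ALGO:PARAMS form in the else branch, would help the next reader.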