04fe65de17
When Edwards curves are currently specified, they will be used for the
signature algorithm, but the actual public/private keypair will fall
back to defaults (RSA2048), which is likely not what the user intends.
This commit modifies the code so that requesting Edwards curves will
result in their use for the Public Key Algorithm (new behavior) in
addition to the Signature Algorithm (current behavior)
Examples of fixed and current (broken) behavior given below. Note the
Public Key Algorithm in the middle of the certificate and the message
from openssl of the private key type that's being generated:
-----------------------------------------------------------------------
Fixed example:
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-fixed \
gen-req ed25519-fixed nopass >/dev/null
Generating a ED25519 private key
writing new private key to
'/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6978.eq66M2/tmp.fEv2Hd'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
ed25519-fixed 2>/dev/null
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-fixed.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:34:a6:4c:f8:6b:a5:e9:d0:4d:87:4f:d5:a0:e8:df
Signature Algorithm: ED25519
Issuer: CN=Easy-RSA CA
Validity
Not Before: Apr 5 00:32:23 2020 GMT
Not After : Jul 9 00:32:23 2022 GMT
Subject: CN=ed25519-fixed
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
ac:12:08:26:f7:ba:21:97:b4:51:ff:02:64:a2:af:
09:3a:08:e3:a0:42:8c:4f:d2:e8:a2:52:df:ee:26:
c0:da
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
4B:BD:7F:5E:A5:BD:3A:1B:4C:AB:60:D3:B7:78:80:96:DB:78:89:95
X509v3 Authority Key Identifier:
keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
DirName:/CN=Easy-RSA CA
serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ED25519
0d:7c:19:1c:92:dc:0a:8e:2f:4a:f7:c1:0b:02:a5:18:93:19:
45:04:0f:6e:40:f2:c3:a9:bf:72:bc:66:c2:f4:ef:48:4e:72:
e9:14:43:9c:22:c8:8e:70:f8:25:db:b6:f7:8a:8f:78:c0:a5:
3e:40:77:3c:12:f5:5a:72:eb:0d
-----BEGIN CERTIFICATE-----
MIIBjzCCAUGgAwIBAgIQPDSmTPhrpenQTYdP1aDo3zAFBgMrZXAwFjEUMBIGA1UE
AwwLRWFzeS1SU0EgQ0EwHhcNMjAwNDA1MDAzMjIzWhcNMjIwNzA5MDAzMjIzWjAY
MRYwFAYDVQQDDA1lZDI1NTE5LWZpeGVkMCowBQYDK2VwAyEArBIIJve6IZe0Uf8C
ZKKvCToI46BCjE/S6KJS3+4mwNqjgaIwgZ8wCQYDVR0TBAIwADAdBgNVHQ4EFgQU
S71/XqW9OhtMq2DTt3iAltt4iZUwUQYDVR0jBEowSIAUNgDf/koxXzvyg4HZ5kTX
7RRrZ5ChGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRpt9sTsdWj56WvdDhJ
EuPbUK0NhzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwBQYDK2Vw
A0EADXwZHJLcCo4vSvfBCwKlGJMZRQQPbkDyw6m/crxmwvTvSE5y6RRDnCLIjnD4
Jdu294qPeMClPkB3PBL1WnLrDQ==
-----END CERTIFICATE-----
-----------------------------------------------------------------------
Current (broken) example:
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-broken \
gen-req ed25519-broken nopass >/dev/null
Generating a RSA private key
..........................................................................+++++
......+++++
writing new private key to
'/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6901.tfUGNM/tmp.IEPoPv'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
ed25519-broken 2>/dev/null
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-broken.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8b:9c:25:ae:25:b0:b2:b1:ab:b0:34:b1:fc:75:70:f8
Signature Algorithm: ED25519
Issuer: CN=Easy-RSA CA
Validity
Not Before: Apr 5 00:27:09 2020 GMT
Not After : Jul 9 00:27:09 2022 GMT
Subject: CN=ed25519-broken
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cf:30:67:14:18:e8:bd:8b:89:23:ac:ac:a8:6c:
c4:6b:bd:50:cd:0d:d1:cf:b0:09:4a:8a:11:89:52:
7e:8e:01:78:d9:99:94:35:90:be:7e:0a:8b:20:c2:
ca:36:ef:3d:0e:17:8e:c9:83:66:42:a1:83:ed:3e:
ed:4d:04:4a:3f:fd:33:ba:6f:dc:cc:5c:c4:0b:1f:
3f:02:8a:d2:13:5b:e8:36:d4:88:10💿14:4a:41:
bd:b1:d1:f4:04:89:8f:a0:10:da:16:da:12:57:91:
06:81:c9🇩🇪2a:da:c2:1b:51:52:2e:a6:20:36:04:
2f:9a:6f:b5:05:6d:f8:ec:65:86:9a:85:d2:6e:44:
47:8a:76:bb:0b:96:34:57:db:b6:a3:b6:76:53:95:
a5:9d:08:9f:35:17:04:22:11:04:66:1e:aa:28:1d:
78:90:c5:9c:19:6b:5d:41:52:79:82:cb:0a:3a:12:
86:71:bc:61:19:c7:e3:42:94:8b:b5:69:47:ac:2c:
8f:18:13🇩🇪f4:52:6a:b5:ba:78:f0:65:5a:88:50:
0f:0f:46:ef:d9:8e:61:fe:33:5c:01:06:82:38:8b:
db:71:f3:7b:94:14:13:8f:94:25:a7:db:8c:53:85:
ea:6a:b2:89:fc:59:c6:61:10🆎ea:38:94:e2:1f:
0d:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
40:DF:D9:F3:85:F9:56:5B:E4:65:EC:5A:32:CE:0D:42:35:0F:89:7F
X509v3 Authority Key Identifier:
keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
DirName:/CN=Easy-RSA CA
serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ED25519
b3:61:98:2d:49:2f:f9:ce:79:a7:bb:dd:9c:31:41:12:e4:a5:
72:a4:5b:2e:f0:ec:6a:56:26:4e:5c:f9:91:b9:5e:96:d0:c4:
83:8c:81:49:18:df:10:0d:78:b9:82:86:22:f5:67:f9:1a:f5:
3e:5a:19:15:66:38:2f:ce:3a:0e
-----BEGIN CERTIFICATE-----
MIICizCCAj2gAwIBAgIRAIucJa4lsLKxq7A0sfx1cPgwBQYDK2VwMBYxFDASBgNV
BAMMC0Vhc3ktUlNBIENBMB4XDTIwMDQwNTAwMjcwOVoXDTIyMDcwOTAwMjcwOVow
GTEXMBUGA1UEAwwOZWQyNTUxOS1icm9rZW4wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDPMGcUGOi9i4kjrKyobMRrvVDNDdHPsAlKihGJUn6OAXjZmZQ1
kL5+Cosgwso27z0OF47Jg2ZCoYPtPu1NBEo//TO6b9zMXMQLHz8CitITW+g21IgQ
zRRKQb2x0fQEiY+gENoW2hJXkQaByd4q2sIbUVIupiA2BC+ab7UFbfjsZYaahdJu
REeKdrsLljRX27ajtnZTlaWdCJ81FwQiEQRmHqooHXiQxZwZa11BUnmCywo6EoZx
vGEZx+NClIu1aUesLI8YE970Umq1unjwZVqIUA8PRu/ZjmH+M1wBBoI4i9tx83uU
FBOPlCWn24xThepqson8WcZhEKvqOJTiHw1HAgMBAAGjgaIwgZ8wCQYDVR0TBAIw
ADAdBgNVHQ4EFgQUQN/Z84X5VlvkZexaMs4NQjUPiX8wUQYDVR0jBEowSIAUNgDf
/koxXzvyg4HZ5kTX7RRrZ5ChGqQYMBYxFDASBgNVBAMMC0Vhc3ktUlNBIENBghRp
t9sTsdWj56WvdDhJEuPbUK0NhzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8E
BAMCB4AwBQYDK2VwA0EAs2GYLUkv+c55p7vdnDFBEuSlcqRbLvDsalYmTlz5kble
ltDEg4yBSRjfEA14uYKGIvVn+Rr1PloZFWY4L846Dg==
-----END CERTIFICATE-----
Overview
easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL).
Downloads
If you are looking for release downloads, please see the releases section on GitHub. Releases are also available as source checkouts using named tags.
Documentation
For 3.x project documentation and usage, see the README.quickstart.md file or the more detailed docs under the doc/ directory. The .md files are in Markdown format and can be converted to html files as desired for release packages, or read as-is in plaintext.
Getting help using easy-rsa
Currently, Easy-RSA development co-exists with OpenVPN even though they are separate projects. The following resources are good places as of this writing to seek help using Easy-RSA:
The openvpn-users mailing list is a good place to post usage or help questions.
You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion.
Branch structure
The easy-rsa master branch is currently tracking development for the 3.x release cycle. Please note that, at any given time, master may be broken. Feel free to create issues against master, but have patience when using the master branch. It is recommended to use a release, and priority will be given to bugs identified in the most recent release.
The prior 2.x and 1.x versions are available as release branches for tracking and possible back-porting of relevant fixes. Branch layout is:
master <- 3.x, at present
v3.x.x pre-release branches, used for staging branches
release/2.x
release/1.x
LICENSING info for 3.x is in the COPYING.md file
Code style, standards
We are attempting to adhere to the POSIX standard, which can be found here: