Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 03:54:38PM +0200, Florian Obser wrote:
> On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote:
> >
> >
> > On 6/14/19 1:58 PM, Florian Obser wrote:
> > > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > > >
> > > >
> > > > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > > >
> > > > >
> > > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > > > Hi,
> > > > > >
> > > > > > some feedback below.
> > > > > >
> > > > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > > > work ;)
> > > > > >
> > > > > > /Benno
> > > > > >
> > > > >
> > > > > As suggested by benno@
> > > > > removal of the global variable
> > > > > removal of KEYTYPE which was not used and was a leftover of a former
> > > > > patch
> > > > > define ECDSA_KEY to be more readable
> > > > >
> > > >
> > > > Any comment or OK on my latest patch?
> > > >
> > >
> > > I'd prefer to use enums like the rest of the code.
> > >
> >
> > Indeed, that seems even more explicit. I can't say an official OK, but
> > that's OK to me :)
> >
> >
>
>
> Bit more tweaking to the parse.y. This makes keytype reusable for the
> account key.
>
yes makes sense
> Still looking for an official OK :)
>
> I'll probably just put it in soon...
>
ok gilles@ still :-)
> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const
> char *,
> int, int, const char *const *, size_t);
> int fileproc(int, const char *, const char *, const char *,
> const char *);
> -int keyproc(int, const char *, const char **, size_t);
> +int keyproc(int, const char *, const char **, size_t,
> + enum keytype);
> int netproc(int, int, int, int, int, int, int,
> struct authority_c *, const char *const *,
> size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const
> char *, const char *);
> */
> int verbose;
>
> -/*
> - * Should we switch to ecdsa?
> - */
> -int ecdsa;
> -
> /*
> * What component is the process within (COMP__MAX for none)?
> */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char
> *value)
> * jail and, on success, ship it to "netsock" as an X509 request.
> */
> int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
> {
> char*der64 = NULL, *der = NULL, *dercp;
> char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
> }
>
> if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
> if ((pkey = ec_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
> if ((pkey = rsa_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated RSA domain key", keyfile);
> + break;
> }
> } else {
> if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
> int popts = 0;
> pid_t pids[COMP__MAX];
> extern intverbose;
> - extern intecdsa;
> extern enum comp proccomp;
> size_ti, altsz, ne;
>
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
> errx(EXIT_FAILURE, "authority %s not found", auth);
> }
>
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
> acctkey = authority->account;
>
> if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
> close(file_fds[0]);
> close(file_fds[1]);
> c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
> exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
> }
>
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
> * limit all paths to PATH_MAX
> */
>
> +enum keytype
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 01:58:58PM +0200, Florian Obser wrote:
> On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> >
> >
> > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > >
> > >
> > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > Hi,
> > > >
> > > > some feedback below.
> > > >
> > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > work ;)
> > > >
> > > > /Benno
> > > >
> > >
> > > As suggested by benno@
> > > removal of the global variable
> > > removal of KEYTYPE which was not used and was a leftover of a former patch
> > > define ECDSA_KEY to be more readable
> > >
> >
> > Any comment or OK on my latest patch?
> >
>
> I'd prefer to use enums like the rest of the code.
>
yes, ok gilles@
> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const
> char *,
> int, int, const char *const *, size_t);
> int fileproc(int, const char *, const char *, const char *,
> const char *);
> -int keyproc(int, const char *, const char **, size_t);
> +int keyproc(int, const char *, const char **, size_t,
> + enum keytype);
> int netproc(int, int, int, int, int, int, int,
> struct authority_c *, const char *const *,
> size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const
> char *, const char *);
> */
> int verbose;
>
> -/*
> - * Should we switch to ecdsa?
> - */
> -int ecdsa;
> -
> /*
> * What component is the process within (COMP__MAX for none)?
> */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char
> *value)
> * jail and, on success, ship it to "netsock" as an X509 request.
> */
> int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
> {
> char*der64 = NULL, *der = NULL, *dercp;
> char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
> }
>
> if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
> if ((pkey = ec_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
> if ((pkey = rsa_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated RSA domain key", keyfile);
> + break;
> }
> } else {
> if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
> int popts = 0;
> pid_t pids[COMP__MAX];
> extern intverbose;
> - extern intecdsa;
> extern enum comp proccomp;
> size_ti, altsz, ne;
>
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
> errx(EXIT_FAILURE, "authority %s not found", auth);
> }
>
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
> acctkey = authority->account;
>
> if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
> close(file_fds[0]);
> close(file_fds[1]);
> c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
> exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
> }
>
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
> * limit all paths to PATH_MAX
> */
>
> +enum keytype {
> + KT_RSA = 0,
> + KT_ECDSA
> +};
> +
> struct authority_c {
> TAILQ_ENTRY(authority_c) entry;
> char*name;
> @@ -36,9 +41,9 @@ struct authority_c {
>
> struct domain_c {
> TAILQ_ENTRY(domain_c)entry;
> - TAILQ_HEAD(, altname_c) altname_list;
> - int altname_count;
> - int keytype;
> + TAILQ_HEAD(, altname_c) altname_list;
> + int altname_count;
> + enum keytype keytype;
> char
Re: [patch] use acme-client to sign certificated with ecdsa keys
ok
Florian Obser(flor...@openbsd.org) on 2019.06.14 13:58:58 +0200:
> On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> >
> >
> > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > >
> > >
> > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > Hi,
> > > >
> > > > some feedback below.
> > > >
> > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > work ;)
> > > >
> > > > /Benno
> > > >
> > >
> > > As suggested by benno@
> > > removal of the global variable
> > > removal of KEYTYPE which was not used and was a leftover of a former patch
> > > define ECDSA_KEY to be more readable
> > >
> >
> > Any comment or OK on my latest patch?
> >
>
> I'd prefer to use enums like the rest of the code.
>
>
> diff --git extern.h extern.h
> index 17c6aa54f18..f6293a371ad 100644
> --- extern.h
> +++ extern.h
> @@ -207,7 +207,8 @@ intrevokeproc(int, const char *, const
> char *,
> int, int, const char *const *, size_t);
> int fileproc(int, const char *, const char *, const char *,
> const char *);
> -int keyproc(int, const char *, const char **, size_t);
> +int keyproc(int, const char *, const char **, size_t,
> + enum keytype);
> int netproc(int, int, int, int, int, int, int,
> struct authority_c *, const char *const *,
> size_t);
> @@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const
> char *, const char *);
> */
> int verbose;
>
> -/*
> - * Should we switch to ecdsa?
> - */
> -int ecdsa;
> -
> /*
> * What component is the process within (COMP__MAX for none)?
> */
> diff --git keyproc.c keyproc.c
> index 9c392a0f3f6..f9ce081457a 100644
> --- keyproc.c
> +++ keyproc.c
> @@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char
> *value)
> * jail and, on success, ship it to "netsock" as an X509 request.
> */
> int
> -keyproc(int netsock, const char *keyfile,
> -const char **alts, size_t altsz)
> +keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
> +enum keytype keytype)
> {
> char*der64 = NULL, *der = NULL, *dercp;
> char*sans = NULL, *san = NULL;
> @@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
> }
>
> if (newkey) {
> - if (ecdsa) {
> + switch (keytype) {
> + case KT_ECDSA:
> if ((pkey = ec_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated ECDSA domain key", keyfile);
> - } else {
> + break;
> + case KT_RSA:
> if ((pkey = rsa_key_create(f, keyfile)) == NULL)
> goto out;
> dodbg("%s: generated RSA domain key", keyfile);
> + break;
> }
> } else {
> if ((pkey = key_load(f, keyfile)) == NULL)
> diff --git main.c main.c
> index ea8f7c5d348..d70a7048f47 100644
> --- main.c
> +++ main.c
> @@ -49,7 +49,6 @@ main(int argc, char *argv[])
> int popts = 0;
> pid_t pids[COMP__MAX];
> extern intverbose;
> - extern intecdsa;
> extern enum comp proccomp;
> size_ti, altsz, ne;
>
> @@ -148,10 +147,6 @@ main(int argc, char *argv[])
> errx(EXIT_FAILURE, "authority %s not found", auth);
> }
>
> - if (domain->keytype == 1) {
> - ecdsa = 1;
> - }
> -
> acctkey = authority->account;
>
> if ((chngdir = domain->challengedir) == NULL)
> @@ -258,7 +253,8 @@ main(int argc, char *argv[])
> close(file_fds[0]);
> close(file_fds[1]);
> c = keyproc(key_fds[0], domain->key,
> - (const char **)alts, altsz);
> + (const char **)alts, altsz,
> + domain->keytype);
> exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
> }
>
> diff --git parse.h parse.h
> index 78405590568..7f2d3ca546c 100644
> --- parse.h
> +++ parse.h
> @@ -27,6 +27,11 @@
> * limit all paths to PATH_MAX
> */
>
> +enum keytype {
> + KT_RSA = 0,
> + KT_ECDSA
> +};
> +
> struct authority_c {
> TAILQ_ENTRY(authority_c) entry;
> char*name;
> @@ -36,9 +41,9 @@ struct authority_c {
>
> struct domain_c {
> TAILQ_ENTRY(domain_c)entry;
> - TAILQ_HEAD(, altname_c) altname_list;
> - int altname_count;
> - int keytype;
> + TAILQ_HEAD(, altname_c) altname_list;
> + int altname_count;
> + enum keytype keytype;
> char
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 02:04:00PM +0200, Renaud Allard wrote:
>
>
> On 6/14/19 1:58 PM, Florian Obser wrote:
> > On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> > >
> > >
> > > On 6/12/19 2:30 PM, Renaud Allard wrote:
> > > >
> > > >
> > > > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > > > Hi,
> > > > >
> > > > > some feedback below.
> > > > >
> > > > > Renaud: maybe wait for feedback from florian or gilles until
> > > > > acting on my comments, sometimes sending diffs to fast creates more
> > > > > work ;)
> > > > >
> > > > > /Benno
> > > > >
> > > >
> > > > As suggested by benno@
> > > > removal of the global variable
> > > > removal of KEYTYPE which was not used and was a leftover of a former
> > > > patch
> > > > define ECDSA_KEY to be more readable
> > > >
> > >
> > > Any comment or OK on my latest patch?
> > >
> >
> > I'd prefer to use enums like the rest of the code.
> >
>
> Indeed, that seems even more explicit. I can't say an official OK, but
> that's OK to me :)
>
>
Bit more tweaking to the parse.y. This makes keytype reusable for the
account key.
Still looking for an official OK :)
I'll probably just put it in soon...
diff --git extern.h extern.h
index 17c6aa54f18..f6293a371ad 100644
--- extern.h
+++ extern.h
@@ -207,7 +207,8 @@ int revokeproc(int, const char *, const char *,
int, int, const char *const *, size_t);
int fileproc(int, const char *, const char *, const char *,
const char *);
-int keyproc(int, const char *, const char **, size_t);
+int keyproc(int, const char *, const char **, size_t,
+ enum keytype);
int netproc(int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
size_t);
@@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const
char *, const char *);
*/
int verbose;
-/*
- * Should we switch to ecdsa?
- */
-intecdsa;
-
/*
* What component is the process within (COMP__MAX for none)?
*/
diff --git keyproc.c keyproc.c
index 9c392a0f3f6..f9ce081457a 100644
--- keyproc.c
+++ keyproc.c
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char
*value)
* jail and, on success, ship it to "netsock" as an X509 request.
*/
int
-keyproc(int netsock, const char *keyfile,
-const char **alts, size_t altsz)
+keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+enum keytype keytype)
{
char*der64 = NULL, *der = NULL, *dercp;
char*sans = NULL, *san = NULL;
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
}
if (newkey) {
- if (ecdsa) {
+ switch (keytype) {
+ case KT_ECDSA:
if ((pkey = ec_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated ECDSA domain key", keyfile);
- } else {
+ break;
+ case KT_RSA:
if ((pkey = rsa_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated RSA domain key", keyfile);
+ break;
}
} else {
if ((pkey = key_load(f, keyfile)) == NULL)
diff --git main.c main.c
index ea8f7c5d348..d70a7048f47 100644
--- main.c
+++ main.c
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
int popts = 0;
pid_t pids[COMP__MAX];
extern intverbose;
- extern intecdsa;
extern enum comp proccomp;
size_ti, altsz, ne;
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
- if (domain->keytype == 1) {
- ecdsa = 1;
- }
-
acctkey = authority->account;
if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
close(file_fds[0]);
close(file_fds[1]);
c = keyproc(key_fds[0], domain->key,
- (const char **)alts, altsz);
+ (const char **)alts, altsz,
+ domain->keytype);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
diff --git parse.h parse.h
index 78405590568..7f2d3ca546c 100644
--- parse.h
+++ parse.h
@@ -27,6 +27,11 @@
* limit all paths to PATH_MAX
*/
+enum keytype {
+ KT_RSA = 0,
+ KT_ECDSA
+};
+
struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char*name;
@@ -36,9 +41,9 @@ struct authority_c {
struct domain_c {
TAILQ_ENTRY(domain_c)entry;
- TAILQ_HEAD(, altname_c) altname_list;
- int
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/14/19 1:58 PM, Florian Obser wrote: On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote: On 6/12/19 2:30 PM, Renaud Allard wrote: On 6/11/19 2:36 PM, Sebastian Benoit wrote: Hi, some feedback below. Renaud: maybe wait for feedback from florian or gilles until acting on my comments, sometimes sending diffs to fast creates more work ;) /Benno As suggested by benno@ removal of the global variable removal of KEYTYPE which was not used and was a leftover of a former patch define ECDSA_KEY to be more readable Any comment or OK on my latest patch? I'd prefer to use enums like the rest of the code. Indeed, that seems even more explicit. I can't say an official OK, but that's OK to me :) smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
>
>
> On 6/12/19 2:30 PM, Renaud Allard wrote:
> >
> >
> > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > Hi,
> > >
> > > some feedback below.
> > >
> > > Renaud: maybe wait for feedback from florian or gilles until
> > > acting on my comments, sometimes sending diffs to fast creates more
> > > work ;)
> > >
> > > /Benno
> > >
> >
> > As suggested by benno@
> > removal of the global variable
> > removal of KEYTYPE which was not used and was a leftover of a former patch
> > define ECDSA_KEY to be more readable
> >
>
> Any comment or OK on my latest patch?
>
I'd prefer to use enums like the rest of the code.
diff --git extern.h extern.h
index 17c6aa54f18..f6293a371ad 100644
--- extern.h
+++ extern.h
@@ -207,7 +207,8 @@ int revokeproc(int, const char *, const char *,
int, int, const char *const *, size_t);
int fileproc(int, const char *, const char *, const char *,
const char *);
-int keyproc(int, const char *, const char **, size_t);
+int keyproc(int, const char *, const char **, size_t,
+ enum keytype);
int netproc(int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
size_t);
@@ -275,11 +276,6 @@ char *json_fmt_signed(const char *, const
char *, const char *);
*/
int verbose;
-/*
- * Should we switch to ecdsa?
- */
-intecdsa;
-
/*
* What component is the process within (COMP__MAX for none)?
*/
diff --git keyproc.c keyproc.c
index 9c392a0f3f6..f9ce081457a 100644
--- keyproc.c
+++ keyproc.c
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char
*value)
* jail and, on success, ship it to "netsock" as an X509 request.
*/
int
-keyproc(int netsock, const char *keyfile,
-const char **alts, size_t altsz)
+keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+enum keytype keytype)
{
char*der64 = NULL, *der = NULL, *dercp;
char*sans = NULL, *san = NULL;
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
}
if (newkey) {
- if (ecdsa) {
+ switch (keytype) {
+ case KT_ECDSA:
if ((pkey = ec_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated ECDSA domain key", keyfile);
- } else {
+ break;
+ case KT_RSA:
if ((pkey = rsa_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated RSA domain key", keyfile);
+ break;
}
} else {
if ((pkey = key_load(f, keyfile)) == NULL)
diff --git main.c main.c
index ea8f7c5d348..d70a7048f47 100644
--- main.c
+++ main.c
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
int popts = 0;
pid_t pids[COMP__MAX];
extern intverbose;
- extern intecdsa;
extern enum comp proccomp;
size_ti, altsz, ne;
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
- if (domain->keytype == 1) {
- ecdsa = 1;
- }
-
acctkey = authority->account;
if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
close(file_fds[0]);
close(file_fds[1]);
c = keyproc(key_fds[0], domain->key,
- (const char **)alts, altsz);
+ (const char **)alts, altsz,
+ domain->keytype);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
diff --git parse.h parse.h
index 78405590568..7f2d3ca546c 100644
--- parse.h
+++ parse.h
@@ -27,6 +27,11 @@
* limit all paths to PATH_MAX
*/
+enum keytype {
+ KT_RSA = 0,
+ KT_ECDSA
+};
+
struct authority_c {
TAILQ_ENTRY(authority_c) entry;
char*name;
@@ -36,9 +41,9 @@ struct authority_c {
struct domain_c {
TAILQ_ENTRY(domain_c)entry;
- TAILQ_HEAD(, altname_c) altname_list;
- int altname_count;
- int keytype;
+ TAILQ_HEAD(, altname_c) altname_list;
+ int altname_count;
+ enum keytype keytype;
char*domain;
char*key;
char*cert;
diff --git parse.y parse.y
index 994492706bb..0b68a35fb73 100644
--- parse.y
+++ parse.y
@@ -100,7 +100,7 @@ typedef struct {
%}
%token AUTHORITY URL API ACCOUNT
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/12/19 2:30 PM, Renaud Allard wrote: On 6/11/19 2:36 PM, Sebastian Benoit wrote: Hi, some feedback below. Renaud: maybe wait for feedback from florian or gilles until acting on my comments, sometimes sending diffs to fast creates more work ;) /Benno As suggested by benno@ removal of the global variable removal of KEYTYPE which was not used and was a leftover of a former patch define ECDSA_KEY to be more readable Any comment or OK on my latest patch? smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/11/19 2:36 PM, Sebastian Benoit wrote:
Hi,
some feedback below.
Renaud: maybe wait for feedback from florian or gilles until
acting on my comments, sometimes sending diffs to fast creates more work ;)
/Benno
As suggested by benno@
removal of the global variable
removal of KEYTYPE which was not used and was a leftover of a former patch
define ECDSA_KEY to be more readable
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.13
diff -u -p -r1.13 extern.h
--- extern.h 12 Jun 2019 11:09:25 - 1.13
+++ extern.h 12 Jun 2019 12:27:03 -
@@ -207,7 +207,7 @@ int revokeproc(int, const char *, cons
int, int, const char *const *, size_t);
int fileproc(int, const char *, const char *, const char *,
const char *);
-int keyproc(int, const char *, const char **, size_t);
+int keyproc(int, const char *, const char **, size_t, int);
int netproc(int, int, int, int, int, int, int,
struct authority_c *, const char *const *,
size_t);
@@ -274,11 +274,6 @@ char *json_fmt_signed(const char *, con
* Should we print debugging messages?
*/
int verbose;
-
-/*
- * Should we switch to ecdsa?
- */
-int ecdsa;
/*
* What component is the process within (COMP__MAX for none)?
Index: keyproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/keyproc.c,v
retrieving revision 1.13
diff -u -p -r1.13 keyproc.c
--- keyproc.c 12 Jun 2019 11:09:25 - 1.13
+++ keyproc.c 12 Jun 2019 12:27:03 -
@@ -75,7 +75,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, in
*/
int
keyproc(int netsock, const char *keyfile,
-const char **alts, size_t altsz)
+const char **alts, size_t altsz,
+const int keytype)
{
char *der64 = NULL, *der = NULL, *dercp;
char *sans = NULL, *san = NULL;
@@ -117,7 +118,7 @@ keyproc(int netsock, const char *keyfile
}
if (newkey) {
- if (ecdsa) {
+ if (keytype == ECDSA_KEY) {
if ((pkey = ec_key_create(f, keyfile)) == NULL)
goto out;
dodbg("%s: generated ECDSA domain key", keyfile);
Index: main.c
===
RCS file: /cvs/src/usr.sbin/acme-client/main.c,v
retrieving revision 1.48
diff -u -p -r1.48 main.c
--- main.c 12 Jun 2019 11:09:25 - 1.48
+++ main.c 12 Jun 2019 12:27:04 -
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
int popts = 0;
pid_t pids[COMP__MAX];
extern int verbose;
- extern int ecdsa;
extern enum comp proccomp;
size_t i, altsz, ne;
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
errx(EXIT_FAILURE, "authority %s not found", auth);
}
- if (domain->keytype == 1) {
- ecdsa = 1;
- }
-
acctkey = authority->account;
if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
close(file_fds[0]);
close(file_fds[1]);
c = keyproc(key_fds[0], domain->key,
- (const char **)alts, altsz);
+ (const char **)alts, altsz,
+ domain->keytype);
exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
}
Index: parse.h
===
RCS file: /cvs/src/usr.sbin/acme-client/parse.h,v
retrieving revision 1.11
diff -u -p -r1.11 parse.h
--- parse.h 12 Jun 2019 11:09:25 - 1.11
+++ parse.h 12 Jun 2019 12:27:04 -
@@ -21,6 +21,7 @@
#define AUTH_MAXLEN 120 /* max length of an authority_c name */
#define DOMAIN_MAXLEN 255 /* max len of a domain name (rfc2181) */
+#define ECDSA_KEY 1
/*
* XXX other size limits needed?
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/acme-client/parse.y,v
retrieving revision 1.35
diff -u -p -r1.35 parse.y
--- parse.y 12 Jun 2019 11:09:25 - 1.35
+++ parse.y 12 Jun 2019 12:27:04 -
@@ -100,7 +100,7 @@ typedef struct {
%}
%token AUTHORITY URL API ACCOUNT
-%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR KEYTYPE
+%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR
%token YES NO
%token INCLUDE
%token ERROR
@@ -261,10 +261,9 @@ domain : DOMAIN STRING {
;
keytype : RSA {
- domain->keytype = 0;
}
| ECDSA {
- domain->keytype = 1;
+ domain->keytype = ECDSA_KEY;
}
| /* nothing */
;
smime.p7s
Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Wed, Jun 12, 2019 at 08:12:04AM +0200, Florian Obser wrote:
>
> I had a look yesterday and it looks mostly OK.
> Something came up and I won't be around the next days.
>
> Someone can put it and and we can tweak it in tree or we wait a few
> days.
>
okie dokie, will commit tonight when I get home unless someone
beats me to it :-)
> On Tue, Jun 11, 2019 at 01:37:24PM +0200, Renaud Allard wrote:
> >
> >
> > On 6/11/19 10:17 AM, Renaud Allard wrote:
> > >
> > > Hello,
> > >
> > > Here is a patch with ecdsa and rsa in %token after the domain key name
> > >
> > > OK? comments?
> >
> > I just made a small modification in the formatting of acme.conf man page,
> > putting keytype as an arg. And also a cleaner key.h
> >
> > OK?
>
> > Index: Makefile
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> > retrieving revision 1.8
> > diff -u -p -r1.8 Makefile
> > --- Makefile3 Jul 2017 22:21:47 - 1.8
> > +++ Makefile11 Jun 2019 11:35:24 -
> > @@ -2,7 +2,7 @@
> > PROG= acme-client
> > SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c
> > dnsproc.c
> > SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> > netproc.c
> > -SRCS+= parse.y revokeproc.c rsa.c util.c
> > +SRCS+= parse.y revokeproc.c key.c util.c
> >
> > MAN= acme-client.1 acme-client.conf.5
> >
> > Index: acctproc.c
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> > retrieving revision 1.14
> > diff -u -p -r1.14 acctproc.c
> > --- acctproc.c 8 Jun 2019 07:52:55 - 1.14
> > +++ acctproc.c 11 Jun 2019 11:35:24 -
> > @@ -29,7 +29,7 @@
> > #include
> >
> > #include "extern.h"
> > -#include "rsa.h"
> > +#include "key.h"
> >
> > /*
> > * Converts a BIGNUM to the form used in JWK.
> > @@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
> > goto out;
> > dodbg("%s: generated RSA account key", acctkey);
> > } else {
> > - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> > + if ((pkey = key_load(f, acctkey)) == NULL)
> > + goto out;
> > + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
> > goto out;
> > doddbg("%s: loaded RSA account key", acctkey);
> > }
> > Index: acme-client.conf.5
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 acme-client.conf.5
> > --- acme-client.conf.5 8 Jan 2019 06:46:29 - 1.17
> > +++ acme-client.conf.5 11 Jun 2019 11:35:24 -
> > @@ -109,8 +109,10 @@ Specify a list of alternative names for
> > The common name is included automatically if this option is present,
> > but there is no automatic conversion/inclusion between "www." and
> > plain domain name forms.
> > -.It Ic domain key Ar file
> > +.It Ic domain key Ar file Op Ar keytype
> > The private key file for which the certificate will be obtained.
> > +.Ar keytype
> > +can be rsa or ecdsa. Defaults to rsa.
> > .It Ic domain certificate Ar file
> > The filename of the certificate that will be issued.
> > This is optional if
> > Index: extern.h
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
> > retrieving revision 1.12
> > diff -u -p -r1.12 extern.h
> > --- extern.h8 Jun 2019 07:52:55 - 1.12
> > +++ extern.h11 Jun 2019 11:35:24 -
> > @@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
> > int verbose;
> >
> > /*
> > + * Should we switch to ecdsa?
> > + */
> > +intecdsa;
> > +
> > +/*
> > * What component is the process within (COMP__MAX for none)?
> > */
> > enum comp proccomp;
> > Index: key.c
> > ===
> > RCS file: key.c
> > diff -N key.c
> > --- /dev/null 1 Jan 1970 00:00:00 -
> > +++ key.c 11 Jun 2019 11:35:24 -
> > @@ -0,0 +1,149 @@
> > +/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
> > +/*
> > + * Copyright (c) 2019 Renaud Allard
> > + * Copyright (c) 2016 Kristaps Dzonsons
> > + *
> > + * Permission to use, copy, modify, and distribute this software for any
> > + * purpose with or without fee is hereby granted, provided that the above
> > + * copyright notice and this permission notice appear in all copies.
> > + *
> > + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
> > + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> > + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
> > + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES
Re: [patch] use acme-client to sign certificated with ecdsa keys
I had a look yesterday and it looks mostly OK.
Something came up and I won't be around the next days.
Someone can put it and and we can tweak it in tree or we wait a few
days.
On Tue, Jun 11, 2019 at 01:37:24PM +0200, Renaud Allard wrote:
>
>
> On 6/11/19 10:17 AM, Renaud Allard wrote:
> >
> > Hello,
> >
> > Here is a patch with ecdsa and rsa in %token after the domain key name
> >
> > OK? comments?
>
> I just made a small modification in the formatting of acme.conf man page,
> putting keytype as an arg. And also a cleaner key.h
>
> OK?
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 3 Jul 2017 22:21:47 - 1.8
> +++ Makefile 11 Jun 2019 11:35:24 -
> @@ -2,7 +2,7 @@
> PROG=acme-client
> SRCS=acctproc.c base64.c certproc.c chngproc.c dbg.c
> dnsproc.c
> SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> netproc.c
> -SRCS+= parse.y revokeproc.c rsa.c util.c
> +SRCS+= parse.y revokeproc.c key.c util.c
>
> MAN= acme-client.1 acme-client.conf.5
>
> Index: acctproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 acctproc.c
> --- acctproc.c8 Jun 2019 07:52:55 - 1.14
> +++ acctproc.c11 Jun 2019 11:35:24 -
> @@ -29,7 +29,7 @@
> #include
>
> #include "extern.h"
> -#include "rsa.h"
> +#include "key.h"
>
> /*
> * Converts a BIGNUM to the form used in JWK.
> @@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
> goto out;
> dodbg("%s: generated RSA account key", acctkey);
> } else {
> - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> + if ((pkey = key_load(f, acctkey)) == NULL)
> + goto out;
> + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
> goto out;
> doddbg("%s: loaded RSA account key", acctkey);
> }
> Index: acme-client.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> retrieving revision 1.17
> diff -u -p -r1.17 acme-client.conf.5
> --- acme-client.conf.58 Jan 2019 06:46:29 - 1.17
> +++ acme-client.conf.511 Jun 2019 11:35:24 -
> @@ -109,8 +109,10 @@ Specify a list of alternative names for
> The common name is included automatically if this option is present,
> but there is no automatic conversion/inclusion between "www." and
> plain domain name forms.
> -.It Ic domain key Ar file
> +.It Ic domain key Ar file Op Ar keytype
> The private key file for which the certificate will be obtained.
> +.Ar keytype
> +can be rsa or ecdsa. Defaults to rsa.
> .It Ic domain certificate Ar file
> The filename of the certificate that will be issued.
> This is optional if
> Index: extern.h
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
> retrieving revision 1.12
> diff -u -p -r1.12 extern.h
> --- extern.h 8 Jun 2019 07:52:55 - 1.12
> +++ extern.h 11 Jun 2019 11:35:24 -
> @@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
> int verbose;
>
> /*
> + * Should we switch to ecdsa?
> + */
> +int ecdsa;
> +
> +/*
> * What component is the process within (COMP__MAX for none)?
> */
> enum comp proccomp;
> Index: key.c
> ===
> RCS file: key.c
> diff -N key.c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ key.c 11 Jun 2019 11:35:24 -
> @@ -0,0 +1,149 @@
> +/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
> +/*
> + * Copyright (c) 2019 Renaud Allard
> + * Copyright (c) 2016 Kristaps Dzonsons
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
> + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +#include
> +#include
> +#include
> +
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +#include "key.h"
> +
>
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Tue, Jun 11, 2019 at 01:37:24PM +0200, Renaud Allard wrote:
>
>
> On 6/11/19 10:17 AM, Renaud Allard wrote:
> >
> > Hello,
> >
> > Here is a patch with ecdsa and rsa in %token after the domain key name
> >
> > OK? comments?
>
> I just made a small modification in the formatting of acme.conf man page,
> putting keytype as an arg. And also a cleaner key.h
>
> OK?
I don't have an openbsd at hands right now to test this version of
the diff but I tested an earlier version and you took into account
my comments so ... ok by me
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 3 Jul 2017 22:21:47 - 1.8
> +++ Makefile 11 Jun 2019 11:35:24 -
> @@ -2,7 +2,7 @@
> PROG=acme-client
> SRCS=acctproc.c base64.c certproc.c chngproc.c dbg.c
> dnsproc.c
> SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> netproc.c
> -SRCS+= parse.y revokeproc.c rsa.c util.c
> +SRCS+= parse.y revokeproc.c key.c util.c
>
> MAN= acme-client.1 acme-client.conf.5
>
> Index: acctproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 acctproc.c
> --- acctproc.c8 Jun 2019 07:52:55 - 1.14
> +++ acctproc.c11 Jun 2019 11:35:24 -
> @@ -29,7 +29,7 @@
> #include
>
> #include "extern.h"
> -#include "rsa.h"
> +#include "key.h"
>
> /*
> * Converts a BIGNUM to the form used in JWK.
> @@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
> goto out;
> dodbg("%s: generated RSA account key", acctkey);
> } else {
> - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> + if ((pkey = key_load(f, acctkey)) == NULL)
> + goto out;
> + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
> goto out;
> doddbg("%s: loaded RSA account key", acctkey);
> }
> Index: acme-client.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> retrieving revision 1.17
> diff -u -p -r1.17 acme-client.conf.5
> --- acme-client.conf.58 Jan 2019 06:46:29 - 1.17
> +++ acme-client.conf.511 Jun 2019 11:35:24 -
> @@ -109,8 +109,10 @@ Specify a list of alternative names for
> The common name is included automatically if this option is present,
> but there is no automatic conversion/inclusion between "www." and
> plain domain name forms.
> -.It Ic domain key Ar file
> +.It Ic domain key Ar file Op Ar keytype
> The private key file for which the certificate will be obtained.
> +.Ar keytype
> +can be rsa or ecdsa. Defaults to rsa.
> .It Ic domain certificate Ar file
> The filename of the certificate that will be issued.
> This is optional if
> Index: extern.h
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
> retrieving revision 1.12
> diff -u -p -r1.12 extern.h
> --- extern.h 8 Jun 2019 07:52:55 - 1.12
> +++ extern.h 11 Jun 2019 11:35:24 -
> @@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
> int verbose;
>
> /*
> + * Should we switch to ecdsa?
> + */
> +int ecdsa;
> +
> +/*
> * What component is the process within (COMP__MAX for none)?
> */
> enum comp proccomp;
> Index: key.c
> ===
> RCS file: key.c
> diff -N key.c
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ key.c 11 Jun 2019 11:35:24 -
> @@ -0,0 +1,149 @@
> +/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
> +/*
> + * Copyright (c) 2019 Renaud Allard
> + * Copyright (c) 2016 Kristaps Dzonsons
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
> + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +#include
> +#include
> +#include
> +
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +#include "key.h"
> +
> +/*
> + *
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/11/19 10:17 AM, Renaud Allard wrote:
Hello,
Here is a patch with ecdsa and rsa in %token after the domain key name
OK? comments?
I just made a small modification in the formatting of acme.conf man
page, putting keytype as an arg. And also a cleaner key.h
OK?
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 11 Jun 2019 11:35:24 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.14
diff -u -p -r1.14 acctproc.c
--- acctproc.c 8 Jun 2019 07:52:55 - 1.14
+++ acctproc.c 11 Jun 2019 11:35:24 -
@@ -29,7 +29,7 @@
#include
#include "extern.h"
-#include "rsa.h"
+#include "key.h"
/*
* Converts a BIGNUM to the form used in JWK.
@@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
+ goto out;
+ if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.conf.5
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.17
diff -u -p -r1.17 acme-client.conf.5
--- acme-client.conf.5 8 Jan 2019 06:46:29 - 1.17
+++ acme-client.conf.5 11 Jun 2019 11:35:24 -
@@ -109,8 +109,10 @@ Specify a list of alternative names for
The common name is included automatically if this option is present,
but there is no automatic conversion/inclusion between "www." and
plain domain name forms.
-.It Ic domain key Ar file
+.It Ic domain key Ar file Op Ar keytype
The private key file for which the certificate will be obtained.
+.Ar keytype
+can be rsa or ecdsa. Defaults to rsa.
.It Ic domain certificate Ar file
The filename of the certificate that will be issued.
This is optional if
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.12
diff -u -p -r1.12 extern.h
--- extern.h 8 Jun 2019 07:52:55 - 1.12
+++ extern.h 11 Jun 2019 11:35:24 -
@@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
int verbose;
/*
+ * Should we switch to ecdsa?
+ */
+int ecdsa;
+
+/*
* What component is the process within (COMP__MAX for none)?
*/
enum comp proccomp;
Index: key.c
===
RCS file: key.c
diff -N key.c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ key.c 11 Jun 2019 11:35:24 -
@@ -0,0 +1,149 @@
+/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ * Copyright (c) 2016 Kristaps Dzonsons
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "key.h"
+
+/*
+ * Default number of bits when creating a new RSA key.
+ */
+#define KBITS 4096
+#define ECCTYPE NID_secp384r1
+
+/*
+ * Create an RSA key with the default KBITS number of bits.
+ */
+EVP_PKEY *
+rsa_key_create(FILE *f, const char *fname)
+{
+ EVP_PKEY_CTX *ctx = NULL;
+ EVP_PKEY *pkey = NULL;
+
+ /* First, create the context and the key. */
+
+ if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) {
+ warnx("EVP_PKEY_CTX_new_id");
+ goto err;
+ } else if (EVP_PKEY_keygen_init(ctx) <= 0) {
+ warnx("EVP_PKEY_keygen_init");
+ goto err;
+ } else if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KBITS) <= 0) {
+ warnx("EVP_PKEY_set_rsa_keygen_bits");
+ goto err;
+ } else if (EVP_PKEY_keygen(ctx, ) <= 0) {
+ warnx("EVP_PKEY_keygen");
+ goto err;
+ }
+
+ /* Serialise the key to the disc. */
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/7/19 2:38 PM, Renaud Allard wrote:
On 6/7/19 2:28 PM, Florian Obser wrote:
On Fri, Jun 07, 2019 at 10:40:36AM +0200, Renaud Allard wrote:
On 6/6/19 10:46 AM, Renaud Allard wrote:
On 6/6/19 10:10 AM, Florian Obser wrote:
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
OK, let's wait till your v2 is done. People have the patch already if
they want to try out ecdsa in the meantime.
Here is the patch after the v2 change.
I also changed ecdsa to int instead of bool as requested.
you forgot to include ecdsa.h this time around, but I found it in one
of the earlier diffs.
It is a bit silly though, just skip it, rename rsa.h to key.h and add
your ecdsa.h content there.
Hello,
Here is a patch with ecdsa and rsa in %token after the domain key name
OK? comments?
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 11 Jun 2019 08:15:13 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.14
diff -u -p -r1.14 acctproc.c
--- acctproc.c 8 Jun 2019 07:52:55 - 1.14
+++ acctproc.c 11 Jun 2019 08:15:13 -
@@ -29,7 +29,7 @@
#include
#include "extern.h"
-#include "rsa.h"
+#include "key.h"
/*
* Converts a BIGNUM to the form used in JWK.
@@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
+ goto out;
+ if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.conf.5
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.17
diff -u -p -r1.17 acme-client.conf.5
--- acme-client.conf.5 8 Jan 2019 06:46:29 - 1.17
+++ acme-client.conf.5 11 Jun 2019 08:15:13 -
@@ -109,8 +109,9 @@ Specify a list of alternative names for
The common name is included automatically if this option is present,
but there is no automatic conversion/inclusion between "www." and
plain domain name forms.
-.It Ic domain key Ar file
+.It Ic domain key Ar file Op Ar keytype
The private key file for which the certificate will be obtained.
+keytype can be rsa or ecdsa. Defaults to rsa.
.It Ic domain certificate Ar file
The filename of the certificate that will be issued.
This is optional if
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.12
diff -u -p -r1.12 extern.h
--- extern.h 8 Jun 2019 07:52:55 - 1.12
+++ extern.h 11 Jun 2019 08:15:13 -
@@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
int verbose;
/*
+ * Should we switch to ecdsa?
+ */
+int ecdsa;
+
+/*
* What component is the process within (COMP__MAX for none)?
*/
enum comp proccomp;
Index: key.c
===
RCS file: key.c
diff -N key.c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ key.c 11 Jun 2019 08:15:14 -
@@ -0,0 +1,149 @@
+/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ * Copyright (c) 2016 Kristaps Dzonsons
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "key.h"
+
+/*
+ * Default number of bits when creating a new RSA key.
+ */
+#define
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/7/19 2:28 PM, Florian Obser wrote:
On Fri, Jun 07, 2019 at 10:40:36AM +0200, Renaud Allard wrote:
On 6/6/19 10:46 AM, Renaud Allard wrote:
On 6/6/19 10:10 AM, Florian Obser wrote:
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
OK, let's wait till your v2 is done. People have the patch already if
they want to try out ecdsa in the meantime.
Here is the patch after the v2 change.
I also changed ecdsa to int instead of bool as requested.
you forgot to include ecdsa.h this time around, but I found it in one
of the earlier diffs.
It is a bit silly though, just skip it, rename rsa.h to key.h and add
your ecdsa.h content there.
Here is a patch without the flag.
I know you told me not to strncmp the keytype, but I don't see how to
produce an understandable error if I use tokens and without making
repetitions in the code.
? acctproc.d
? acme-client
? base64.d
? certproc.d
? chngproc.d
? dbg.d
? dnsproc.d
? fileproc.d
? http.d
? jsmn.d
? json.d
? key.d
? keyproc.d
? main.d
? netproc.d
? parse.c
? parse.d
? revokeproc.d
? util.d
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 11 Jun 2019 06:58:25 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.14
diff -u -p -r1.14 acctproc.c
--- acctproc.c 8 Jun 2019 07:52:55 - 1.14
+++ acctproc.c 11 Jun 2019 06:58:25 -
@@ -29,7 +29,7 @@
#include
#include "extern.h"
-#include "rsa.h"
+#include "key.h"
/*
* Converts a BIGNUM to the form used in JWK.
@@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
+ goto out;
+ if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.conf.5
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
retrieving revision 1.17
diff -u -p -r1.17 acme-client.conf.5
--- acme-client.conf.5 8 Jan 2019 06:46:29 - 1.17
+++ acme-client.conf.5 11 Jun 2019 06:58:26 -
@@ -111,6 +111,8 @@ but there is no automatic conversion/inc
plain domain name forms.
.It Ic domain key Ar file
The private key file for which the certificate will be obtained.
+.It Ic domain keytype Ar type
+The type of key used for the domain. Can be RSA or ECDSA.
.It Ic domain certificate Ar file
The filename of the certificate that will be issued.
This is optional if
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.12
diff -u -p -r1.12 extern.h
--- extern.h 8 Jun 2019 07:52:55 - 1.12
+++ extern.h 11 Jun 2019 06:58:26 -
@@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con
int verbose;
/*
+ * Should we switch to ecdsa?
+ */
+int ecdsa;
+
+/*
* What component is the process within (COMP__MAX for none)?
*/
enum comp proccomp;
Index: key.c
===
RCS file: key.c
diff -N key.c
--- /dev/null 1 Jan 1970 00:00:00 -
+++ key.c 11 Jun 2019 06:58:26 -
@@ -0,0 +1,149 @@
+/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ * Copyright (c) 2016 Kristaps Dzonsons
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+#include
+#include
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/7/19 2:28 PM, Florian Obser wrote:
On Fri, Jun 07, 2019 at 10:40:36AM +0200, Renaud Allard wrote:
On 6/6/19 10:46 AM, Renaud Allard wrote:
On 6/6/19 10:10 AM, Florian Obser wrote:
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
OK, let's wait till your v2 is done. People have the patch already if
they want to try out ecdsa in the meantime.
Here is the patch after the v2 change.
I also changed ecdsa to int instead of bool as requested.
you forgot to include ecdsa.h this time around, but I found it in one
of the earlier diffs.
It is a bit silly though, just skip it, rename rsa.h to key.h and add
your ecdsa.h content there.
True, it makes no sense to put 2 header files for just that.
Here it is with key.h
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 7 Jun 2019 12:37:15 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.13
diff -u -p -r1.13 acctproc.c
--- acctproc.c 7 Jun 2019 08:07:52 - 1.13
+++ acctproc.c 7 Jun 2019 12:37:15 -
@@ -29,7 +29,7 @@
#include
#include "extern.h"
-#include "rsa.h"
+#include "key.h"
/*
* Converts a BIGNUM to the form used in JWK.
@@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
- warnx("json_fmt_thumb_rsa");
+ else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
+ warnx("json_fmt_thumb_key");
free(exp);
free(mod);
@@ -173,8 +173,8 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey,
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce, url)) == NULL)
- warnx("json_fmt_protected_rsa");
+ else if ((*prot = json_fmt_protected_key(exp, mod, nonce, url)) == NULL)
+ warnx("json_fmt_protected_key");
else
rc = 1;
@@ -349,7 +349,7 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.30
diff -u -p -r1.30 acme-client.1
--- acme-client.1 7 Jun 2019 08:07:52 - 1.30
+++ acme-client.1 7 Jun 2019 12:37:15 -
@@ -22,7 +22,7 @@
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
-.Op Fl ADFnrv
+.Op Fl ADEFnrv
.Op Fl f Ar configfile
.Ar domain
.Sh DESCRIPTION
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new domain key if one does not already exist. Defaults to RSA.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.11
diff -u -p -r1.11 extern.h
--- extern.h 7 Jun 2019 08:07:52 - 1.11
+++ extern.h 7 Jun 2019 12:37:16 -
@@ -263,18 +263,23 @@ char *json_fmt_newcert(const char *);
char *json_fmt_chkacc(void);
char *json_fmt_newacc(void);
char *json_fmt_neworder(const char *const *, size_t);
-char *json_fmt_protected_rsa(const char *,
+char *json_fmt_protected_key(const char *,
const char *, const char *, const char *);
char *json_fmt_protected_kid(const char *, const char *,
const char *);
char *json_fmt_revokecert(const char *);
-char *json_fmt_thumb_rsa(const char *, const char *);
+char *json_fmt_thumb_key(const char *, const char *);
char *json_fmt_signed(const char *, const char *, const char *);
/*
* Should we print debugging messages?
*/
int verbose;
+
+/*
+ * Should we switch to ecdsa?
+ */
+int ecdsa;
/*
* What component is the process within (COMP__MAX for none)?
Index: json.c
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Fri, Jun 07, 2019 at 10:40:36AM +0200, Renaud Allard wrote:
>
>
> On 6/6/19 10:46 AM, Renaud Allard wrote:
> >
> >
> > On 6/6/19 10:10 AM, Florian Obser wrote:
> >
> > > I currently don't have time to review this. I'm busy switching
> > > acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
> > > this conflicts too badly with my work, but I'd appreciate it if we
> > > could hold this off for a bit and rebase it ontop of the v2 work.
> >
> > OK, let's wait till your v2 is done. People have the patch already if
> > they want to try out ecdsa in the meantime.
> >
>
> Here is the patch after the v2 change.
> I also changed ecdsa to int instead of bool as requested.
>
you forgot to include ecdsa.h this time around, but I found it in one
of the earlier diffs.
It is a bit silly though, just skip it, rename rsa.h to key.h and add
your ecdsa.h content there.
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 3 Jul 2017 22:21:47 - 1.8
> +++ Makefile 7 Jun 2019 08:37:56 -
> @@ -2,7 +2,7 @@
> PROG=acme-client
> SRCS=acctproc.c base64.c certproc.c chngproc.c dbg.c
> dnsproc.c
> SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> netproc.c
> -SRCS+= parse.y revokeproc.c rsa.c util.c
> +SRCS+= parse.y revokeproc.c key.c util.c
>
> MAN= acme-client.1 acme-client.conf.5
>
> Index: acctproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.13
> diff -u -p -r1.13 acctproc.c
> --- acctproc.c7 Jun 2019 08:07:52 - 1.13
> +++ acctproc.c7 Jun 2019 08:37:56 -
> @@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
> - warnx("json_fmt_thumb_rsa");
> + else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
> + warnx("json_fmt_thumb_key");
keep the _rsa name, this is the account key, not the domain key.
>
> free(exp);
> free(mod);
> @@ -173,8 +173,8 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey,
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce, url)) == NULL)
> - warnx("json_fmt_protected_rsa");
> + else if ((*prot = json_fmt_protected_key(exp, mod, nonce, url)) == NULL)
> + warnx("json_fmt_protected_key");
keep the _rsa name, this is the account key, not the domain key.
> else
> rc = 1;
>
> @@ -349,7 +349,7 @@ acctproc(int netsock, const char *acctke
> goto out;
> dodbg("%s: generated RSA account key", acctkey);
> } else {
> - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> + if ((pkey = key_load(f, acctkey)) == NULL)
we need a check here that this is an RSA key for now since we don't
support ECDSA account keys yet
> goto out;
> doddbg("%s: loaded RSA account key", acctkey);
> }
> Index: acme-client.1
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
> retrieving revision 1.30
> diff -u -p -r1.30 acme-client.1
> --- acme-client.1 7 Jun 2019 08:07:52 - 1.30
> +++ acme-client.1 7 Jun 2019 08:37:56 -
> @@ -22,7 +22,7 @@
> .Nd ACME client
> .Sh SYNOPSIS
> .Nm acme-client
> -.Op Fl ADFnrv
> +.Op Fl ADEFnrv
> .Op Fl f Ar configfile
> .Ar domain
> .Sh DESCRIPTION
> @@ -79,7 +79,9 @@ The options are as follows:
> .It Fl A
> Create a new RSA account key if one does not already exist.
> .It Fl D
> -Create a new RSA domain key if one does not already exist.
> +Create a new domain key if one does not already exist. Defaults to RSA.
> +.It Fl E
> +Switch the new domain key algorithm to ECDSA instead of RSA.
could you try to tackle moving this to the config file instead of a flag?
> .It Fl F
> Force certificate renewal, even if it's too soon.
> .It Fl f Ar configfile
> Index: extern.h
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
> retrieving revision 1.11
> diff -u -p -r1.11 extern.h
> --- extern.h 7 Jun 2019 08:07:52 - 1.11
> +++ extern.h 7 Jun 2019 08:37:57 -
> @@ -263,18 +263,23 @@ char*json_fmt_newcert(const char *);
> char *json_fmt_chkacc(void);
> char *json_fmt_newacc(void);
> char *json_fmt_neworder(const char *const *, size_t);
> -char
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/7/19 10:40 AM, Renaud Allard wrote:
On 6/6/19 10:46 AM, Renaud Allard wrote:
On 6/6/19 10:10 AM, Florian Obser wrote:
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
OK, let's wait till your v2 is done. People have the patch already if
they want to try out ecdsa in the meantime.
Here is the patch after the v2 change.
I also changed ecdsa to int instead of bool as requested.
Sorry, former patch was missing ecdsa.h
This one is correct
Comments? OK?
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 7 Jun 2019 12:06:03 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.13
diff -u -p -r1.13 acctproc.c
--- acctproc.c 7 Jun 2019 08:07:52 - 1.13
+++ acctproc.c 7 Jun 2019 12:06:03 -
@@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
- warnx("json_fmt_thumb_rsa");
+ else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
+ warnx("json_fmt_thumb_key");
free(exp);
free(mod);
@@ -173,8 +173,8 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey,
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce, url)) == NULL)
- warnx("json_fmt_protected_rsa");
+ else if ((*prot = json_fmt_protected_key(exp, mod, nonce, url)) == NULL)
+ warnx("json_fmt_protected_key");
else
rc = 1;
@@ -349,7 +349,7 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.30
diff -u -p -r1.30 acme-client.1
--- acme-client.1 7 Jun 2019 08:07:52 - 1.30
+++ acme-client.1 7 Jun 2019 12:06:03 -
@@ -22,7 +22,7 @@
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
-.Op Fl ADFnrv
+.Op Fl ADEFnrv
.Op Fl f Ar configfile
.Ar domain
.Sh DESCRIPTION
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new domain key if one does not already exist. Defaults to RSA.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: ecdsa.h
===
RCS file: ecdsa.h
diff -N ecdsa.h
--- /dev/null 1 Jan 1970 00:00:00 -
+++ ecdsa.h 7 Jun 2019 12:06:03 -
@@ -0,0 +1,22 @@
+/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef ECDSA_H
+#define ECDSA_H
+
+EVP_PKEY *ec_key_create(FILE *, const char *);
+
+#endif /* ! ECDSA_H */
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.11
diff -u -p -r1.11 extern.h
--- extern.h 7 Jun 2019 08:07:52 - 1.11
+++ extern.h 7 Jun 2019 12:06:03 -
@@ -263,18 +263,23 @@ char *json_fmt_newcert(const char *);
char *json_fmt_chkacc(void);
char
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/6/19 10:46 AM, Renaud Allard wrote:
On 6/6/19 10:10 AM, Florian Obser wrote:
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
OK, let's wait till your v2 is done. People have the patch already if
they want to try out ecdsa in the meantime.
Here is the patch after the v2 change.
I also changed ecdsa to int instead of bool as requested.
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 7 Jun 2019 08:37:56 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.13
diff -u -p -r1.13 acctproc.c
--- acctproc.c 7 Jun 2019 08:07:52 - 1.13
+++ acctproc.c 7 Jun 2019 08:37:56 -
@@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
- warnx("json_fmt_thumb_rsa");
+ else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
+ warnx("json_fmt_thumb_key");
free(exp);
free(mod);
@@ -173,8 +173,8 @@ op_sign_rsa(char **prot, EVP_PKEY *pkey,
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce, url)) == NULL)
- warnx("json_fmt_protected_rsa");
+ else if ((*prot = json_fmt_protected_key(exp, mod, nonce, url)) == NULL)
+ warnx("json_fmt_protected_key");
else
rc = 1;
@@ -349,7 +349,7 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.30
diff -u -p -r1.30 acme-client.1
--- acme-client.1 7 Jun 2019 08:07:52 - 1.30
+++ acme-client.1 7 Jun 2019 08:37:56 -
@@ -22,7 +22,7 @@
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
-.Op Fl ADFnrv
+.Op Fl ADEFnrv
.Op Fl f Ar configfile
.Ar domain
.Sh DESCRIPTION
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new domain key if one does not already exist. Defaults to RSA.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.11
diff -u -p -r1.11 extern.h
--- extern.h 7 Jun 2019 08:07:52 - 1.11
+++ extern.h 7 Jun 2019 08:37:57 -
@@ -263,18 +263,23 @@ char *json_fmt_newcert(const char *);
char *json_fmt_chkacc(void);
char *json_fmt_newacc(void);
char *json_fmt_neworder(const char *const *, size_t);
-char *json_fmt_protected_rsa(const char *,
+char *json_fmt_protected_key(const char *,
const char *, const char *, const char *);
char *json_fmt_protected_kid(const char *, const char *,
const char *);
char *json_fmt_revokecert(const char *);
-char *json_fmt_thumb_rsa(const char *, const char *);
+char *json_fmt_thumb_key(const char *, const char *);
char *json_fmt_signed(const char *, const char *, const char *);
/*
* Should we print debugging messages?
*/
int verbose;
+
+/*
+ * Should we switch to ecdsa?
+ */
+int ecdsa;
/*
* What component is the process within (COMP__MAX for none)?
Index: json.c
===
RCS file: /cvs/src/usr.sbin/acme-client/json.c,v
retrieving revision 1.12
diff -u -p -r1.12 json.c
--- json.c 7 Jun 2019 08:07:52 - 1.12
+++ json.c 7 Jun 2019 08:37:57 -
@@ -708,7 +708,7 @@ json_fmt_newcert(const char *cert)
* Protected component of json_fmt_signed().
*/
char *
-json_fmt_protected_rsa(const char *exp, const char *mod, const char *nce,
+json_fmt_protected_key(const char *exp, const char *mod, const char *nce,
const char *url)
{
int c;
@@ -781,7 +781,7 @@
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/6/19 10:10 AM, Florian Obser wrote: On Wed, Jun 05, 2019 at 05:37:51PM +0200, Gilles Chehade wrote: On Wed, Jun 05, 2019 at 08:39:51AM +0200, Renaud Allard wrote: On 6/5/19 8:20 AM, Gilles Chehade wrote: On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote: On 6/3/19 11:53 AM, Renaud Allard wrote: On 5/29/19 9:58 AM, Florian Obser wrote: why not let acme-client generate the key? Here is a more complete diff where you can use the -E switch to generate a ECDSA key instead of the RSA one. I refined a little bit the patch to not put ecdsa functions into rsa.c. So I renamed rsa.c to key.c and removed the rsa references to functions which apply to both rsa and ecdsa. reads, builds and works fine for me a couple comments inlined I removed the parenthesis and used another wording, removed the RSA from a "Load RSA key" as it might not be RSA and added E to the SYNOPSYS. ok gilles@ We don't do bool in base as far as I know, just use an int. No problem, that's a trivial change. I currently don't have time to review this. I'm busy switching acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like this conflicts too badly with my work, but I'd appreciate it if we could hold this off for a bit and rebase it ontop of the v2 work. OK, let's wait till your v2 is done. People have the patch already if they want to try out ecdsa in the meantime. I'd also like to get rid of most of the flags and it feels like RSA vs. ECDSA should be handled in the config file? I think the flags A,D,v and E could indeed belong to the config file. smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Wed, Jun 05, 2019 at 05:37:51PM +0200, Gilles Chehade wrote:
> On Wed, Jun 05, 2019 at 08:39:51AM +0200, Renaud Allard wrote:
> >
> >
> > On 6/5/19 8:20 AM, Gilles Chehade wrote:
> > > On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote:
> > > >
> > > >
> > > > On 6/3/19 11:53 AM, Renaud Allard wrote:
> > > > > > >
> > > > > > > On 5/29/19 9:58 AM, Florian Obser wrote:
> > > > > > > > why not let acme-client generate the key?
> > > > > > >
> > > > > >
> > > > > > Here is a more complete diff where you can use the -E switch to
> > > > > > generate a ECDSA key instead of the RSA one.
> > > >
> > > > I refined a little bit the patch to not put ecdsa functions into rsa.c.
> > > > So I
> > > > renamed rsa.c to key.c and removed the rsa references to functions which
> > > > apply to both rsa and ecdsa.
> > > >
> > >
> > > reads, builds and works fine for me
> > >
> > > a couple comments inlined
> > >
> >
> > I removed the parenthesis and used another wording, removed the RSA from a
> > "Load RSA key" as it might not be RSA and added E to the SYNOPSYS.
> >
>
> ok gilles@
We don't do bool in base as far as I know, just use an int.
I currently don't have time to review this. I'm busy switching
acme-client to the rfc 8555 / letsencrypt v2 api. Doesn't look like
this conflicts too badly with my work, but I'd appreciate it if we
could hold this off for a bit and rebase it ontop of the v2 work.
I'd also like to get rid of most of the flags and it feels like RSA
vs. ECDSA should be handled in the config file?
>
> > Index: Makefile
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> > retrieving revision 1.8
> > diff -u -p -r1.8 Makefile
> > --- Makefile3 Jul 2017 22:21:47 - 1.8
> > +++ Makefile5 Jun 2019 06:37:00 -
> > @@ -2,7 +2,7 @@
> > PROG= acme-client
> > SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c
> > dnsproc.c
> > SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> > netproc.c
> > -SRCS+= parse.y revokeproc.c rsa.c util.c
> > +SRCS+= parse.y revokeproc.c key.c util.c
> >
> > MAN= acme-client.1 acme-client.conf.5
> >
> > Index: acctproc.c
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> > retrieving revision 1.12
> > diff -u -p -r1.12 acctproc.c
> > --- acctproc.c 28 Jul 2018 15:25:23 - 1.12
> > +++ acctproc.c 5 Jun 2019 06:37:00 -
> > @@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
> > warnx("bn2string");
> > else if ((exp = bn2string(r->e)) == NULL)
> > warnx("bn2string");
> > - else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
> > - warnx("json_fmt_thumb_rsa");
> > + else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
> > + warnx("json_fmt_thumb_key");
> >
> > free(exp);
> > free(mod);
> > @@ -175,10 +175,10 @@ op_sign_rsa(char **head, char **prot, EV
> > warnx("bn2string");
> > else if ((exp = bn2string(r->e)) == NULL)
> > warnx("bn2string");
> > - else if ((*head = json_fmt_header_rsa(exp, mod)) == NULL)
> > - warnx("json_fmt_header_rsa");
> > - else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce)) == NULL)
> > - warnx("json_fmt_protected_rsa");
> > + else if ((*head = json_fmt_header_key(exp, mod)) == NULL)
> > + warnx("json_fmt_header_key");
> > + else if ((*prot = json_fmt_protected_key(exp, mod, nonce)) == NULL)
> > + warnx("json_fmt_protected_key");
> > else
> > rc = 1;
> >
> > @@ -338,7 +338,7 @@ acctproc(int netsock, const char *acctke
> > goto out;
> > dodbg("%s: generated RSA account key", acctkey);
> > } else {
> > - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> > + if ((pkey = key_load(f, acctkey)) == NULL)
> > goto out;
> > doddbg("%s: loaded RSA account key", acctkey);
> > }
> > Index: acme-client.1
> > ===
> > RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
> > retrieving revision 1.29
> > diff -u -p -r1.29 acme-client.1
> > --- acme-client.1 3 Feb 2019 20:39:35 - 1.29
> > +++ acme-client.1 5 Jun 2019 06:37:00 -
> > @@ -22,7 +22,7 @@
> > .Nd ACME client
> > .Sh SYNOPSIS
> > .Nm acme-client
> > -.Op Fl ADFnrv
> > +.Op Fl ADEFnrv
> > .Op Fl f Ar configfile
> > .Ar domain
> > .Sh DESCRIPTION
> > @@ -79,7 +79,9 @@ The options are as follows:
> > .It Fl A
> > Create a new RSA account key if one does not already exist.
> > .It Fl D
> > -Create a new RSA domain key if one does not already exist.
> > +Create a new domain key if one does not already exist. Defaults to RSA.
> > +.It Fl E
> > +Switch the
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Wed, Jun 05, 2019 at 08:39:51AM +0200, Renaud Allard wrote:
>
>
> On 6/5/19 8:20 AM, Gilles Chehade wrote:
> > On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote:
> > >
> > >
> > > On 6/3/19 11:53 AM, Renaud Allard wrote:
> > > > > >
> > > > > > On 5/29/19 9:58 AM, Florian Obser wrote:
> > > > > > > why not let acme-client generate the key?
> > > > > >
> > > > >
> > > > > Here is a more complete diff where you can use the -E switch to
> > > > > generate a ECDSA key instead of the RSA one.
> > >
> > > I refined a little bit the patch to not put ecdsa functions into rsa.c.
> > > So I
> > > renamed rsa.c to key.c and removed the rsa references to functions which
> > > apply to both rsa and ecdsa.
> > >
> >
> > reads, builds and works fine for me
> >
> > a couple comments inlined
> >
>
> I removed the parenthesis and used another wording, removed the RSA from a
> "Load RSA key" as it might not be RSA and added E to the SYNOPSYS.
>
ok gilles@
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 3 Jul 2017 22:21:47 - 1.8
> +++ Makefile 5 Jun 2019 06:37:00 -
> @@ -2,7 +2,7 @@
> PROG=acme-client
> SRCS=acctproc.c base64.c certproc.c chngproc.c dbg.c
> dnsproc.c
> SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> netproc.c
> -SRCS+= parse.y revokeproc.c rsa.c util.c
> +SRCS+= parse.y revokeproc.c key.c util.c
>
> MAN= acme-client.1 acme-client.conf.5
>
> Index: acctproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.12
> diff -u -p -r1.12 acctproc.c
> --- acctproc.c28 Jul 2018 15:25:23 - 1.12
> +++ acctproc.c5 Jun 2019 06:37:00 -
> @@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
> - warnx("json_fmt_thumb_rsa");
> + else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
> + warnx("json_fmt_thumb_key");
>
> free(exp);
> free(mod);
> @@ -175,10 +175,10 @@ op_sign_rsa(char **head, char **prot, EV
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((*head = json_fmt_header_rsa(exp, mod)) == NULL)
> - warnx("json_fmt_header_rsa");
> - else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce)) == NULL)
> - warnx("json_fmt_protected_rsa");
> + else if ((*head = json_fmt_header_key(exp, mod)) == NULL)
> + warnx("json_fmt_header_key");
> + else if ((*prot = json_fmt_protected_key(exp, mod, nonce)) == NULL)
> + warnx("json_fmt_protected_key");
> else
> rc = 1;
>
> @@ -338,7 +338,7 @@ acctproc(int netsock, const char *acctke
> goto out;
> dodbg("%s: generated RSA account key", acctkey);
> } else {
> - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> + if ((pkey = key_load(f, acctkey)) == NULL)
> goto out;
> doddbg("%s: loaded RSA account key", acctkey);
> }
> Index: acme-client.1
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
> retrieving revision 1.29
> diff -u -p -r1.29 acme-client.1
> --- acme-client.1 3 Feb 2019 20:39:35 - 1.29
> +++ acme-client.1 5 Jun 2019 06:37:00 -
> @@ -22,7 +22,7 @@
> .Nd ACME client
> .Sh SYNOPSIS
> .Nm acme-client
> -.Op Fl ADFnrv
> +.Op Fl ADEFnrv
> .Op Fl f Ar configfile
> .Ar domain
> .Sh DESCRIPTION
> @@ -79,7 +79,9 @@ The options are as follows:
> .It Fl A
> Create a new RSA account key if one does not already exist.
> .It Fl D
> -Create a new RSA domain key if one does not already exist.
> +Create a new domain key if one does not already exist. Defaults to RSA.
> +.It Fl E
> +Switch the new domain key algorithm to ECDSA instead of RSA.
> .It Fl F
> Force certificate renewal, even if it's too soon.
> .It Fl f Ar configfile
> Index: ecdsa.h
> ===
> RCS file: ecdsa.h
> diff -N ecdsa.h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ ecdsa.h 5 Jun 2019 06:37:00 -
> @@ -0,0 +1,22 @@
> +/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
> +/*
> + * Copyright (c) 2019 Renaud Allard
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/5/19 8:39 AM, Renaud Allard wrote: On 6/5/19 8:20 AM, Gilles Chehade wrote: On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote: On 6/3/19 11:53 AM, Renaud Allard wrote: On 5/29/19 9:58 AM, Florian Obser wrote: why not let acme-client generate the key? Here is a more complete diff where you can use the -E switch to generate a ECDSA key instead of the RSA one. I refined a little bit the patch to not put ecdsa functions into rsa.c. So I renamed rsa.c to key.c and removed the rsa references to functions which apply to both rsa and ecdsa. reads, builds and works fine for me a couple comments inlined I removed the parenthesis and used another wording, removed the RSA from a "Load RSA key" as it might not be RSA and added E to the SYNOPSYS. For completion, just in case you are wondering why I choose secp384r1 instead of secp521r1. It is because letsencrypt doesn't allow 521 bits keys. They return "Invalid key in certificate request :: ECDSA curve P-521 not allowed" smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/5/19 8:20 AM, Gilles Chehade wrote:
On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote:
On 6/3/19 11:53 AM, Renaud Allard wrote:
On 5/29/19 9:58 AM, Florian Obser wrote:
why not let acme-client generate the key?
Here is a more complete diff where you can use the -E switch to
generate a ECDSA key instead of the RSA one.
I refined a little bit the patch to not put ecdsa functions into rsa.c. So I
renamed rsa.c to key.c and removed the rsa references to functions which
apply to both rsa and ecdsa.
reads, builds and works fine for me
a couple comments inlined
I removed the parenthesis and used another wording, removed the RSA from
a "Load RSA key" as it might not be RSA and added E to the SYNOPSYS.
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 5 Jun 2019 06:37:00 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.12
diff -u -p -r1.12 acctproc.c
--- acctproc.c 28 Jul 2018 15:25:23 - 1.12
+++ acctproc.c 5 Jun 2019 06:37:00 -
@@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
- warnx("json_fmt_thumb_rsa");
+ else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
+ warnx("json_fmt_thumb_key");
free(exp);
free(mod);
@@ -175,10 +175,10 @@ op_sign_rsa(char **head, char **prot, EV
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((*head = json_fmt_header_rsa(exp, mod)) == NULL)
- warnx("json_fmt_header_rsa");
- else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce)) == NULL)
- warnx("json_fmt_protected_rsa");
+ else if ((*head = json_fmt_header_key(exp, mod)) == NULL)
+ warnx("json_fmt_header_key");
+ else if ((*prot = json_fmt_protected_key(exp, mod, nonce)) == NULL)
+ warnx("json_fmt_protected_key");
else
rc = 1;
@@ -338,7 +338,7 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.29
diff -u -p -r1.29 acme-client.1
--- acme-client.1 3 Feb 2019 20:39:35 - 1.29
+++ acme-client.1 5 Jun 2019 06:37:00 -
@@ -22,7 +22,7 @@
.Nd ACME client
.Sh SYNOPSIS
.Nm acme-client
-.Op Fl ADFnrv
+.Op Fl ADEFnrv
.Op Fl f Ar configfile
.Ar domain
.Sh DESCRIPTION
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new domain key if one does not already exist. Defaults to RSA.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: ecdsa.h
===
RCS file: ecdsa.h
diff -N ecdsa.h
--- /dev/null 1 Jan 1970 00:00:00 -
+++ ecdsa.h 5 Jun 2019 06:37:00 -
@@ -0,0 +1,22 @@
+/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef ECDSA_H
+#define ECDSA_H
+
+EVP_PKEY *ec_key_create(FILE *, const char *);
+
+#endif /* ! ECDSA_H */
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Tue, Jun 04, 2019 at 03:54:11PM +0200, Renaud Allard wrote:
>
>
> On 6/3/19 11:53 AM, Renaud Allard wrote:
> > > >
> > > > On 5/29/19 9:58 AM, Florian Obser wrote:
> > > > > On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote:
> > > > > > The key needs to be generated manually
> > > > > > i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem
> > > > >
> > > > > why not let acme-client generate the key?
> > > >
> > >
> > > Here is a more complete diff where you can use the -E switch to
> > > generate a ECDSA key instead of the RSA one.
>
> I refined a little bit the patch to not put ecdsa functions into rsa.c. So I
> renamed rsa.c to key.c and removed the rsa references to functions which
> apply to both rsa and ecdsa.
>
reads, builds and works fine for me
a couple comments inlined
> Index: Makefile
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
> retrieving revision 1.8
> diff -u -p -r1.8 Makefile
> --- Makefile 3 Jul 2017 22:21:47 - 1.8
> +++ Makefile 4 Jun 2019 13:50:28 -
> @@ -2,7 +2,7 @@
> PROG=acme-client
> SRCS=acctproc.c base64.c certproc.c chngproc.c dbg.c
> dnsproc.c
> SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c
> netproc.c
> -SRCS+= parse.y revokeproc.c rsa.c util.c
> +SRCS+= parse.y revokeproc.c key.c util.c
>
> MAN= acme-client.1 acme-client.conf.5
>
> Index: acctproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
> retrieving revision 1.12
> diff -u -p -r1.12 acctproc.c
> --- acctproc.c28 Jul 2018 15:25:23 - 1.12
> +++ acctproc.c4 Jun 2019 13:50:28 -
> @@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
> - warnx("json_fmt_thumb_rsa");
> + else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
> + warnx("json_fmt_thumb_key");
>
> free(exp);
> free(mod);
> @@ -175,10 +175,10 @@ op_sign_rsa(char **head, char **prot, EV
> warnx("bn2string");
> else if ((exp = bn2string(r->e)) == NULL)
> warnx("bn2string");
> - else if ((*head = json_fmt_header_rsa(exp, mod)) == NULL)
> - warnx("json_fmt_header_rsa");
> - else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce)) == NULL)
> - warnx("json_fmt_protected_rsa");
> + else if ((*head = json_fmt_header_key(exp, mod)) == NULL)
> + warnx("json_fmt_header_key");
> + else if ((*prot = json_fmt_protected_key(exp, mod, nonce)) == NULL)
> + warnx("json_fmt_protected_key");
> else
> rc = 1;
>
> @@ -338,7 +338,7 @@ acctproc(int netsock, const char *acctke
> goto out;
> dodbg("%s: generated RSA account key", acctkey);
> } else {
> - if ((pkey = rsa_key_load(f, acctkey)) == NULL)
> + if ((pkey = key_load(f, acctkey)) == NULL)
> goto out;
> doddbg("%s: loaded RSA account key", acctkey);
> }
> Index: acme-client.1
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
> retrieving revision 1.29
> diff -u -p -r1.29 acme-client.1
> --- acme-client.1 3 Feb 2019 20:39:35 - 1.29
> +++ acme-client.1 4 Jun 2019 13:50:28 -
> @@ -79,7 +79,9 @@ The options are as follows:
> .It Fl A
> Create a new RSA account key if one does not already exist.
> .It Fl D
> -Create a new RSA domain key if one does not already exist.
> +Create a new (RSA) domain key if one does not already exist.
why is RSA in parenthesis here ?
> +.It Fl E
> +Switch the new domain key algorithm to ECDSA instead of RSA.
the E option should be added to the SYNOPSIS too
> .It Fl F
> Force certificate renewal, even if it's too soon.
> .It Fl f Ar configfile
> Index: ecdsa.h
> ===
> RCS file: ecdsa.h
> diff -N ecdsa.h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ ecdsa.h 4 Jun 2019 13:50:28 -
> @@ -0,0 +1,22 @@
> +/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
> +/*
> + * Copyright (c) 2019 Renaud Allard
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/3/19 11:53 AM, Renaud Allard wrote:
On 5/29/19 9:58 AM, Florian Obser wrote:
On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote:
The key needs to be generated manually
i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem
why not let acme-client generate the key?
Here is a more complete diff where you can use the -E switch to
generate a ECDSA key instead of the RSA one.
I refined a little bit the patch to not put ecdsa functions into rsa.c.
So I renamed rsa.c to key.c and removed the rsa references to functions
which apply to both rsa and ecdsa.
Index: Makefile
===
RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v
retrieving revision 1.8
diff -u -p -r1.8 Makefile
--- Makefile 3 Jul 2017 22:21:47 - 1.8
+++ Makefile 4 Jun 2019 13:50:28 -
@@ -2,7 +2,7 @@
PROG= acme-client
SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c dnsproc.c
SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c netproc.c
-SRCS+= parse.y revokeproc.c rsa.c util.c
+SRCS+= parse.y revokeproc.c key.c util.c
MAN= acme-client.1 acme-client.conf.5
Index: acctproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v
retrieving revision 1.12
diff -u -p -r1.12 acctproc.c
--- acctproc.c 28 Jul 2018 15:25:23 - 1.12
+++ acctproc.c 4 Jun 2019 13:50:28 -
@@ -82,8 +82,8 @@ op_thumb_rsa(EVP_PKEY *pkey)
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((json = json_fmt_thumb_rsa(exp, mod)) == NULL)
- warnx("json_fmt_thumb_rsa");
+ else if ((json = json_fmt_thumb_key(exp, mod)) == NULL)
+ warnx("json_fmt_thumb_key");
free(exp);
free(mod);
@@ -175,10 +175,10 @@ op_sign_rsa(char **head, char **prot, EV
warnx("bn2string");
else if ((exp = bn2string(r->e)) == NULL)
warnx("bn2string");
- else if ((*head = json_fmt_header_rsa(exp, mod)) == NULL)
- warnx("json_fmt_header_rsa");
- else if ((*prot = json_fmt_protected_rsa(exp, mod, nonce)) == NULL)
- warnx("json_fmt_protected_rsa");
+ else if ((*head = json_fmt_header_key(exp, mod)) == NULL)
+ warnx("json_fmt_header_key");
+ else if ((*prot = json_fmt_protected_key(exp, mod, nonce)) == NULL)
+ warnx("json_fmt_protected_key");
else
rc = 1;
@@ -338,7 +338,7 @@ acctproc(int netsock, const char *acctke
goto out;
dodbg("%s: generated RSA account key", acctkey);
} else {
- if ((pkey = rsa_key_load(f, acctkey)) == NULL)
+ if ((pkey = key_load(f, acctkey)) == NULL)
goto out;
doddbg("%s: loaded RSA account key", acctkey);
}
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.29
diff -u -p -r1.29 acme-client.1
--- acme-client.1 3 Feb 2019 20:39:35 - 1.29
+++ acme-client.1 4 Jun 2019 13:50:28 -
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new (RSA) domain key if one does not already exist.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: ecdsa.h
===
RCS file: ecdsa.h
diff -N ecdsa.h
--- /dev/null 1 Jan 1970 00:00:00 -
+++ ecdsa.h 4 Jun 2019 13:50:28 -
@@ -0,0 +1,22 @@
+/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef ECDSA_H
+#define ECDSA_H
+
+EVP_PKEY *ec_key_create(FILE *, const char *);
+
+#endif /* ! ECDSA_H */
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.10
diff -u -p -r1.10 extern.h
--- extern.h 31 Jan 2019 15:55:48 - 1.10
+++ extern.h 4 Jun 2019 13:50:28 -
@@ -18,6 +18,7 @@
#define EXTERN_H
#include "parse.h"
+#include "stdbool.h"
#define MAX_SERVERS_DNS 8
@@ -240,11 +241,11 @@ char *json_fmt_challenge(const char *,
char
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 6/3/19 11:18 AM, Renaud Allard wrote: On 5/29/19 10:19 AM, Renaud Allard wrote: On 5/29/19 9:58 AM, Florian Obser wrote: On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote: The key needs to be generated manually i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem why not let acme-client generate the key? Here is a more complete diff where you can use the -D switch to generate a ECDSA key instead of the RSA one. I obviously meant -E switch :) smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 5/29/19 10:19 AM, Renaud Allard wrote:
On 5/29/19 9:58 AM, Florian Obser wrote:
On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote:
The key needs to be generated manually
i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem
why not let acme-client generate the key?
Here is a more complete diff where you can use the -D switch to generate
a ECDSA key instead of the RSA one.
Index: acme-client.1
===
RCS file: /cvs/src/usr.sbin/acme-client/acme-client.1,v
retrieving revision 1.29
diff -u -p -r1.29 acme-client.1
--- acme-client.1 3 Feb 2019 20:39:35 - 1.29
+++ acme-client.1 3 Jun 2019 09:13:54 -
@@ -79,7 +79,9 @@ The options are as follows:
.It Fl A
Create a new RSA account key if one does not already exist.
.It Fl D
-Create a new RSA domain key if one does not already exist.
+Create a new (RSA) domain key if one does not already exist.
+.It Fl E
+Switch the new domain key algorithm to ECDSA instead of RSA.
.It Fl F
Force certificate renewal, even if it's too soon.
.It Fl f Ar configfile
Index: ecdsa.h
===
RCS file: ecdsa.h
diff -N ecdsa.h
--- /dev/null 1 Jan 1970 00:00:00 -
+++ ecdsa.h 3 Jun 2019 09:13:54 -
@@ -0,0 +1,22 @@
+/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */
+/*
+ * Copyright (c) 2019 Renaud Allard
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef ECDSA_H
+#define ECDSA_H
+
+EVP_PKEY *ec_key_create(FILE *, const char *);
+
+#endif /* ! ECDSA_H */
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
retrieving revision 1.10
diff -u -p -r1.10 extern.h
--- extern.h 31 Jan 2019 15:55:48 - 1.10
+++ extern.h 3 Jun 2019 09:13:54 -
@@ -18,6 +18,7 @@
#define EXTERN_H
#include "parse.h"
+#include "stdbool.h"
#define MAX_SERVERS_DNS 8
@@ -252,6 +253,11 @@ char *json_fmt_signed(const char *,
* Should we print debugging messages?
*/
int verbose;
+
+/*
+ * Should we switch to ecdsa?
+ */
+bool ecdsa;
/*
* What component is the process within (COMP__MAX for none)?
Index: keyproc.c
===
RCS file: /cvs/src/usr.sbin/acme-client/keyproc.c,v
retrieving revision 1.11
diff -u -p -r1.11 keyproc.c
--- keyproc.c 29 Jul 2018 20:22:02 - 1.11
+++ keyproc.c 3 Jun 2019 09:13:55 -
@@ -31,6 +31,7 @@
#include "extern.h"
#include "rsa.h"
+#include "ecdsa.h"
/*
* This was lifted more or less directly from demos/x509/mkreq.c of the
@@ -114,9 +115,15 @@ keyproc(int netsock, const char *keyfile
}
if (newkey) {
- if ((pkey = rsa_key_create(f, keyfile)) == NULL)
- goto out;
- dodbg("%s: generated RSA domain key", keyfile);
+ if (ecdsa) {
+ if ((pkey = ec_key_create(f, keyfile)) == NULL)
+goto out;
+ dodbg("%s: generated ECDSA domain key", keyfile);
+ } else {
+ if ((pkey = rsa_key_create(f, keyfile)) == NULL)
+goto out;
+ dodbg("%s: generated RSA domain key", keyfile);
+ }
} else {
if ((pkey = rsa_key_load(f, keyfile)) == NULL)
goto out;
Index: main.c
===
RCS file: /cvs/src/usr.sbin/acme-client/main.c,v
retrieving revision 1.45
diff -u -p -r1.45 main.c
--- main.c 9 Mar 2019 18:07:40 - 1.45
+++ main.c 3 Jun 2019 09:13:55 -
@@ -49,6 +49,7 @@ main(int argc, char *argv[])
int popts = 0;
pid_t pids[COMP__MAX];
extern int verbose;
+ extern bool ecdsa;
extern enum comp proccomp;
size_t i, altsz, ne;
@@ -57,7 +58,7 @@ main(int argc, char *argv[])
struct domain_c *domain = NULL;
struct altname_c *ac;
- while ((c = getopt(argc, argv, "ADFnrvf:")) != -1)
+ while ((c = getopt(argc, argv, "ADEFnrvf:")) != -1)
switch (c) {
case 'A':
popts |= ACME_OPT_NEWACCT;
@@ -65,6 +66,10 @@ main(int argc, char *argv[])
case 'D':
popts |= ACME_OPT_NEWDKEY;
break;
+ case 'E':
+ ecdsa = true;
+ popts |= ACME_OPT_DKEYEC;
+ break;
case 'F':
force = 1;
break;
@@ -180,6 +185,10 @@ main(int argc, char *argv[])
!= -1) {
dodbg("%s: domain key exists (not creating)", domain->key);
popts &=
Re: [patch] use acme-client to sign certificated with ecdsa keys
On 5/29/19 9:58 AM, Florian Obser wrote: On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote: Hello, First, sorry for double posting to misc@. This is a short patch to let acme-client accept ECDSA keys now that letsencrypt accepts signing certificates with those keys. This functionality is present in certbot, so it might be a good idea to let acme-client accept that too. thanks The key needs to be generated manually i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem why not let acme-client generate the key? I prefer to first enable testing for everyone to be able to spot the eventual problems with those certs. For example, opensmtpd and relayd still don't support ecdsa certs because they to don't have a privsep engine for that yet, so you certainly don't want ecdsa to be the default at the moment. But, yes, I plan to make a patch to enable generating ecdsa keys. It will mainly be useful when Letsencrypt will allow signing with ecdsa too. smime.p7s Description: S/MIME Cryptographic Signature
Re: [patch] use acme-client to sign certificated with ecdsa keys
On Wed, May 22, 2019 at 01:33:11PM +0200, Renaud Allard wrote: > Hello, > > First, sorry for double posting to misc@. > > This is a short patch to let acme-client accept ECDSA keys now that > letsencrypt accepts signing certificates with those keys. This functionality > is present in certbot, so it might be a good idea to let acme-client accept > that too. thanks > The key needs to be generated manually > i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem why not let acme-client generate the key? > > Best Regards > -- I'm not entirely sure you are real.
[patch] use acme-client to sign certificated with ecdsa keys
Hello,
First, sorry for double posting to misc@.
This is a short patch to let acme-client accept ECDSA keys now that
letsencrypt accepts signing certificates with those keys. This
functionality is present in certbot, so it might be a good idea to let
acme-client accept that too.
The key needs to be generated manually
i.e.: openssl ecparam -genkey -name secp384r1 -out privkey.pem
Best Regards
Index: rsa.c
===
RCS file: /cvs/src/usr.sbin/acme-client/rsa.c,v
retrieving revision 1.7
diff -u -p -r1.7 rsa.c
--- rsa.c 28 Jul 2018 15:25:23 - 1.7
+++ rsa.c 22 May 2019 11:17:47 -
@@ -79,7 +79,8 @@ rsa_key_load(FILE *f, const char *fname)
if (pkey == NULL) {
warnx("%s: PEM_read_PrivateKey", fname);
return NULL;
- } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA)
+ } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA ||
+ EVP_PKEY_type(pkey->type) == EVP_PKEY_EC )
return pkey;
warnx("%s: unsupported key type", fname);
smime.p7s
Description: S/MIME Cryptographic Signature
