Re: [patch] use acme-client to sign certificated with ecdsa keys

Fri, 14 Jun 2019 04:59:28 -0700 

On Fri, Jun 14, 2019 at 09:50:35AM +0200, Renaud Allard wrote:
> 
> 
> On 6/12/19 2:30 PM, Renaud Allard wrote:
> > 
> > 
> > On 6/11/19 2:36 PM, Sebastian Benoit wrote:
> > > Hi,
> > > 
> > > some feedback below.
> > > 
> > > Renaud: maybe wait for feedback from florian or gilles until
> > > acting on my comments, sometimes sending diffs to fast creates more
> > > work ;)
> > > 
> > > /Benno
> > > 
> > 
> > As suggested by benno@
> > removal of the global variable
> > removal of KEYTYPE which was not used and was a leftover of a former patch
> > define ECDSA_KEY to be more readable
> > 
> 
> Any comment or OK on my latest patch?
> 

I'd prefer to use enums like the rest of the code.


diff --git extern.h extern.h
index 17c6aa54f18..f6293a371ad 100644
--- extern.h
+++ extern.h
@@ -207,7 +207,8 @@ int          revokeproc(int, const char *, const char *,
                        int, int, const char *const *, size_t);
 int             fileproc(int, const char *, const char *, const char *,
                        const char *);
-int             keyproc(int, const char *, const char **, size_t);
+int             keyproc(int, const char *, const char **, size_t,
+                       enum keytype);
 int             netproc(int, int, int, int, int, int, int,
                        struct authority_c *, const char *const *,
                        size_t);
@@ -275,11 +276,6 @@ char               *json_fmt_signed(const char *, const 
char *, const char *);
  */
 int             verbose;
 
-/*
- * Should we switch to ecdsa?
- */
-int            ecdsa;
-
 /*
  * What component is the process within (COMP__MAX for none)?
  */
diff --git keyproc.c keyproc.c
index 9c392a0f3f6..f9ce081457a 100644
--- keyproc.c
+++ keyproc.c
@@ -74,8 +74,8 @@ add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, const char 
*value)
  * jail and, on success, ship it to "netsock" as an X509 request.
  */
 int
-keyproc(int netsock, const char *keyfile,
-    const char **alts, size_t altsz)
+keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
+    enum keytype keytype)
 {
        char            *der64 = NULL, *der = NULL, *dercp;
        char            *sans = NULL, *san = NULL;
@@ -117,14 +117,17 @@ keyproc(int netsock, const char *keyfile,
        }
 
        if (newkey) {
-               if (ecdsa) {
+               switch (keytype) {
+               case KT_ECDSA:
                        if ((pkey = ec_key_create(f, keyfile)) == NULL)
                                goto out;
                        dodbg("%s: generated ECDSA domain key", keyfile);
-               } else {
+                       break;
+               case KT_RSA:
                        if ((pkey = rsa_key_create(f, keyfile)) == NULL)
                                goto out;
                        dodbg("%s: generated RSA domain key", keyfile);
+                       break;
                }
        } else {
                if ((pkey = key_load(f, keyfile)) == NULL)
diff --git main.c main.c
index ea8f7c5d348..d70a7048f47 100644
--- main.c
+++ main.c
@@ -49,7 +49,6 @@ main(int argc, char *argv[])
        int               popts = 0;
        pid_t             pids[COMP__MAX];
        extern int        verbose;
-       extern int        ecdsa;
        extern enum comp  proccomp;
        size_t            i, altsz, ne;
 
@@ -148,10 +147,6 @@ main(int argc, char *argv[])
                        errx(EXIT_FAILURE, "authority %s not found", auth);
        }
 
-       if (domain->keytype == 1) {
-               ecdsa = 1;
-       }
-
        acctkey = authority->account;
 
        if ((chngdir = domain->challengedir) == NULL)
@@ -258,7 +253,8 @@ main(int argc, char *argv[])
                close(file_fds[0]);
                close(file_fds[1]);
                c = keyproc(key_fds[0], domain->key,
-                   (const char **)alts, altsz);
+                   (const char **)alts, altsz,
+                   domain->keytype);
                exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
        }
 
diff --git parse.h parse.h
index 78405590568..7f2d3ca546c 100644
--- parse.h
+++ parse.h
@@ -27,6 +27,11 @@
  * limit all paths to PATH_MAX
  */
 
+enum keytype {
+       KT_RSA = 0,
+       KT_ECDSA
+};
+
 struct authority_c {
        TAILQ_ENTRY(authority_c)         entry;
        char                    *name;
@@ -36,9 +41,9 @@ struct authority_c {
 
 struct domain_c {
        TAILQ_ENTRY(domain_c)    entry;
-       TAILQ_HEAD(, altname_c) altname_list;
-       int                     altname_count;
-       int                     keytype;
+       TAILQ_HEAD(, altname_c)  altname_list;
+       int                      altname_count;
+       enum keytype             keytype;
        char                    *domain;
        char                    *key;
        char                    *cert;
diff --git parse.y parse.y
index 994492706bb..0b68a35fb73 100644
--- parse.y
+++ parse.y
@@ -100,7 +100,7 @@ typedef struct {
 %}
 
 %token AUTHORITY URL API ACCOUNT
-%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR 
KEYTYPE
+%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH CHALLENGEDIR
 %token YES NO
 %token INCLUDE
 %token ERROR
@@ -260,13 +260,15 @@ domain            : DOMAIN STRING {
                }
                ;
 
-keytype                : RSA { 
-                       domain->keytype = 0;
+keytype                : RSA {
+                       domain->keytype = KT_RSA;
                }
                | ECDSA {
-                       domain->keytype = 1;
+                       domain->keytype = KT_ECDSA;
+               }
+               | { /* nothing */
+                       domain->keytype = KT_RSA;
                }
-               | /* nothing */
                ;
 
 domainopts_l   : domainopts_l domainoptsl nl


-- 
I'm not entirely sure you are real.

Reply via email to