On Wed, Jun 12, 2019 at 08:12:04AM +0200, Florian Obser wrote: > > I had a look yesterday and it looks mostly OK. > Something came up and I won't be around the next days. > > Someone can put it in and we can tweak it in tree or we wait a few > days. >
okie dokie, will commit tonight when I get home unless someone beats me to it :-) > On Tue, Jun 11, 2019 at 01:37:24PM +0200, Renaud Allard wrote: > > > > > > On 6/11/19 10:17 AM, Renaud Allard wrote: > > > > > > Hello, > > > > > > Here is a patch with ecdsa and rsa in %token after the domain key name > > > > > > OK? comments? > > > > I just made a small modification in the formatting of acme.conf man page, > > putting keytype as an arg. And also a cleaner key.h > > > > OK? > > > Index: Makefile > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/Makefile,v > > retrieving revision 1.8 > > diff -u -p -r1.8 Makefile > > --- Makefile 3 Jul 2017 22:21:47 -0000 1.8 > > +++ Makefile 11 Jun 2019 11:35:24 -0000 > > @@ -2,7 +2,7 @@ > > PROG= acme-client > > SRCS= acctproc.c base64.c certproc.c chngproc.c dbg.c > > dnsproc.c > > SRCS+= fileproc.c http.c jsmn.c json.c keyproc.c main.c > > netproc.c > > -SRCS+= parse.y revokeproc.c rsa.c util.c > > +SRCS+= parse.y revokeproc.c key.c util.c > > > > MAN= acme-client.1 acme-client.conf.5 > > > > Index: acctproc.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/acctproc.c,v > > retrieving revision 1.14 > > diff -u -p -r1.14 acctproc.c > > --- acctproc.c 8 Jun 2019 07:52:55 -0000 1.14 > > +++ acctproc.c 11 Jun 2019 11:35:24 -0000 > > @@ -29,7 +29,7 @@ > > #include <openssl/err.h> > > > > #include "extern.h" > > -#include "rsa.h" > > +#include "key.h" > > > > /* > > * Converts a BIGNUM to the form used in JWK. 
> > @@ -352,7 +352,9 @@ acctproc(int netsock, const char *acctke > > goto out; > > dodbg("%s: generated RSA account key", acctkey); > > } else { > > - if ((pkey = rsa_key_load(f, acctkey)) == NULL) > > + if ((pkey = key_load(f, acctkey)) == NULL) > > + goto out; > > + if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA) > > goto out; > > doddbg("%s: loaded RSA account key", acctkey); > > } > > Index: acme-client.conf.5 > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v > > retrieving revision 1.17 > > diff -u -p -r1.17 acme-client.conf.5 > > --- acme-client.conf.5 8 Jan 2019 06:46:29 -0000 1.17 > > +++ acme-client.conf.5 11 Jun 2019 11:35:24 -0000 > > @@ -109,8 +109,10 @@ Specify a list of alternative names for > > The common name is included automatically if this option is present, > > but there is no automatic conversion/inclusion between "www." and > > plain domain name forms. > > -.It Ic domain key Ar file > > +.It Ic domain key Ar file Op Ar keytype > > The private key file for which the certificate will be obtained. > > +.Ar keytype > > +can be rsa or ecdsa. Defaults to rsa. > > .It Ic domain certificate Ar file > > The filename of the certificate that will be issued. > > This is optional if > > Index: extern.h > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v > > retrieving revision 1.12 > > diff -u -p -r1.12 extern.h > > --- extern.h 8 Jun 2019 07:52:55 -0000 1.12 > > +++ extern.h 11 Jun 2019 11:35:24 -0000 > > @@ -276,6 +276,11 @@ char *json_fmt_signed(const char *, con > > int verbose; > > > > /* > > + * Should we switch to ecdsa? > > + */ > > +int ecdsa; > > + > > +/* > > * What component is the process within (COMP__MAX for none)? > > */ > > enum comp proccomp; > > Index: key.c > > =================================================================== > > RCS file: key.c > > diff -N key.c 
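Review bot: The new `if (EVP_PKEY_type(pkey->type) != EVP_PKEY_RSA) goto out;` in acctproc bails out without any diagnostic, and key_load (key.c hunk) now accepts EC keys, so an ECDSA account key passes the load and then fails silently here; add `warnx("%s: account key is not an RSA key", acctkey);` before that `goto out`. Whether the `out:` label frees the already loaded `pkey` on this path is outside the hunk and should be checked, since the original path only reached `out` with `pkey == NULL`. `pkey->type` reaches into the EVP_PKEY structure; `EVP_PKEY_base_id(pkey)` returns the same value through the public accessor and is also used by key_load in the key.c hunk. acctproc's body starts and ends outside this hunk.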
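Review bot: The comment on the new `ecdsa` flag in extern.h, `Should we switch to ecdsa?`, does not say what the flag controls or who sets it; from the keyproc.c and main.c hunks it selects the algorithm for a newly generated domain key and is set from `domain->keytype` in main(). Suggest `/* Generate an ECDSA rather than an RSA domain key (set in main() from the domain's keytype). */`. Like `verbose` just above it, this is a tentative definition in a header rather than an `extern` declaration; it follows the file's existing pattern, so only worth changing if both are.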
> > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > +++ key.c 11 Jun 2019 11:35:24 -0000 
> > @@ -0,0 +1,149 @@ > > +/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */ > > +/* > > + * Copyright (c) 2019 Renaud Allard <ren...@allard.it> > > + * Copyright (c) 2016 Kristaps Dzonsons <krist...@bsd.lv> > > + * > > + * Permission to use, copy, modify, and distribute this software for any > > + * purpose with or without fee is hereby granted, provided that the above > > + * copyright notice and this permission notice appear in all copies. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES > > + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > > + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR > > + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > > + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > > + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > > + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > > + */ > > + > > +#include <err.h> > > +#include <stdlib.h> > > +#include <unistd.h> > > + > > +#include <openssl/evp.h> > > +#include <openssl/pem.h> > > +#include <openssl/rsa.h> > > +#include <openssl/ecdsa.h> > > +#include <openssl/ec.h> > > +#include <openssl/obj_mac.h> > > + > > +#include "key.h" > > + > > +/* > > + * Default number of bits when creating a new RSA key. > > + */ > > +#define KBITS 4096 > > +#define ECCTYPE NID_secp384r1 > > + > > +/* > > + * Create an RSA key with the default KBITS number of bits. > > + */ > > +EVP_PKEY * > > +rsa_key_create(FILE *f, const char *fname) > > +{ > > + EVP_PKEY_CTX *ctx = NULL; > > + EVP_PKEY *pkey = NULL; > > + > > + /* First, create the context and the key. 
*/ > > + > > + if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) { > > + warnx("EVP_PKEY_CTX_new_id"); > > + goto err; > > + } else if (EVP_PKEY_keygen_init(ctx) <= 0) { > > + warnx("EVP_PKEY_keygen_init"); > > + goto err; > > + } else if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KBITS) <= 0) { > > + warnx("EVP_PKEY_set_rsa_keygen_bits"); > > + goto err; > > + } else if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { > > + warnx("EVP_PKEY_keygen"); > > + goto err; > > + } > > + > > + /* Serialise the key to the disc. */ > > + > > + if (PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) > > + goto out; > > + > > + warnx("%s: PEM_write_PrivateKey", fname); > > + > > +err: > > + EVP_PKEY_free(pkey); > > + pkey = NULL; > > +out: > > + EVP_PKEY_CTX_free(ctx); > > + return pkey; > > +} > > + > > +EVP_PKEY * > > +ec_key_create(FILE *f, const char *fname) > > +{ > > + EC_KEY *eckey = NULL; > > + EVP_PKEY *pkey = NULL; > > + > > + if ((eckey = EC_KEY_new()) == NULL ) { > > + warnx("EC_KEY_new"); > > + goto err; > > + } else if ((eckey = EC_KEY_new_by_curve_name(ECCTYPE)) == NULL ) { > > + warnx("EC_GROUP_new_by_curve_name"); > > + goto err; > > + } > > + > > + if (!EC_KEY_generate_key(eckey)) { > > + warnx("EC_KEY_generate_key"); > > + goto err; > > + } > > + > > + /* set OPENSSL_EC_NAMED_CURVE to be able to load the key */ > > + > > + EC_KEY_set_asn1_flag(eckey, OPENSSL_EC_NAMED_CURVE); > > + > > + /* Serialise the key to the disc in EC format */ > > + > > + if (!PEM_write_ECPrivateKey(f, eckey, NULL, NULL, 0, NULL, NULL)) { > > + warnx("PEM_write_ECPrivateKey"); > > + goto err; > > + } > > + > > + /* Convert the EC key into a PKEY structure */ > > + > > + if ((pkey=EVP_PKEY_new()) == NULL) { > > + warnx("EVP_PKEY_new"); > > + goto err; > > + } > > + if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) { > > + warnx("EVP_PKEY_assign_EC_KEY"); > > + goto err; > > + } > > + > > + warnx("%s: PEM_write_ECPrivateKey", fname); > > + > > + goto out; > > + > > +err: > > + 
EC_KEY_free(eckey); > > + EVP_PKEY_free(pkey); > > + pkey = NULL; > > +out: > > + return pkey; > > +} > > + > > + > > + > > +EVP_PKEY * > > +key_load(FILE *f, const char *fname) > > +{ > > + EVP_PKEY *pkey; > > + > > + pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL); > > + if (pkey == NULL) { > > + warnx("%s: PEM_read_PrivateKey", fname); > > + return NULL; > > + } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA || > > + EVP_PKEY_type(pkey->type) == EVP_PKEY_EC ) > > + return pkey; > > + > > + warnx("%s: unsupported key type", fname); > > + EVP_PKEY_free(pkey); > > + return NULL; > > +} > > Index: key.h > > =================================================================== > > RCS file: key.h > > diff -N key.h > > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > +++ key.h 11 Jun 2019 11:35:24 -0000 
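Review bot: ec_key_create leaks the EC_KEY returned by `EC_KEY_new()` by immediately overwriting `eckey` with `EC_KEY_new_by_curve_name(ECCTYPE)`, never releases its own reference to `eckey` on the success path even though `EVP_PKEY_set1_EC_KEY` takes a reference of its own, and prints `warnx("%s: PEM_write_ECPrivateKey", fname)` after a successful conversion, whereas rsa_key_create in the same file only reaches its warnx on failure; the two diagnostics also name calls that are not made (`EC_GROUP_new_by_curve_name`, `EVP_PKEY_assign_EC_KEY`). The rewrite below drops the first allocation, moves `EC_KEY_free(eckey)` to the shared `out:` label and removes the stray warning. Elsewhere in this hunk, key_load's `EVP_PKEY_type(pkey->type)` reaches into the EVP_PKEY structure where `EVP_PKEY_base_id(pkey)` is the public accessor for the same value. The `$Id: rsa.c` tag at the top of this new file, and the `$Id: rsa.h` tag in the new key.h, look copied from the deleted files and should become the tree's own `$OpenBSD$` tag.
```c
EVP_PKEY *
ec_key_create(FILE *f, const char *fname)
{
	EC_KEY *eckey = NULL;
	EVP_PKEY *pkey = NULL;

	/* One allocation only: the named-curve constructor already returns a key. */
	if ((eckey = EC_KEY_new_by_curve_name(ECCTYPE)) == NULL) {
		warnx("EC_KEY_new_by_curve_name");
		goto err;
	}
	if (!EC_KEY_generate_key(eckey)) {
		warnx("EC_KEY_generate_key");
		goto err;
	}

	/* … unchanged: EC_KEY_set_asn1_flag, PEM_write_ECPrivateKey … */

	if ((pkey = EVP_PKEY_new()) == NULL) {
		warnx("EVP_PKEY_new");
		goto err;
	}
	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
		warnx("EVP_PKEY_set1_EC_KEY");
		goto err;
	}
	goto out;	/* success: no diagnostic, matches rsa_key_create */

err:
	EVP_PKEY_free(pkey);
	pkey = NULL;
out:
	EC_KEY_free(eckey);	/* set1 holds its own reference; drop ours */
	return pkey;
}
```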
> > @@ -0,0 +1,25 @@ > > +/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */ > > +/* > > + * Copyright (c) 2019 Renaud Allard <ren...@allard.it> > > + * Copyright (c) 2016 Kristaps Dzonsons <krist...@bsd.lv> > > + * > > + * Permission to use, copy, modify, and distribute this software for any > > + * purpose with or without fee is hereby granted, provided that the above > > + * copyright notice and this permission notice appear in all copies. > > + * > > + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES > > + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > > + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR > > + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > > + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > > + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > > + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > > + */ > > +#ifndef KEY_H > > +#define KEY_H > > + > > +EVP_PKEY *rsa_key_create(FILE *, const char *); > > +EVP_PKEY *ec_key_create(FILE *, const char *); > > +EVP_PKEY *key_load(FILE *, const char *); > > + > > +#endif /* ! KEY_H */ > > Index: keyproc.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/keyproc.c,v > > retrieving revision 1.12 > > diff -u -p -r1.12 keyproc.c > > --- keyproc.c 8 Jun 2019 07:52:55 -0000 1.12 > > +++ keyproc.c 11 Jun 2019 11:35:25 -0000 > > @@ -30,7 +30,7 @@ > > #include <openssl/x509v3.h> > > > > #include "extern.h" > > -#include "rsa.h" > > +#include "key.h" > > > > /* > > * This was lifted more or less directly from demos/x509/mkreq.c of the 
> > @@ -117,13 +117,19 @@ keyproc(int netsock, const char *keyfile > > } > > > > if (newkey) { > > - if ((pkey = rsa_key_create(f, keyfile)) == NULL) > > - goto out; > > - dodbg("%s: generated RSA domain key", keyfile); > > + if (ecdsa) { > > + if ((pkey = ec_key_create(f, keyfile)) == NULL) > > + goto out; > > + dodbg("%s: generated ECDSA domain key", keyfile); > > + } else { > > + if ((pkey = rsa_key_create(f, keyfile)) == NULL) > > + goto out; > > + dodbg("%s: generated RSA domain key", keyfile); > > + } > > } else { > > - if ((pkey = rsa_key_load(f, keyfile)) == NULL) > > + if ((pkey = key_load(f, keyfile)) == NULL) > > goto out; > > - doddbg("%s: loaded RSA domain key", keyfile); > > + doddbg("%s: loaded domain key", keyfile); > > } > > > > fclose(f); > > Index: main.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/main.c,v > > retrieving revision 1.47 > > diff -u -p -r1.47 main.c > > --- main.c 8 Jun 2019 07:52:55 -0000 1.47 > > +++ main.c 11 Jun 2019 11:35:25 -0000 > > @@ -49,6 +49,7 @@ main(int argc, char *argv[]) > > int popts = 0; > > pid_t pids[COMP__MAX]; > > extern int verbose; > > + extern int ecdsa; > > extern enum comp proccomp; > > size_t i, altsz, ne; > > > > @@ -145,6 +146,10 @@ main(int argc, char *argv[]) > > authority = authority_find(conf, auth); > > if (authority == NULL) > > errx(EXIT_FAILURE, "authority %s not found", auth); > > + } > > + > > + if (domain->keytype == 1) { > > + ecdsa = 1; > > } > > > > acctkey = authority->account; > > Index: parse.h > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/parse.h,v > > retrieving revision 1.10 > > diff -u -p -r1.10 parse.h > > --- parse.h 8 Jun 2019 07:52:55 -0000 1.10 > > +++ parse.h 11 Jun 2019 11:35:25 -0000 
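Review bot: The two arms of the new `if (ecdsa)` in keyproc differ only in the creator called and the algorithm name in the debug string, so the `goto out` and the `dodbg` call are duplicated; `pkey = ecdsa ? ec_key_create(f, keyfile) : rsa_key_create(f, keyfile);` followed by `if (pkey == NULL) goto out;` and `dodbg("%s: generated %s domain key", keyfile, ecdsa ? "ECDSA" : "RSA");` says the same in three lines. This is a style point only; behaviour is unchanged. keyproc's body starts and ends outside the hunk, and whether the `ecdsa` global is already populated in this process when keyproc runs (main.c sets it, per that hunk) depends on where the fork happens relative to that assignment, which is not visible here.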
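Review bot: `if (domain->keytype == 1)` in main() compares against a bare literal whose meaning is only visible in the parse.y actions (`0` for rsa, `1` for ecdsa), so the two files can drift silently; named constants for the keytype values next to the new `int keytype;` field in parse.h (constructed names, e.g. `KT_RSA`/`KT_ECDSA`) would tie them together. If no enum is wanted, `ecdsa = (domain->keytype == 1);` at least removes the braced single-statement block and keeps the literal in one place. main() continues outside the hunk.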
> > @@ -38,6 +38,7 @@ struct domain_c { > > TAILQ_ENTRY(domain_c) entry; > > TAILQ_HEAD(, altname_c) altname_list; > > int altname_count; > > + int keytype; > > char *domain; > > char *key; > > char *cert; > > Index: parse.y > > =================================================================== > > RCS file: /cvs/src/usr.sbin/acme-client/parse.y,v > > retrieving revision 1.34 > > diff -u -p -r1.34 parse.y > > --- parse.y 8 Jun 2019 07:52:55 -0000 1.34 > > +++ parse.y 11 Jun 2019 11:35:25 -0000 > > @@ -38,6 +38,7 @@ > > #include <unistd.h> > > > > #include "parse.h" > > +#include "extern.h" > > > > TAILQ_HEAD(files, file) files = TAILQ_HEAD_INITIALIZER(files); > > static struct file { > > @@ -99,10 +100,11 @@ typedef struct { > > %} > > > > %token AUTHORITY URL API ACCOUNT > > -%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH > > CHALLENGEDIR > > +%token DOMAIN ALTERNATIVE NAMES CERT FULL CHAIN KEY SIGN WITH > > CHALLENGEDIR KEYTYPE > > %token YES NO > > %token INCLUDE > > %token ERROR > > +%token RSA ECDSA > > %token <v.string> STRING > > %token <v.number> NUMBER > > %type <v.string> string > > @@ -258,12 +260,21 @@ domain : DOMAIN STRING { > > } > > ; > > > > +keytype : RSA { > > + domain->keytype = 0; > > + } > > + | ECDSA { > > + domain->keytype = 1; > > + } > > + | /* nothing */ > > + ; > > + > > domainopts_l : domainopts_l domainoptsl nl > > | domainoptsl optnl > > ; > > > > domainoptsl : ALTERNATIVE NAMES '{' altname_l '}' > > - | DOMAIN KEY STRING { > > + | DOMAIN KEY STRING keytype { > > char *s; > > if (domain->key != NULL) { > > yyerror("duplicate key"); 
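Review bot: The empty alternative of the new `keytype` rule does not assign `domain->keytype`, so the rsa default documented in acme-client.conf.5 depends on the `domain` structure having been zero-initialised at allocation, which is not visible in this hunk; `| /* nothing */ { domain->keytype = 0; }` makes the default explicit and self-documenting. The new `#include "extern.h"` is not used by anything in the visible hunks; if it was added only for the `ecdsa` flag, main.c already performs that translation and the include may be unnecessary. The `DOMAIN KEY STRING keytype` action starts here and continues past the end of the hunk.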
> > @@ -427,10 +438,12 @@ lookup(char *s) > > {"chain", CHAIN}, > > {"challengedir", CHALLENGEDIR}, > > {"domain", DOMAIN}, > > + {"ecdsa", ECDSA}, > > {"full", FULL}, > > {"include", INCLUDE}, > > {"key", KEY}, > > {"names", NAMES}, > > + {"rsa", RSA}, > > {"sign", SIGN}, > > {"url", URL}, > > {"with", WITH}, > > Index: rsa.c > > =================================================================== > > RCS file: rsa.c > > diff -N rsa.c > > --- rsa.c 28 Jul 2018 15:25:23 -0000 1.7 > > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> > @@ -1,88 +0,0 @@ > > -/* $Id: rsa.c,v 1.7 2018/07/28 15:25:23 tb Exp $ */ > > -/* > > - * Copyright (c) 2016 Kristaps Dzonsons <krist...@bsd.lv> > > - * > > - * Permission to use, copy, modify, and distribute this software for any > > - * purpose with or without fee is hereby granted, provided that the above > > - * copyright notice and this permission notice appear in all copies. > > - * > > - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES > > - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > > - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR > > - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > > - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > > - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > > - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > > - */ > > - > > -#include <err.h> > > -#include <stdlib.h> > > -#include <unistd.h> > > - > > -#include <openssl/evp.h> > > -#include <openssl/pem.h> > > -#include <openssl/rsa.h> > > - > > -#include "rsa.h" > > - > > -/* > > - * Default number of bits when creating a new key. > > - */ > > -#define KBITS 4096 > > - > > -/* > > - * Create an RSA key with the default KBITS number of bits. > > - */ > > -EVP_PKEY * > > -rsa_key_create(FILE *f, const char *fname) > > -{ > > - EVP_PKEY_CTX *ctx = NULL; > > - EVP_PKEY *pkey = NULL; > > - > > - /* First, create the context and the key. 
*/ > > - > > - if ((ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) == NULL) { > > - warnx("EVP_PKEY_CTX_new_id"); > > - goto err; > > - } else if (EVP_PKEY_keygen_init(ctx) <= 0) { > > - warnx("EVP_PKEY_keygen_init"); > > - goto err; > > - } else if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, KBITS) <= 0) { > > - warnx("EVP_PKEY_set_rsa_keygen_bits"); > > - goto err; > > - } else if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { > > - warnx("EVP_PKEY_keygen"); > > - goto err; > > - } > > - > > - /* Serialise the key to the disc. */ > > - > > - if (PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL)) > > - goto out; > > - > > - warnx("%s: PEM_write_PrivateKey", fname); > > -err: > > - EVP_PKEY_free(pkey); > > - pkey = NULL; > > -out: > > - EVP_PKEY_CTX_free(ctx); > > - return pkey; > > -} > > - > > - > > -EVP_PKEY * > > -rsa_key_load(FILE *f, const char *fname) > > -{ > > - EVP_PKEY *pkey; > > - > > - pkey = PEM_read_PrivateKey(f, NULL, NULL, NULL); > > - if (pkey == NULL) { > > - warnx("%s: PEM_read_PrivateKey", fname); > > - return NULL; > > - } else if (EVP_PKEY_type(pkey->type) == EVP_PKEY_RSA) > > - return pkey; > > - > > - warnx("%s: unsupported key type", fname); > > - EVP_PKEY_free(pkey); > > - return NULL; > > -} > > Index: rsa.h > > =================================================================== > > RCS file: rsa.h > > diff -N rsa.h > > --- rsa.h 31 Aug 2016 22:01:42 -0000 1.1 > > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> > @@ -1,23 +0,0 @@ > > -/* $Id: rsa.h,v 1.1 2016/08/31 22:01:42 florian Exp $ */ > > -/* > > - * Copyright (c) 2016 Kristaps Dzonsons <krist...@bsd.lv> > > - * > > - * Permission to use, copy, modify, and distribute this software for any > > - * purpose with or without fee is hereby granted, provided that the above > > - * copyright notice and this permission notice appear in all copies. > > - * > > - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES > > - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF > > - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR > > - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > > - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN > > - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > > - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > > - */ > > -#ifndef RSA_H > > -#define RSA_H > > - > > -EVP_PKEY *rsa_key_create(FILE *, const char *); > > -EVP_PKEY *rsa_key_load(FILE *, const char *); > > - > > -#endif /* ! RSA_H */ > > > > > -- > I'm not entirely sure you are real. > -- Gilles Chehade @poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg