From: Tobias Brunner
Date: Mon, 20 Jan 2020 18:08:14 +0000 (+0100)
Subject: pki: Add support for Ed448 keys/certificates
X-Git-Tag: 5.8.3dr1~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=878afdf90b93ae83e633c40393022708c2c64cdd;p=thirdparty%2Fstrongswan.git

pki: Add support for Ed448 keys/certificates
---
diff --git a/src/pki/command.h b/src/pki/command.h
index 353f5141ce..8b5b9c1e5e 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -34,7 +34,7 @@
 /**
 * Maximum number of usage summary lines (+1)
 */
-#define MAX_LINES 12
+#define MAX_LINES 13
 typedef struct command_t command_t;
 typedef struct command_option_t command_option_t;
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 203c76542a..361162ea3f 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -48,6 +48,10 @@ static int gen()
 {
 type = KEY_ED25519;
 }
+ else if (streq(arg, "ed448"))
+ {
+ type = KEY_ED448;
+ }
 else if (streq(arg, "bliss"))
 {
 type = KEY_BLISS;
@@ -108,6 +112,9 @@ static int gen()
 case KEY_ED25519:
 size = 256;
 break;
+ case KEY_ED448:
+ size = 456;
+ break;
 case KEY_BLISS:
 size = 1;
 break;
@@ -166,7 +173,7 @@ static void __attribute__ ((constructor))reg()
 {
 command_register((command_t) {
 gen, 'g', "gen", "generate a new private key",
- {"[--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
+ {"[--type rsa|ecdsa|ed25519|ed448|bliss] [--size bits] [--safe-primes]",
 "[--shares n] [--threshold l] [--outform der|pem]"},
 {
 {"help", 'h', 0, "show usage information"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 4f11e7aa58..f20e2e3c43 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -124,6 +124,11 @@ static int issue()
 type = CRED_PRIVATE_KEY;
 subtype = KEY_ED25519;
 }
+ else if (streq(arg, "ed448"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ED448;
+ }
 else if (streq(arg, "bliss"))
 {
 type = CRED_PRIVATE_KEY;
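Review bot: The reason for raising `MAX_LINES` from 12 to 13 is not visible at this site; the comment only says "(+1)" and nothing ties the value to the command whose usage table grew (the issue command's usage array gains one line in the issue.c hunk further down). A comment such as `/* sized for the longest usage table (currently "issue"); bump when a command's usage lines grow */` would tell the next maintainer where to look. It is also worth confirming that the build treats excess array initializers as an error, since GCC only warns about them by default and an overlong usage table would otherwise be silently truncated; the array this constant sizes is outside the hunk, so I cannot see how it is declared.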
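Review bot: The `streq(arg, "ed448")` branch is the fourth copy of the same type-name ladder in this diff (gen.c here, then issue.c, print.c and self.c), so a future key type has to be added in four places, and print.c already diverges by accepting an `ed448-priv` alias the other three do not. A small shared helper that maps the option string to the key type enum, with the `-priv` aliases handled in one place, would keep them in sync; this is a point of style rather than a defect. Other pki commands that parse `--type` the same way (req, pub, signcrl, if they do) are not touched by this diff and may still reject `ed448`, which is worth a check. The enclosing option loop in gen() starts and ends outside the hunk.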
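Review bot: `size = 456;` is a bare magic number next to an equally bare `size = 256;`; a short comment, `size = 456; /* 57-octet Ed448 private key, RFC 8032 */`, saves the next reader a lookup. The guard that decides whether this default applies, and what happens when the user passes `--size` for an Edwards key, is outside the hunk — presumably a user-supplied value bypasses this switch and is handed straight to the key generator, which should ignore or reject it rather than silently produce a key of unexpected size; worth confirming the ed448 path behaves exactly like the existing ed25519 one. The switch's enclosing function gen() starts and ends outside the hunk.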
@@ -631,9 +636,10 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 issue, 'i', "issue",
 "issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|bliss] --cakey file|--cakeyid hex",
- " --cacert file [--dn subject-dn] [--san subjectAltName]+",
- "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
+ {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|ed448|bliss]",
+ "--cakey file|--cakeyid hex --cacert file [--dn subject-dn]",
+ "[--san subjectAltName]+ [--lifetime days] [--serial hex]",
+ "[--ca] [--pathlen len]",
 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 2ab3e61fc7..3bca92cc33 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -113,6 +113,12 @@ static int print()
 type = CRED_PRIVATE_KEY;
 subtype = KEY_ED25519;
 }
+ else if (streq(arg, "ed448") ||
+ streq(arg, "ed448-priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ED448;
+ }
 else if (streq(arg, "bliss") ||
 streq(arg, "bliss-priv"))
 {
@@ -196,8 +202,8 @@ static void __attribute__ ((constructor))reg()
 command_register((command_t) {
 print, 'a', "print",
 "print a credential in a human readable form",
- {"[--in file|--keyid hex] "
- "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
+ {"[--in file|--keyid hex]",
+ "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|ed448|bliss]"},
 {
 {"help", 'h', 0, "show usage information"},
 {"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 31018e8054..cb7567c37d 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
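Review bot: The new branch accepts `ed448-priv` as well as `ed448`, but neither the usage string in the reg() hunk below nor pki---print.1.in (hunk on the last line) lists the `-priv` spelling. This mirrors the existing undocumented `bliss-priv` alias visible in the context lines, so it is a pre-existing pattern rather than a regression, but the man page could say once that every private-key type also accepts a `-priv` suffix. The enclosing option parsing in print() starts and ends outside the hunk.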
@@ -102,6 +102,10 @@ static int self()
 {
 type = KEY_ED25519;
 }
+ else if (streq(arg, "ed448"))
+ {
+ type = KEY_ED448;
+ }
 else if (streq(arg, "bliss"))
 {
 type = KEY_BLISS;
@@ -467,7 +471,7 @@ static void __attribute__ ((constructor))reg()
 {
 command_register((command_t) {
 self, 's', "self", "create a self signed certificate",
- {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|ed448|bliss|priv]",
 " --dn distinguished-name [--san subjectAltName]+",
 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
index 4c61ead9cc..0344f9473b 100644
--- a/src/pki/man/pki---gen.1.in
+++ b/src/pki/man/pki---gen.1.in
@@ -45,8 +45,8 @@ Set debug level, default: 1.
 Read command line options from \fIfile\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR or
-\fIbliss\fR, defaults to \fIrsa\fR.
+Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
+\fIed448\fR or \fIbliss\fR, defaults to \fIrsa\fR.
 .TP
 .BI "\-s, \-\-size " bits
 Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 99dcaca703..3050c0e4cc 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -72,8 +72,9 @@ key/request is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
-\fIed25519\fR (Ed25519 private key) \fIbliss\fR (BLISS private key) or
-\fIpkcs10\fR (PKCS#10 certificate request), defaults to \fIpub\fR.
+\fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private key),
+\fIbliss\fR (BLISS private key) or \fIpkcs10\fR (PKCS#10 certificate request),
+defaults to \fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 09b8a10c36..6de0e7340c 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -53,8 +53,8 @@ an optional 0x prefix.
 Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key), \fIpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIed25519\fR (Ed25519 private key), \fIbliss\fR (BLISS private
-key), defaults to \fIx509\fR.
+private key), \fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private
+key), \fIbliss\fR (BLISS private key), defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 6e04609785..caa943d88a 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -72,8 +72,8 @@ Smartcard or TPM private key object handle in hex format with
 an optional 0x prefix.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
-or \fIbliss\fR, defaults to \fIpriv\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
+\fIed448\fR or \fIbliss\fR, defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.