From: Lukas Schauer
Date: Sun, 31 Oct 2021 21:31:09 +0000 (+0100)
Subject: extend ec algorithms with secp521r1 (not yet supported by LetsEncrypt, but maybe...
X-Git-Tag: v0.7.1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f4cf92bae519f9d09c6c63dfc62e06e8a5432b97;p=thirdparty%2Fdehydrated.git

extend ec algorithms with secp521r1 (not yet supported by LetsEncrypt, but maybe by other CAs)
---

diff --git a/dehydrated b/dehydrated
index adcb9e7..3cbae35 100755
--- a/dehydrated
+++ b/dehydrated
@@ -317,7 +317,7 @@ verify_config() {
 if [[ "${CHALLENGETYPE}" = "http-01" && ! -d "${WELLKNOWN}" && ! "${COMMAND:-}" = "register" ]]; then
 _exiterr "WELLKNOWN directory doesn't exist, please create ${WELLKNOWN} and set appropriate permissions."
 fi
- [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue."
+ [[ "${KEY_ALGO}" == "rsa" || "${KEY_ALGO}" == "prime256v1" || "${KEY_ALGO}" == "secp384r1" || "${KEY_ALGO}" == "secp521r1" ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue."
 if [[ -n "${IP_VERSION}" ]]; then
 [[ "${IP_VERSION}" = "4" || "${IP_VERSION}" = "6" ]] || _exiterr "Unknown IP version ${IP_VERSION}... cannot continue."
 fi
@@ -615,7 +615,7 @@ init_system() {
 tmp_account_key="$(_mktemp)"
 case "${ACCOUNT_KEY_ALGO}" in
 rsa) _openssl genrsa -out "${tmp_account_key}" "${ACCOUNT_KEYSIZE}";;
- prime256v1|secp384r1) _openssl ecparam -genkey -name "${ACCOUNT_KEY_ALGO}" -out "${tmp_account_key}" -noout;;
+ prime256v1|secp384r1|secp521r1) _openssl ecparam -genkey -name "${ACCOUNT_KEY_ALGO}" -out "${tmp_account_key}" -noout;;
 esac
 cat "${tmp_account_key}" > "${ACCOUNT_KEY}"
 rm "${tmp_account_key}"
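Review bot: The widened allow-list on the `+` line lets `KEY_ALGO=secp521r1` pass validation, but nothing in this diff extends the certificate-key generation that consumes `KEY_ALGO`; if that path is a `case` like the one in init_system (hunk at line 615) with no default arm, the value would be accepted here and then fall through with no key written, so that case needs `prime256v1|secp384r1|secp521r1)` as well, or a `*) _exiterr ...;;` arm. The same curve list now lives in at least two places; a single pattern such as `[[ "${KEY_ALGO}" =~ ^(rsa|prime256v1|secp384r1|secp521r1)$ ]] || _exiterr "Unknown public key algorithm ${KEY_ALGO}... cannot continue."` keeps the check readable as more curves are added. verify_config's body continues outside the hunk.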
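Review bot: The `case "${ACCOUNT_KEY_ALGO}"` containing the changed line still has no default arm, so an `ACCOUNT_KEY_ALGO` outside the handled patterns runs no `_openssl` at all and the following `cat` writes an empty file to `${ACCOUNT_KEY}` — unless the value is validated elsewhere, which this diff does not show. Adding `*) _exiterr "Unknown account key algorithm ${ACCOUNT_KEY_ALGO}... cannot continue.";;` before `esac` fails closed and matches the wording verify_config already uses for `KEY_ALGO`. init_system's body continues outside the hunk.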
@@ -638,6 +638,8 @@ init_system() {
 account_key_sigalgo="ES256"
 elif [ "${curve}" = "P-384" ]; then
 account_key_sigalgo="ES384"
+ elif [ "${curve}" = "P-521" ]; then
+ account_key_sigalgo="ES512"
 else
 _exiterr "Unknown account key curve: ${curve}"
 fi
@@ -953,6 +955,7 @@ signed_request() {
 case "${account_key_sigalgo}" in
 "ES256") siglen=64;;
 "ES384") siglen=96;;
+ "ES512") siglen=132;;
 esac
 while [[ ${#dgst_parm_1} -lt $siglen ]]; do dgst_parm_1="0${dgst_parm_1}"; done
 while [[ ${#dgst_parm_2} -lt $siglen ]]; do dgst_parm_2="0${dgst_parm_2}"; done
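Review bot: The added `P-521` to `ES512` mapping is correct per RFC 7518 but is the one entry where the curve size and the algorithm number differ, so the new `elif` deserves a comment such as `# P-521 is paired with SHA-512, so the JWS name is ES512 (RFC 7518), not ES521` to save the next reader a lookup. The curve-to-algorithm knowledge is now encoded here, in the `siglen` table at line 955 and in the allow-lists in verify_config and the key-generation `case`, so all of them must be kept in step when another curve is added. The enclosing `if` chain and init_system continue outside the hunk.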
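Review bot: `siglen=132` is correct (a P-521 signature carries a 66-byte r and s, 132 hex digits each), but ES512 also requires the JWS signing input to be hashed with SHA-512, and the `openssl dgst` digest selection for the EC branch is not in this diff; if it is a separate `case` rather than derived from `account_key_sigalgo`, it needs a `-sha512` arm too, otherwise a CA would reject every ES512 signature even though the padding here is right. A why-comment on the new arm, `"ES512") siglen=132;; # 2 x 66-byte coordinates for P-521, as hex`, documents the constant. The `case` still has no `*)` arm; if `siglen` is not initialised before it, an unmatched algorithm leaves `$siglen` unset for the padding loops that follow. signed_request continues outside the hunk.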