From: Tobias Brunner
Date: Mon, 16 Sep 2013 13:02:41 +0000 (+0200)
Subject: pki: --gen can generate keys with a known curve
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Fbrainpool-gen;p=thirdparty%2Fstrongswan.git
pki: --gen can generate keys with a known curve
---
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index b74be7d981..2a9441c7d2 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2013 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -15,6 +16,8 @@
 
 #include "pki.h"
 
+#include 
+
 /**
  * Generate a private key
  */
@@ -22,6 +25,7 @@ static int gen()
 {
 cred_encoding_type_t form = PRIVKEY_ASN1_DER;
 key_type_t type = KEY_RSA;
+ ec_curve_t curve = ECC_UNKNOWN;
 u_int size = 0, shares = 0, threshold = 1;
 private_key_t *key;
 chunk_t encoding;
@@ -61,6 +65,13 @@ static int gen()
 return command_usage("invalid key size");
 }
 continue;
+ case 'c':
+ curve = enum_from_name(ec_curve_names, arg);
+ if (curve == -1 || curve == ECC_UNKNOWN)
+ {
+ return command_usage("invalid elliptic curve");
+ }
+ continue;
 case 'p':
 safe_primes = TRUE;
 continue;
@@ -116,6 +127,11 @@ static int gen()
 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES, BUILD_END);
 }
+ else if (type == KEY_ECDSA && curve != ECC_UNKNOWN)
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_ECC_CURVE, curve, BUILD_END);
+ }
 else
 {
 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
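Review bot: A `--curve` passed together with `--type rsa` (or with the default type) is parsed and validated in the new `case 'c'` but then silently dropped, because the `else if` added in the `@@ -116,6 +127,11 @@` hunk only consults `curve` when `type == KEY_ECDSA`; the user gets an RSA key with no hint that the curve they asked for was ignored. Rejecting the combination once parsing is done, e.g. `if (curve != ECC_UNKNOWN && type != KEY_ECDSA) { return command_usage("--curve is only valid for ecdsa keys"); }`, keeps the generated key matching what was requested. Separately, the `-1` failure value of `enum_from_name()` is stored straight into the `ec_curve_t` before the comparison; reading it into an `int` first and assigning to `curve` only after the check avoids depending on the enum's implementation-defined signedness. gen() continues outside these hunks, so the spot for the post-parse check is not visible here.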
@@ -156,6 +172,7 @@ static void __attribute__ ((constructor))reg()
 {"help", 'h', 0, "show usage information"},
 {"type", 't', 1, "type of key, default: rsa"},
 {"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+ {"curve", 'c', 1, "elliptic curve to use for ecdsa"},
 {"safe-primes", 'p', 0, "generate rsa safe primes"},
 {"shares", 'n', 1, "number of private rsa key shares"},
 {"threshold", 'l', 1, "minimum number of participating rsa key shares"},
@@ -163,4 +180,3 @@ static void __attribute__ ((constructor))reg()
 }
 });
 }
-
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
index 138ab61229..c3ec4385d8 100644
--- a/src/pki/man/pki---gen.1.in
+++ b/src/pki/man/pki---gen.1.in
@@ -9,6 +9,7 @@ pki \-\-gen \- Generate a new RSA or ECDSA private key
 .SY pki\ \-\-gen
 .OP \-\-type type
 .OP \-\-size bits
+.OP \-\-curve curve
 .OP \-\-safe\-primes
 .OP \-\-shares n
 .OP \-\-threshold l
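Review bot: The new `"curve"` usage entry says neither that it overrides `--size` nor what the accepted names look like, and since the parser only answers `invalid elliptic curve` on a bad value, the identifiers are discoverable only from the man page. A line such as `{"curve", 'c', 1, "elliptic curve to use for ecdsa (e.g. nist256), overrides --size"},` would make the option self-describing in the built-in usage output.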
@@ -49,7 +50,46 @@ Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
 .TP
 .BI "\-s, \-\-size " bits
 Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
-For \fIecdsa\fR only three values are currently supported: 256, 384 and 521.
+For \fIecdsa\fR only the three values 256, 384 and 521 can be used, they
+correspond to the respective NIST curve.
+.TP
+.BI "\-c, \-\-curve " curve
+Elliptic curve to use for \fIecdsa\fR keys. If configured \fI\-\-size\fR has
+no effect. Currently supported are the following curves (with their known
+aliases):
+.RS
+.TP
+.I nist192
+NIST 192-bit curve (X9.62 prime192v1, SECP secp192r1)
+.TP
+.I nist224
+NIST 224-bit curve (SECP secp224r1)
+.TP
+.I nist256
+NIST 256-bit curve (X9.62 prime256v1, SECP secp256r1)
+.TP
+.I nist384
+NIST 384-bit curve (SECP secp384r1)
+.TP
+.I nist521
+NIST 521-bit curve (SECP secp521r1)
+.TP
+.I bp224
+ECC Brainpool 224-bit curve (brainpoolP224r1)
+.TP
+.I bp256
+ECC Brainpool 256-bit curve (brainpoolP256r1)
+.TP
+.I bp384
+ECC Brainpool 384-bit curve (brainpoolP384r1)
+.TP
+.I bp512
+ECC Brainpool 512-bit curve (brainpoolP512r1)
+.PP
+.B Note:
+Only the three NIST curves with 256, 384 and 521 bit length, respectively, can
+currently be used for authentication in IKE.
+.RE
 .TP
 .BI "\-p, \-\-safe\-primes"
 Generate RSA safe primes.