/*
+ * Copyright (C) 2013 Tobias Brunner
* Copyright (C) 2009 Martin Willi
* Hochschule fuer Technik Rapperswil
*
#include "pki.h"
+#include <crypto/ec_params.h>
+
/**
* Generate a private key
*/
{
cred_encoding_type_t form = PRIVKEY_ASN1_DER;
key_type_t type = KEY_RSA;
+ ec_curve_t curve = ECC_UNKNOWN;
u_int size = 0, shares = 0, threshold = 1;
private_key_t *key;
chunk_t encoding;
return command_usage("invalid key size");
}
continue;
+ case 'c':
+ curve = enum_from_name(ec_curve_names, arg);
+ if (curve == -1 || curve == ECC_UNKNOWN)
+ {
+ return command_usage("invalid elliptic curve");
+ }
+ continue;
case 'p':
safe_primes = TRUE;
continue;
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
BUILD_KEY_SIZE, size, BUILD_SAFE_PRIMES, BUILD_END);
}
+ else if (type == KEY_ECDSA && curve != ECC_UNKNOWN)
+ {
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
+ BUILD_ECC_CURVE, curve, BUILD_END);
+ }
else
{
key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
{"help", 'h', 0, "show usage information"},
{"type", 't', 1, "type of key, default: rsa"},
{"size", 's', 1, "keylength in bits, default: rsa 2048, ecdsa 384"},
+ {"curve", 'c', 1, "elliptic curve to use for ecdsa"},
{"safe-primes", 'p', 0, "generate rsa safe primes"},
{"shares", 'n', 1, "number of private rsa key shares"},
{"threshold", 'l', 1, "minimum number of participating rsa key shares"},
}
});
}
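Review bot: The new `else if (type == KEY_ECDSA && curve != ECC_UNKNOWN)` branch means a `--curve` given together with a non-ECDSA `--type` is silently dropped and the RSA path is taken, so the user gets a key that does not match what they asked for with no diagnostic. Since `--type` may be parsed after `--curve`, the check belongs after the option loop, before the create branches: `if (curve != ECC_UNKNOWN && type != KEY_ECDSA) { return command_usage("--curve is only supported for ecdsa keys"); }`. The man page states `--size` has no effect when `--curve` is set, which matches the branch not passing `BUILD_KEY_SIZE`; a short comment on that branch such as `/* an explicit curve overrides --size */` would make that intent visible in the code as well. The enclosing function and the if/else chain around the `lib->creds->create` calls start outside the visible hunks.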
-
.SY pki\ \-\-gen
.OP \-\-type type
.OP \-\-size bits
+.OP \-\-curve curve
.OP \-\-safe\-primes
.OP \-\-shares n
.OP \-\-threshold l
.TP
.BI "\-s, \-\-size " bits
Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
-For \fIecdsa\fR only three values are currently supported: 256, 384 and 521.
+For \fIecdsa\fR only the three values 256, 384 and 521 can be used, they
+correspond to the respective NIST curve.
+.TP
+.BI "\-c, \-\-curve " curve
+Elliptic curve to use for \fIecdsa\fR keys. If configured \fI\-\-size\fR has
+no effect. Currently supported are the following curves (with their known
+aliases):
+.RS
+.TP
+.I nist192
+NIST 192-bit curve (X9.62 prime192v1, SECP secp192r1)
+.TP
+.I nist224
+NIST 224-bit curve (SECP secp224r1)
+.TP
+.I nist256
+NIST 256-bit curve (X9.62 prime256v1, SECP secp256r1)
+.TP
+.I nist384
+NIST 384-bit curve (SECP secp384r1)
+.TP
+.I nist521
+NIST 521-bit curve (SECP secp521r1)
+.TP
+.I bp224
+ECC Brainpool 224-bit curve (brainpoolP224r1)
+.TP
+.I bp256
+ECC Brainpool 256-bit curve (brainpoolP256r1)
+.TP
+.I bp384
+ECC Brainpool 384-bit curve (brainpoolP384r1)
+.TP
+.I bp512
+ECC Brainpool 512-bit curve (brainpoolP512r1)
+.PP
+.B Note:
+Only the three NIST curves with 256, 384 and 521 bit length, respectively, can
+currently be used for authentication in IKE.
+.RE
.TP
.BI "\-p, \-\-safe\-primes"
Generate RSA safe primes.