From e86c724422228abbe45d07d3eda409ed0a0e9ce4 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 26 Apr 2024 23:34:12 +0100
Subject: [PATCH] self-sign: Improve default algorithm and curve selection
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 8048c90c7..9b06ac5b5 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1894,19 +1894,31 @@ Cannot self-sign this request for '$file_name_base'.
 Conflicting certificate exists at:
 * $crt_out"
+	# Check algo and curve
+	case "$EASYRSA_ALGO" in
+	rsa)
+		# Silently use ec/secp384r1
+		export EASYRSA_ALGO=ec
+		set_var EASYRSA_CURVE secp384r1
+	;;
+	ec)
+		: # ok
+	;;
+	ed)
+		user_error "self-sign does not support ED Curves."
+	;;
+	*)
+		user_error "Unrecognised algorithm: '$EASYRSA_ALGO'"
+	esac
+	verbose "\
+self-sign: Use ALGO/CURVE to $EASYRSA_ALGO/$EASYRSA_CURVE"
 	# temp-file for params-file
 	selfsign_params_file=""
 	easyrsa_mktemp selfsign_params_file || \
 		die "build_self_sign - easyrsa_mktemp selfsign_params_file"
-	# Allow default EASYRSA_ALGO=rsa to silently use EC
-	if [ "$EASYRSA_CURVE" ]; then
-		[ "$EASYRSA_CURVE" = secp384r1 ] || \
-			user_error "Only EC Curve 'secp384r1' is supported."
-	else
-		export EASYRSA_CURVE=secp384r1
-	fi
 	# params-file
 	"${EASYRSA_OPENSSL}" ecparam \
 		-name "${EASYRSA_CURVE}" \
@@ -1937,7 +1949,8 @@ Conflicting certificate exists at:
 	# User info
 	notice "\
-Self-signed key and certificate created:
+Self-signed '$EASYRSA_ALGO/$EASYRSA_CURVE' \
+key and certificate created:
 * $key_out
 * $crt_out
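Review bot: The `ec)` branch of the new case accepts whatever EASYRSA_CURVE already holds, so the `Only EC Curve 'secp384r1' is supported.` check that the removed block enforced is gone with nothing in its place, and a pre-set or empty curve now reaches `ecparam -name "${EASYRSA_CURVE}"` and the verbose line unvalidated. The same applies to the `rsa)` branch if `set_var` only assigns when the variable is unset, as its use as a defaults helper suggests, in which case its `# Silently use ec/secp384r1` comment does not hold for a pre-set curve. If widening to any curve OpenSSL knows is intended, say so on the branch, e.g. `: # ok - any curve name ecparam accepts; unknown names fail at the ecparam call below`; otherwise keep a guard such as `[ "$EASYRSA_CURVE" = secp384r1 ] || user_error "Only EC Curve 'secp384r1' is supported."` in the `ec)` branch. The enclosing function (build_self_sign, going by the die message) starts and ends outside the hunk.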