pki: Add support for Ed448 keys/certificates
authorTobias Brunner <tobias@strongswan.org>
Mon, 20 Jan 2020 18:08:14 +0000 (19:08 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 10 Feb 2020 12:37:31 +0000 (13:37 +0100)
src/pki/command.h
src/pki/commands/gen.c
src/pki/commands/issue.c
src/pki/commands/print.c
src/pki/commands/self.c
src/pki/man/pki---gen.1.in
src/pki/man/pki---issue.1.in
src/pki/man/pki---print.1.in
src/pki/man/pki---self.1.in

index 353f514..8b5b9c1 100644 (file)
@@ -34,7 +34,7 @@
 /**
  * Maximum number of usage summary lines (+1)
  */
-#define MAX_LINES 12
+#define MAX_LINES 13
 
 typedef struct command_t command_t;
 typedef struct command_option_t command_option_t;
index 203c765..361162e 100644 (file)
@@ -48,6 +48,10 @@ static int gen()
                                {
                                        type = KEY_ED25519;
                                }
+                               else if (streq(arg, "ed448"))
+                               {
+                                       type = KEY_ED448;
+                               }
                                else if (streq(arg, "bliss"))
                                {
                                        type = KEY_BLISS;
@@ -108,6 +112,9 @@ static int gen()
                        case KEY_ED25519:
                                size = 256;
                                break;
+                       case KEY_ED448:
+                               size = 456;
+                               break;
                        case KEY_BLISS:
                                size = 1;
                                break;
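Review bot: The new `case KEY_ED448: size = 456;` introduces a bare constant with no explanation, and unlike the neighbouring `256` for Ed25519 it is not a value most readers will recognise on sight. Ed448 keys are 57 bytes, i.e. 456 bits, as specified in RFC 8032, so a one-line comment on the assignment would spare the next maintainer a lookup, e.g. `size = 456; /* 57-byte keys, see RFC 8032 */`. gen() starts and ends outside this hunk, so how `size` is consumed after the switch is not visible here.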
@@ -166,7 +173,7 @@ static void __attribute__ ((constructor))reg()
 {
        command_register((command_t) {
                gen, 'g', "gen", "generate a new private key",
-               {"[--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
+               {"[--type rsa|ecdsa|ed25519|ed448|bliss] [--size bits] [--safe-primes]",
                 "[--shares n] [--threshold l] [--outform der|pem]"},
                {
                        {"help",                'h', 0, "show usage information"},
index 4f11e7a..f20e2e3 100644 (file)
@@ -124,6 +124,11 @@ static int issue()
                                        type = CRED_PRIVATE_KEY;
                                        subtype = KEY_ED25519;
                                }
+                               else if (streq(arg, "ed448"))
+                               {
+                                       type = CRED_PRIVATE_KEY;
+                                       subtype = KEY_ED448;
+                               }
                                else if (streq(arg, "bliss"))
                                {
                                        type = CRED_PRIVATE_KEY;
@@ -631,9 +636,10 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t) {
                issue, 'i', "issue",
                "issue a certificate using a CA certificate and key",
-               {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|bliss] --cakey file|--cakeyid hex",
-                " --cacert file [--dn subject-dn] [--san subjectAltName]+",
-                "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
+               {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|ed448|bliss]",
+                "--cakey file|--cakeyid hex --cacert file [--dn subject-dn]",
+                "[--san subjectAltName]+ [--lifetime days] [--serial hex]",
+                "[--ca] [--pathlen len]",
                 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
                 "[--crl uri [--crlissuer i]]+ [--ocsp uri]+ [--nc-permitted name]",
                 "[--nc-excluded name] [--policy-mapping issuer-oid:subject-oid]",
index 2ab3e61..3bca92c 100644 (file)
@@ -113,6 +113,12 @@ static int print()
                                        type = CRED_PRIVATE_KEY;
                                        subtype = KEY_ED25519;
                                }
+                               else if (streq(arg, "ed448") ||
+                                                streq(arg, "ed448-priv"))
+                               {
+                                       type = CRED_PRIVATE_KEY;
+                                       subtype = KEY_ED448;
+                               }
                                else if (streq(arg, "bliss") ||
                                                 streq(arg, "bliss-priv"))
                                {
@@ -196,8 +202,8 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t)
                { print, 'a', "print",
                "print a credential in a human readable form",
-               {"[--in file|--keyid hex] "
-                "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
+               {"[--in file|--keyid hex]",
+                "[--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|ed448|bliss]"},
                {
                        {"help",        'h', 0, "show usage information"},
                        {"in",          'i', 1, "input file, default: stdin"},
index 31018e8..cb7567c 100644 (file)
@@ -102,6 +102,10 @@ static int self()
                                {
                                        type = KEY_ED25519;
                                }
+                               else if (streq(arg, "ed448"))
+                               {
+                                       type = KEY_ED448;
+                               }
                                else if (streq(arg, "bliss"))
                                {
                                        type = KEY_BLISS;
@@ -467,7 +471,7 @@ static void __attribute__ ((constructor))reg()
        command_register((command_t) {
                self, 's', "self",
                "create a self signed certificate",
-               {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
+               {"[--in file|--keyid hex] [--type rsa|ecdsa|ed25519|ed448|bliss|priv]",
                 " --dn distinguished-name [--san subjectAltName]+",
                 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
                 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
index 4c61ead..0344f94 100644 (file)
@@ -45,8 +45,8 @@ Set debug level, default: 1.
 Read command line options from \fIfile\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR or
-\fIbliss\fR, defaults to \fIrsa\fR.
+Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
+\fIed448\fR or \fIbliss\fR, defaults to \fIrsa\fR.
 .TP
 .BI "\-s, \-\-size " bits
 Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
index 99dcaca..3050c0e 100644 (file)
@@ -72,8 +72,9 @@ key/request is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
 \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
-\fIed25519\fR (Ed25519 private key) \fIbliss\fR (BLISS private key) or
-\fIpkcs10\fR (PKCS#10 certificate request), defaults to \fIpub\fR.
+\fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private key),
+\fIbliss\fR (BLISS private key) or \fIpkcs10\fR (PKCS#10 certificate request),
+defaults to \fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or
index 09b8a10..6de0e73 100644 (file)
@@ -53,8 +53,8 @@ an optional 0x prefix.
 Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
 Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
 \fIpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIed25519\fR (Ed25519 private key), \fIbliss\fR (BLISS private
-key), defaults to \fIx509\fR.
+private key), \fIed25519\fR (Ed25519 private key), \fIed448\fR (Ed448 private
+key), \fIbliss\fR (BLISS private key), defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
index 6e04609..caa943d 100644 (file)
@@ -72,8 +72,8 @@ Smartcard or TPM private key object handle in hex format with an optional
 0x prefix.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
-or \fIbliss\fR, defaults to \fIpriv\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR,
+\fIed448\fR or \fIbliss\fR, defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.