From patchwork Thu Oct 12 04:45:33 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1469
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id 2995A60C05
	for <patchwork@ipfire.org>; Wed, 11 Oct 2017 19:45:43 +0200 (CEST)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id A0E1F2A26;
	Wed, 11 Oct 2017 19:45:42 +0200 (CEST)
Received: from mx.link38.eu (mx.link38.eu [188.68.43.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mx.link38.eu",
	Issuer "Let's Encrypt Authority X3" (not verified))
	by mail01.ipfire.org (Postfix) with ESMTPS id 9412B2A23
	for <development@lists.ipfire.org>;
	Wed, 11 Oct 2017 19:45:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by mx.link38.eu (Postfix) with ESMTP id C528441549
	for <development@lists.ipfire.org>;
	Wed, 11 Oct 2017 19:45:38 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mx.link38.eu
Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu
	[10.141.75.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx.link38.eu (Postfix) with ESMTPS
	for <development@lists.ipfire.org>;
	Wed, 11 Oct 2017 19:45:33 +0200 (CEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 823C79F38A
	for <development@lists.ipfire.org>;
	Wed, 11 Oct 2017 19:45:33 +0200 (CEST)
Date: Wed, 11 Oct 2017 19:45:33 +0200
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: "development@lists.ipfire.org" <development@lists.ipfire.org>
Subject: [PATCH 3/3] generate ECDSA key on existing installations
Message-ID: <20171011194533.44dea89c.peter.mueller@link38.eu>
Organization: Link38
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 src/scripts/httpscert | 37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

diff --git a/src/scripts/httpscert b/src/scripts/httpscert
index e20f789ed..cae39fb74 100644
--- a/src/scripts/httpscert
+++ b/src/scripts/httpscert
@@ -7,17 +7,36 @@
 case "$1" in
   new)
 	if [ ! -f /etc/httpd/server.key ]; then
-		echo "Generating https server key."
+		echo "Generating HTTPS RSA server key."
 		/usr/bin/openssl genrsa -out /etc/httpd/server.key 4096
 	fi
-	echo "Generating CSR"
-	/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
-		req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
-	echo "Signing certificate"
-	/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
-		/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
-		/etc/httpd/server.crt
- 	;;
+	if [ ! -f /etc/httpd/server-ecdsa.key ]; then
+		echo "Generating HTTPS ECDSA server key."
+		/usr/bin/openssl ecparam -genkey -name secp384r1 | openssl ec -out /etc/httpd/server-ecdsa.key
+	fi
+
+	echo "Generating CSRs"
+	if [ ! -f /etc/httpd/server.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server.key -out /etc/httpd/server.csr
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.csr ]; then
+		/bin/cat /etc/certparams | sed "s/HOSTNAME/`hostname -f`/" | /usr/bin/openssl \
+			req -new -key /etc/httpd/server-ecdsa.key -out /etc/httpd/server-ecdsa.csr
+	fi
+
+	echo "Signing certificates"
+	if [ ! -f /etc/httpd/server.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server.csr -signkey /etc/httpd/server.key -out \
+			/etc/httpd/server.crt
+	fi
+	if [ ! -f /etc/httpd/server-ecdsa.crt ]; then
+		/usr/bin/openssl x509 -req -days 999999 -sha256 -in \
+			/etc/httpd/server-ecdsa.csr -signkey /etc/httpd/server-ecdsa.key -out \
+			/etc/httpd/server-ecdsa.crt
+	fi
+	;;
   read)
 	if [ -f /etc/httpd/server.key -a -f /etc/httpd/server.crt -a -f /etc/httpd/server.csr ]; then
 		ISSUER=`openssl x509 -in /etc/httpd/server.crt -text -noout | grep Issuer | /usr/bin/cut -f2 -d '='`