LDAP: Rotate soon-to-be expired key material.

Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
author: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:30:20 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:54:00 +0200
commit: 6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree: 21b18d5268ecf4c2d86864832d384cc79de78b4d
parent: ab26418d9e59314d88ebf4f0885659114a919961 (diff)
7 files changed, 62 insertions, 78 deletions
diff --git a/certs/ldap/ldap.fripost.org.pem b/certs/ldap/ldap.fripost.org.pem
index f9d9e94..02b1237 100644
--- a/certs/ldap/ldap.fripost.org.pem
+++ b/certs/ldap/ldap.fripost.org.pem
@@ -1,31 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIFXzCCA0egAwIBAgIJALUdgbcP0QegMA0GCSqGSIb3DQEBCwUAME8xEDAOBgNV
-BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMQ0wCwYDVQQLEwRMREFQMRkw
-FwYDVQQDExBsZGFwLmZyaXBvc3Qub3JnMB4XDTE0MDkxMjE2NDM1NloXDTI0MDkw
-OTE2NDM1NlowTzEQMA4GA1UEChMHRnJpcG9zdDERMA8GA1UECxMIU1NMY2VydHMx
-DTALBgNVBAsTBExEQVAxGTAXBgNVBAMTEGxkYXAuZnJpcG9zdC5vcmcwggIiMA0G
-CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqwdXg+Jst/vZ6NUPfT4DwXCwt7Xl4
-L2txiwGbpHqgC5B2ZcSePpoGCyT1CC7GsFCw+4qSDtB+7kDqDcomZsru1+n3onET
-YC7cSFzs6ks9PtpRMmnWC7184X0bUm6wkvpdJE8tlaqWzkt8S1RlGS/4g5bLKbmz
-ClYz/IrG68yPLWU9MHwlrV79Uf29mwLZGwK1PBV29QOiKDTp1KribRepjiO/bKVd
-+NIrHY8k7rdbZoe4z1Hp/SBdr7WyospSLwbJgNAFXPw/Nju9B/xEkQhDL+DkUR1X
-6JmIik1iAIxv3t1YgctL3Dyc8+RP0vjekrBWUYgRK9dBqia7Etmn7pGB19dqZe6g
-y30OsI9TcpW8Elqwg768QUCYZjwI2LN1SyR/et7hL3FQasjMjJOwqlT/PIQAJsLF
-CdqK+zZKBi/fNpdzJIb7TW7g4p8NJaICU0n9PMsoSdp4yi4n3OEYq6c8fKUuDF1i
-w8pCZE7SHW4qB1Vz5BgZjGmRk+MRzF48VigiZvL+WYoKEvNK7bhXQJ1DACc60j5h
-hrX5mleUANrhgwG72+m7gyZNCo2p15SausLup9ImyImZoQT88xRgz8txsDxe08Oa
-fO7z9dTuenY/tNVYHMkiJ/0RskOs7fDnSRpHzcwzWf1u4iEDS6lEbUWDdkyZ3XEP
-wLoBBaRhexm4mQIDAQABoz4wPDAcBgNVHREEFTATgRFhZG1pbkBmcmlwb3N0Lm9y
-ZzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwICpDANBgkqhkiG9w0BAQsFAAOC
-AgEAglkIiXCYMajASIjJuVp8e3Eu+k3FKXvW7SPfga6SxcKUTmVPyzNAIVUWXxDq
-3nHArOEgrHW8ZAa9aFvLHKcUFOo9hmFZe+dxCXBK++XSyf2Au8PQ7B+8uznaC8/w
-JhSq+VarhItd3KMcW9ueG8YMCAxL7yahC0NQkMmwdecvdNB1gNRNnefvjhGIGFOJ
-Af5EPSckv+M6f4tFiX8EiabE4t4YW1yHHQ+6SStZL8vBJgT4OCeXaARirGAUiL7K
-xVR55ilO3dOdTEg7/+9ASNqygxtz53flnGltKfzt+QwzFK37WSBvGyp+tvmh6EE7
-XaqhBTYepWoiWJ2oRZsQet3QL4goCQGug0HFhYjW2sIl6TjlczuHXc3ynC6kkTD5
-8fhHNDt2bqXPfWmLqHXFP8RFapj+j/PzSXFH0JgllYGXtJufLXzGfN5Bg+6zpJSo
-COuZcoWw0e4BgNlc3gT8lKDqjK7zBoAVoxxvsOOaDB27T0sWwg3SERZXKD3xn7Jw
-vOIAWYkaQLonYuexW3KUX7OoG9d8HQAOyEkgoU0R6CfwGmK5VbGUQCFAwjF0VHqz
-9rKQrRB5+Oh4wK0dQhtU1m5IuxRrRyV7CX/n79vlBePdUIbDRWgJOvaSD125P+9l
-RHOSUOZ3tq6IltCLetUMM+qgDkVUFvRvXy2tev5ZBFUpJQs=
+MIIBvTCCAW+gAwIBAgIUHA3QvHLOo4JVBaYkVrDL9xv+sdMwBQYDK2VwME8xEDAO
+BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ
+MRkwFwYDVQQDDBBsZGFwLmZyaXBvc3Qub3JnMB4XDTI0MDkwODE4MzMyM1oXDTM0
+MDkwNjE4MzMyM1owTzEQMA4GA1UECgwHRnJpcG9zdDERMA8GA1UECwwIU1NMY2Vy
+dHMxDTALBgNVBAsMBExEQVAxGTAXBgNVBAMMEGxkYXAuZnJpcG9zdC5vcmcwKjAF
+BgMrZXADIQAvg/MmR2tVDRb0MYcfQ8T9CMm6xNSWLt+2JDpXs7W0x6NdMFswHAYD
+VR0RBBUwE4ERYWRtaW5AZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
+Af8EBAMCBaAwHQYDVR0OBBYEFEJgdyZi8bgHZljJaUT/p8e8ZIWeMAUGAytlcANB
+APqO/lJ6WkT2rr8MG7kG+3IvBa7+KWKCmzV8ew9SoSF+enaCkNjOBtvW85W0lHBT
+i4DzFM0IxdgxgWIEP/NsrgQ=
 -----END CERTIFICATE-----
diff --git a/certs/ldap/mx.pem b/certs/ldap/mx.pem
deleted file mode 100644
index 2e6275e..0000000
--- a/certs/ldap/mx.pem
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFaTCCA1GgAwIBAgIJAMFfcQJWxnoSMA0GCSqGSIb3DQEBCwUAMFQxEDAOBgNV
-BAoTB0ZyaXBvc3QxETAPBgNVBAsTCFNTTGNlcnRzMQ0wCwYDVQQLEwRMREFQMREw
-DwYDVQQLEwhTeW5jUmVwbDELMAkGA1UEAxMCbXgwHhcNMTQwOTEyMTY0MzM3WhcN
-MjQwOTA5MTY0MzM3WjBUMRAwDgYDVQQKEwdGcmlwb3N0MREwDwYDVQQLEwhTU0xj
-ZXJ0czENMAsGA1UECxMETERBUDERMA8GA1UECxMIU3luY1JlcGwxCzAJBgNVBAMT
-Am14MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArdTG5Uh17j85iOs2
-8+92wHtIR/95ic3+E0Ao8KsWNXYduKLGGrLLAh7T9JPMK80M3gF32nZcbTD5pBuW
-NpuClezmCHtPN5ZtTMN6sRl3I/OGhu4vrOkfjOvRNTSByQo3ZC48rcgZbUPTzrCq
-+2eDc3R+TbllGhXB9JyZtM71nIix6c6vuERuj6uPQ64oonNWL5eVPH/Ww8wlTDzp
-Q69ATXQ92KoIILWllN7zqoU6ldVUyNswo0/wZsqDjxajh7s0qQwQLt7jMLV5JGNd
-kWvzyeMJMrmZj5C7Ch54usZh1gdOyf+ZnpnrhCERNOKpkxL59WOrglQPNiKMBZin
-MYVcpeCG3UdFaN59kuExUut8U3AVVflYuDfQIP9iHGdHKsBazqUTfqgLIZyWIMoe
-MdERazvRANPNHBMjIYYLlcWyjDch3k5iY1pyl8jskWi72F82XsiKMkr5H+tjFPve
-H3VaUCY2XNYNI8Ztvn6lifjvA+uVAI084pHZUDQkZFbT4LnLKY79d5IOwE1uXHtf
-6tUu8PHG9HeLZNiGex+kIPhg5gmQmipZwofbXX4xG0Km+3Dz2dWViOQri4n1s5xQ
-G1bWJtVmyDKEfDGF2ZiUZ+dAiih3qit1rTFZoiMqtNgEiahh/8R78Qx2xsCcu/76
-GLg/qh8r+lR1wMkWcoUbToIpARcCAwEAAaM+MDwwHAYDVR0RBBUwE4ERYWRtaW5A
-ZnJpcG9zdC5vcmcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCAqQwDQYJKoZI
-hvcNAQELBQADggIBAGmCGK8Q32nc1Ltc3S2XCkbMzn4qfFKu1agEk2fBgU1qrVnx
-ioNWcct4trI8hwYwJ7QMQLx8ZdmuBbEyD60k9/qj+SCctrXnSA8p0SSCRUKgwyN0
-L14hvu+7P6G5VfPDNd+T1yqVMbMM2qgNYMHQDmf8e9IFa1DUSYks0v/3YdGwLSxj
-5IoIvc1JxBlGmgRGgG4z5a4v0ikuDc+XAEV0wWT2xF/7CuJnwglpedOgE+l7PLgU
-RQ4uPFQUnFUbcBBE+GLDxXxkOosD7GmAkvppaS8vwA+beqYX8LZMlCqqzXqk+3bp
-FCgQ6IARyYWchp/x4PFy1uGkU8PKsVO4xzQ15WuyaJCy3jqum9TfQUW/ZjRFT+3m
-sEgzarTxqP7CIlCHygVaDj2ALiaMjGbpHGA5JbwMFFaIuzVDj/DEJWKnxu5paJw1
-ERLBmZXhCqtveGmbI08RCMIZjlZ1xLAhFKGRQ4abDTfTlD4QU1EWh+NLHlSRTIg4
-Idbs9QDQH9Eb6p2+scEUL6ci2XGWRjet2wKdCPC3VMNwW/+pXG5YvrvHJBdx8V+F
-w0jWYOg4RQQuB/tAbucj1fvCnj2yMJPCsnlbeN4RPG/xF/89qlSey3kxUfma5eid
-m9kmjWPgXPgUQf+hmefL5HcN7M8zShTdSf81Xa0z3VqJENoQ4v4AqidEjVGY
------END CERTIFICATE-----
diff --git a/certs/ldap/syncrepl/mx@civett.pem b/certs/ldap/syncrepl/mx@civett.pem
new file mode 100644
index 0000000..430c3e6
--- /dev/null
+++ b/certs/ldap/syncrepl/mx@civett.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAXmgAwIBAgIUKkHGFnwdZ85QwHkb4cCfE8chdFEwBQYDK2VwMFQxEDAO
+BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ
+MREwDwYDVQQLDAhTeW5jUmVwbDELMAkGA1UEAwwCbXgwHhcNMjQwOTA4MTgzNjU2
+WhcNMzQwOTA2MTgzNjU2WjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT
+U0xjZXJ0czENMAsGA1UECwwETERBUDERMA8GA1UECwwIU3luY1JlcGwxCzAJBgNV
+BAMMAm14MCowBQYDK2VwAyEATR5gkOjpEYhG4e2fRjcowwSWkwLFjWHy1mGEjaru
+/jmjXTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC
+MAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBSe9LYpYEdZNz7vx0Pe/LXFCJST
+PDAFBgMrZXADQQC0Isvso/VBCBrQx2uOVRUC8hZiKhKHX3SozqYGgrxlQBjxy8dZ
+cx3gsl4TGw/VWt80BSXQ+TqJHocjoyoy5/oE
+-----END CERTIFICATE-----
diff --git a/certs/ldap/syncrepl/mx@elefant.pem b/certs/ldap/syncrepl/mx@elefant.pem
new file mode 100644
index 0000000..bbd5f56
--- /dev/null
+++ b/certs/ldap/syncrepl/mx@elefant.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxzCCAXmgAwIBAgIUcwEP5HP6psC+HGMXHZBwf3Y/++UwBQYDK2VwMFQxEDAO
+BgNVBAoMB0ZyaXBvc3QxETAPBgNVBAsMCFNTTGNlcnRzMQ0wCwYDVQQLDARMREFQ
+MREwDwYDVQQLDAhTeW5jUmVwbDELMAkGA1UEAwwCbXgwHhcNMjQwOTA4MTgzNTIw
+WhcNMzQwOTA2MTgzNTIwWjBUMRAwDgYDVQQKDAdGcmlwb3N0MREwDwYDVQQLDAhT
+U0xjZXJ0czENMAsGA1UECwwETERBUDERMA8GA1UECwwIU3luY1JlcGwxCzAJBgNV
+BAMMAm14MCowBQYDK2VwAyEAp7jKBb1mYic6E+k7awOmDU2HVV+Ly9BNSqoWPmoG
+XhCjXTBbMBwGA1UdEQQVMBOBEWFkbWluQGZyaXBvc3Qub3JnMAwGA1UdEwEB/wQC
+MAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBQUeRpdKnUN37/2HJElOEgOiYNp
+IzAFBgMrZXADQQADKZwI8lJT+o2tuJD9tbAyjgJU72IxVRNsV8jkE3SEmI0E6w/3
+gf7T9BSPKe1Z23+Sc7Y5lKwHdxGp0Toao/UL
+-----END CERTIFICATE-----
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 37edb0b..e17bc3a 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -13,100 +13,108 @@
     - libnet-ldap-perl
     - libauthen-sasl-perl
 
 - name: Configure slapd
   template: src=etc/default/slapd.j2
             dest=/etc/default/slapd
             owner=root group=root
             mode=0644
   register: r1
   notify:
     - Restart slapd
 
 - name: Create directory /etc/ldap/ssl
   file: path=/etc/ldap/ssl
         state=directory
         owner=root group=root
         mode=0755
   tags:
     - genkey
 
-# XXX: It's ugly to list all roles here, and to prunes them with a
-# conditional...
 - name: Generate a private key and a X.509 certificate for slapd
-  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
-  # support ECDSA; and slapd doesn't seem to support DHE (!?) so
-  # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
-  # SHA-512.
   command: genkeypair.sh x509
                          --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
                          --privkey=/etc/ldap/ssl/{{ item.name }}.key
                          --ou=LDAP {{ item.ou }} --cn={{ item.name }}
-                         --usage=digitalSignature,keyEncipherment,keyCertSign
-                         -t rsa -b 4096 -h sha256
+                         --usage=digitalSignature,keyEncipherment
+                         -t ed25519
                          --owner=root --group=openldap --mode=0640
   register: r2
   changed_when: r2.rc == 0
   failed_when: r2.rc > 1
   with_items:
     - { group: 'LDAP_provider', name: ldap.fripost.org, ou:               }
     - { group: 'MX',            name: mx,               ou: --ou=SyncRepl }
     - { group: 'lists',         name: lists,            ou: --ou=SyncRepl }
   when: "item.group in group_names"
+  notify:
+    - Restart slapd
+  tags:
+    - genkey
+
+- name: Fetch the SyncProv's X.509 certificate
+  # Ensure we don't fetch private data
+  become: False
+  fetch_cmd: cmd="openssl x509"
+             stdin=/etc/ldap/ssl/ldap.fripost.org.pem
+             dest=certs/ldap/ldap.fripost.org.pem
+  when: "'LDAP_provider' in group_names"
   tags:
     - genkey
 
 - name: Fetch slapd's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   fetch_cmd: cmd="openssl x509"
              stdin=/etc/ldap/ssl/{{ item.name }}.pem
-             dest=certs/ldap/{{ item.name }}.pem
+             dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem
   with_items:
-    - { group: 'LDAP_provider', name: ldap.fripost.org }
     - { group: 'MX',            name: mx               }
     - { group: 'lists',         name: lists            }
   when: "item.group in group_names"
   tags:
     - genkey
 
 - name: Copy the SyncProv's server certificate
   copy: src=certs/ldap/ldap.fripost.org.pem
         dest=/etc/ldap/ssl/ldap.fripost.org.pem
         owner=root group=root
         mode=0644
   when: "'LDAP_provider' not in group_names"
   tags:
     - genkey
 
 - name: Copy the SyncRepls's client certificates
-  assemble: src=certs/ldap remote_src=no
-            dest=/etc/ldap/ssl/clients.pem
+  assemble: src=certs/ldap/syncrepl remote_src=no
+            dest=/etc/ldap/ssl/syncrepl.pem
             owner=root group=root
             mode=0644
   when: "'LDAP_provider' in group_names"
   tags:
     - genkey
+  register: r3
+  notify:
+    - Restart slapd
 
 - name: Start slapd
   service: name=slapd state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
 - name: Copy fripost & amavis' schema
   copy: src=etc/ldap/schema/{{ item }}
         dest=/etc/ldap/schema/{{ item }}
         owner=root group=root
         mode=0644
   # It'd certainly be nicer if we didn't have to deploy amavis' schema
   # everywhere, but we need the 'objectClass' in our replicates, hence
   # they need to be aware of the 'amavisAccount' class.
   with_items:
     - fripost.ldif
     - amavis.schema
   tags:
     - amavis
 
 - name: Load amavis' schema
   openldap: target=/etc/ldap/schema/amavis.schema
             format=slapd.conf name=amavis
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 2c0db0b..a0ac705 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -17,41 +17,41 @@
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /run/slapd/slapd.args
 olcPidFile: /run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
 olcThreads: {{ 2 * ansible_processor_vcpus }}
 {% else %}
 olcThreads: 8
 {% endif %}
 {% if 'LDAP_provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # If we are being offered a client cert, it has to be trusted (in which
 # case we map the X.509 subject to a DN in our namespace), or we
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
-olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
+olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
 olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
 olcTLSDHParamFile: /etc/ssl/dhparams.pem
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
 # supports (salted, streched) SHA512
 olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
 
 dn: olcDatabase=monitor,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMonitorConfig
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 olcAccess: to dn.subtree="cn=monitor"
     by dn.exact="username=munin,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" read
     by * =0
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index ad65aef..72102f4 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -102,48 +102,50 @@ while [ $# -gt 0 ]; do
         -f) force=$(( 1 + $force ));;
         --pubkey=?*) pubkey="${1#--pubkey=}";;
         --privkey=?*) privkey="${1#--privkey=}";;
 
         --usage=?*) usage="${usage:+$usage,}${1#--usage=}";;
         --config=?*) config="${1#--config=}";;
 
         --mode=?*) mode="${1#--mode=}";;
         --owner=?*) owner="${1#--owner=}";;
         --group=?*) group="${1#--group=}";;
 
         --help) usage; exit;;
         *) echo "Unrecognized argument: $1" >&2; exit 2
     esac
     shift;
 done
 
 case "$type" in
     # XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
     # genpkey can also create explicit EC parameters, but not named.
-    rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";;
-    dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";;
+    rsa) genkey=genrsa; genkeyargs="-rand /dev/urandom -f4 ${bits:-2048}";;
+    dsa) genkey=dsaparam; genkeyargs="-rand /dev/urandom -noout -genkey ${bits:-1024}";;
     # See 'openssl ecparam -list_curves' for the list of supported
     # curves. StrongSwan doesn't support explicit curve parameters
     # (however explicit parameters might be required to make exotic
     # curves work with some clients.)
     ecdsa) genkey=ecparam
-           genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
+           genkeyargs="-rand /dev/urandom -noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
+    x25519|x448|ed25519|ed448) genkey=genpkey
+                               genkeyargs="-algorithm $type";;
     *) echo "Unrecognized key type: $type" >&2; exit 2
 esac
 
 if [ "$cmd" = x509 -o "$cmd" = csr ]; then
     case "$hash" in
         md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;;
         *) echo "Invalid digest algorithm: $hash" >&2; exit 2;
     esac
 
     [ "$cn" ] || cn="$(hostname --fqdn)"
     [ ${#cn} -le 64 ] || { echo "CommonName too long: $cn" >&2; exit 2; }
 fi
 
 if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
     config=$(mktemp) || exit 2
     trap 'rm -f "$config"' EXIT
 
     # see /usr/share/ssl-cert/ssleay.cnf
     cat >"$config" <<- EOF
 		[ req ]
@@ -156,40 +158,40 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then
 		[ req_distinguished_name ]
 		organizationName       = Fripost
 		organizationalUnitName = SSLcerts
 		$(echo "$ou")
 		commonName             = ${cn:-/}
 
 		[ v3_req ]
 		subjectAltName       = email:admin@fripost.org${dns:+, $dns}
 		basicConstraints     = critical, CA:FALSE
 		# https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method
 		keyUsage             = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign}
 		subjectKeyIdentifier = hash
 	EOF
 fi
 
 if [ -s "$privkey" -a $force -eq 0 ]; then
     echo "Error: private key exists: $privkey" >&2
     exit 1
 elif [ ! -s "$privkey" -o $force -ge 2 ]; then
     install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2
-    openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+    openssl $genkey $genkeyargs >"$privkey" || exit 2
     [ "$cmd" = dkim ] && exit
 fi
 
 if [ "$cmd" = x509 -a "$pubkey" = "$privkey" ]; then
     pubkey=$(mktemp)
     openssl req -config "$config" -new -x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
     cat "$pubkey" >>"$privkey" || exit 2
     rm -f "$pubkey"
 elif [ "$cmd" = x509 -o "$cmd" = csr ]; then
     if [ -s "$pubkey" -a $force -eq 0 ]; then
         echo "Error: public key exists: $pubkey" >&2
         exit 1
     else
         [ "$cmd" = x509 ] && x509=-x509 || x509=
         openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2
     fi
 elif [ "$cmd" = keypair -a "$pubkey" ]; then
     openssl pkey -pubout <"$privkey" >"$pubkey"
 fi
author	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:30:20 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:54:00 +0200
commit	6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree	21b18d5268ecf4c2d86864832d384cc79de78b4d
parent	ab26418d9e59314d88ebf4f0885659114a919961 (diff)