1 files changed, 6 insertions, 4 deletions

diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index ad65aef..72102f4 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -119,14 +119,16 @@ done
 case "$type" in
     # XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
     # genpkey can also create explicit EC parameters, but not named.
-    rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";;
-    dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";;
+    rsa) genkey=genrsa; genkeyargs="-rand /dev/urandom -f4 ${bits:-2048}";;
+    dsa) genkey=dsaparam; genkeyargs="-rand /dev/urandom -noout -genkey ${bits:-1024}";;
     # See 'openssl ecparam -list_curves' for the list of supported
     # curves. StrongSwan doesn't support explicit curve parameters
     # (however explicit parameters might be required to make exotic
     # curves work with some clients.)
     ecdsa) genkey=ecparam
-           genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
+           genkeyargs="-rand /dev/urandom -noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";;
+    x25519|x448|ed25519|ed448) genkey=genpkey
+                               genkeyargs="-algorithm $type";;
     *) echo "Unrecognized key type: $type" >&2; exit 2
 esac
 
@@ -173,7 +175,7 @@ if [ -s "$privkey" -a $force -eq 0 ]; then
     exit 1
 elif [ ! -s "$privkey" -o $force -ge 2 ]; then
     install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2
-    openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+    openssl $genkey $genkeyargs >"$privkey" || exit 2
     [ "$cmd" = dkim ] && exit
 fi