Use ecparam instead of genpkey

The generated keys are just different.

As a consequence, remove key encryption support.
This commit is contained in:
Lucas 2020-02-14 03:02:52 +00:00
parent f53179091a
commit 036418abee

View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
usage() usage()
{ {
printf "Usage: %s [-e] [-c curve] [-d days] domain\n" "${0##*/}" >&2 printf "Usage: %s [-c curve] [-d days] domain\n" "${0##*/}" >&2
exit 1 exit 1
} }
@ -12,16 +12,13 @@ tonumber()
curve=secp384r1 curve=secp384r1
days=3650 days=3650
encrypt= while getopts c:d: flag; do
while getopts c:d:e flag; do
case $flag in case $flag in
c) [ -n "$OPTARG" ] || usage c) [ -n "$OPTARG" ] || usage
curve=$OPTARG curve=$OPTARG
;; ;;
d) days=$(tonumber "$OPTARG") || usage d) days=$(tonumber "$OPTARG") || usage
;; ;;
e) encrypt=yes
;;
*) usage *) usage
;; ;;
esac esac
@ -34,16 +31,8 @@ if [ -f "$domain.key" ]; then
printf "%s: key for %s already exists; reusing it.\n" \ printf "%s: key for %s already exists; reusing it.\n" \
"${0##*/}" "$domain" >&2 "${0##*/}" "$domain" >&2
else else
(umask 077 && openssl genpkey ${encrypt:+-aes256} \ (umask 077 &&
-algorithm ec -pkeyopt ec_paramgen_curve:"$curve" \ openssl ecparam -genkey -name "$curve" -out "$domain.key")
-out "$domain.key")
if [ $? -ne 0 ] || [ ! -s "$domain.key" ]; then
# openssl doesn't return an error code if there is a password
# mismatch or a password too short, and it creates the output
# file anyways
rm -f "$domain.key"
exit 1
fi
fi fi
openssl req -new -x509 -days "$days" -subj "/CN=$domain" \ openssl req -new -x509 -days "$days" -subj "/CN=$domain" \