Add flags to certstrap to support ECDSA and Ed25519

README.md

@@ -87,6 +87,19 @@ $ openssl pkcs12 -export -out outputCert.p12 -inkey inputKey.key -in inputCert.c
 ```
 `inputKey.key` and `inputCert.crt` make up the leaf private key and certificate pair of your choosing (generated by a `sign` command), with `CA.crt` being the certificate authority certificate that was used to sign it.  The output PKCS12 file is `outputCert.p12`
 
+### Key Algorithms:
+Certstrap supports curves P-224, P-256, P-384, P-521, and Ed25519. Curve names can be specified by name as part of the `init` and `request_cert` commands:
+
+```
+$ ./certstrap init --common-name CertAuth --curve P-256
+Created out/CertAuth.key
+Created out/CertAuth.crt
+Created out/CertAuth.crl
+
+$ ./certstrap request-cert --common-name Alice --curve P-256
+Created out/Alice.key
+Created out/Alice.csr
+```
 
 ### Retrieving Files
 

cmd/curve.go

@@ -0,0 +1,47 @@
+package cmd
+
+import (
+	"crypto/elliptic"
+	"fmt"
+	"strings"
+
+	"github.com/square/certstrap/pkix"
+)
+
+// curves is a map of canonical curve name (as specified by the -curve flag)
+// to function that creates a new key on that curve.
+var curves = map[string]func() (*pkix.Key, error){
+	"P-224": func() (*pkix.Key, error) {
+		return pkix.CreateECDSAKey(elliptic.P224())
+	},
+	"P-256": func() (*pkix.Key, error) {
+		return pkix.CreateECDSAKey(elliptic.P256())
+	},
+	"P-384": func() (*pkix.Key, error) {
+		return pkix.CreateECDSAKey(elliptic.P384())
+	},
+	"P-521": func() (*pkix.Key, error) {
+		return pkix.CreateECDSAKey(elliptic.P521())
+	},
+	"Ed25519": func() (*pkix.Key, error) {
+		return pkix.CreateEd25519Key()
+	},
+}
+
+// supportedCurves returns the list of supported curve names as a comma separated
+// string for use in help text and error messages.
+func supportedCurves() string {
+	result := make([]string, 0, len(curves))
+	for name := range curves {
+		result = append(result, name)
+	}
+	return strings.Join(result, ", ")
+}
+
+func createKeyOnCurve(name string) (*pkix.Key, error) {
+	create, ok := curves[name]
+	if !ok {
+		return nil, fmt.Errorf("unknown curve %q, curve must be one of %s", name, supportedCurves())
+	}
+	return create()
+}

cmd/init.go

@@ -44,6 +44,10 @@ func NewInitCommand() cli.Command {
 				Value: 4096,
 				Usage: "Size (in bits) of RSA keypair to generate (example: 4096)",
 			},
+			cli.StringFlag{
+				Name:  "curve",
+				Usage: fmt.Sprintf("Elliptic curve name. Must be one of %s.", supportedCurves()),
+			},
 			cli.IntFlag{
 				Name:   "years",
 				Hidden: true,
@@ -133,7 +137,8 @@ func initAction(c *cli.Context) {
 	}
 
 	var key *pkix.Key
-	if c.IsSet("key") {
+	switch {
+	case c.IsSet("key"):
 		keyBytes, err := ioutil.ReadFile(c.String("key"))
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "Read Key error:", err)
@@ -146,7 +151,19 @@ func initAction(c *cli.Context) {
 			os.Exit(1)
 		}
 		fmt.Printf("Read %s\n", c.String("key"))
-	} else {
+	case c.IsSet("curve"):
+		curve := c.String("curve")
+		key, err = createKeyOnCurve(curve)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Create %s Key error: %v\n", curve, err)
+			os.Exit(1)
+		}
+		if len(passphrase) > 0 {
+			fmt.Printf("Created %s/%s.key (encrypted by passphrase)\n", depotDir, formattedName)
+		} else {
+			fmt.Printf("Created %s/%s.key\n", depotDir, formattedName)
+		}
+	default:
 		key, err = pkix.CreateRSAKey(c.Int("key-bits"))
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)

cmd/request_cert.go

@@ -45,6 +45,10 @@ func NewCertRequestCommand() cli.Command {
 				Value: 2048,
 				Usage: "Size (in bits) of RSA keypair to generate (example: 4096)",
 			},
+			cli.StringFlag{
+				Name:  "curve",
+				Usage: fmt.Sprintf("Elliptic curve name. Must be one of %s.", supportedCurves()),
+			},
 			cli.StringFlag{
 				Name:  "organization, o",
 				Usage: "Sets the Organization (O) field of the certificate",
@@ -155,7 +159,8 @@ func newCertAction(c *cli.Context) {
 	// generate new key if one doesn't exist already
 	var key *pkix.Key
 	keyFilepath := fileName(c, "key", depotDir, formattedName, "key")
-	if c.IsSet("key") && fileExists(c.String("key")) {
+	switch {
+	case c.IsSet("key") && fileExists(c.String("key")):
 		keyBytes, err := ioutil.ReadFile(c.String("key"))
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "Read Key error:", err)
@@ -168,13 +173,24 @@ func newCertAction(c *cli.Context) {
 			os.Exit(1)
 		}
 		fmt.Printf("Read %s\n", keyFilepath)
-	} else {
+	case c.IsSet("curve"):
+		curve := c.String("curve")
+		key, err = createKeyOnCurve(curve)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Create %s Key error: %v", curve, err)
+			os.Exit(1)
+		}
+		if len(passphrase) > 0 {
+			fmt.Printf("Created %s (encrypted by passphrase)\n", keyFilepath)
+		} else {
+			fmt.Printf("Created %s\n", keyFilepath)
+		}
+	default:
 		key, err = pkix.CreateRSAKey(c.Int("key-bits"))
 		if err != nil {
 			fmt.Fprintln(os.Stderr, "Create RSA Key error:", err)
 			os.Exit(1)
 		}
-		keyFilepath := fileName(c, "key", depotDir, formattedName, "key")
 		if len(passphrase) > 0 {
 			fmt.Printf("Created %s (encrypted by passphrase)\n", keyFilepath)
 		} else {

tests/workflow_test.go

@@ -1,4 +1,4 @@
-// +build integration
+//go:build integration
 
 /*-
  * Copyright 2015 Square Inc.
@@ -30,53 +30,88 @@ import (
 )
 
 // TestWorkflow runs certstrap in the normal workflow
-// and traverses all commands
+// and traverses all commands and all key algorithms.
 func TestWorkflow(t *testing.T) {
-	os.RemoveAll(depotDir)
-	defer os.RemoveAll(depotDir)
+	tests := []struct {
+		desc     string
+		keySpec  []string
+		expected x509.PublicKeyAlgorithm
+	}{{
+		desc:     "default RSA",
+		expected: x509.RSA,
+	}, {
+		desc:     "P-256",
+		keySpec:  []string{"--curve", "P-256"},
+		expected: x509.ECDSA,
+	}, {
+		desc:     "P-521",
+		keySpec:  []string{"--curve", "P-521"},
+		expected: x509.ECDSA,
+	}, {
+		desc:     "Ed25519",
+		keySpec:  []string{"--curve", "Ed25519"},
+		expected: x509.Ed25519,
+	}, {
+		desc:     "RSA 2048",
+		keySpec:  []string{"--key-bits", "2048"},
+		expected: x509.RSA,
+	}}
 
-	use_uri := "test://test/test"
+	for _, tc := range tests {
+		t.Run(tc.desc, func(t *testing.T) {
+			os.RemoveAll(depotDir)
+			defer os.RemoveAll(depotDir)
 
-	stdout, stderr, err := run(binPath, "init", "--passphrase", passphrase, "--common-name", "CA")
-	if stderr != "" || err != nil {
-		t.Fatalf("Received unexpected error: %v, %v", stderr, err)
-	}
-	if strings.Count(stdout, "Created") != 3 {
-		t.Fatalf("Received incorrect create: %v", stdout)
-	}
+			use_uri := "test://test/test"
 
-	stdout, stderr, err = run(binPath, "request-cert", "--passphrase", passphrase, "--common-name", hostname, "--uri", use_uri)
-	if stderr != "" || err != nil {
-		t.Fatalf("Received unexpected error: %v, %v", stderr, err)
-	}
-	if strings.Count(stdout, "Created") != 2 {
-		t.Fatalf("Received incorrect create: %v", stdout)
-	}
+			args := []string{"init", "--passphrase", passphrase, "--common-name", "CA"}
+			args = append(args, tc.keySpec...)
+			stdout, stderr, err := run(binPath, args...)
+			if stderr != "" || err != nil {
+				t.Fatalf("Received unexpected error: %v, %v", stdout, err)
+			}
+			if strings.Count(stdout, "Created") != 3 {
+				t.Fatalf("Received incorrect create: %v", stdout)
+			}
 
-	stdout, stderr, err = run(binPath, "request-cert", "--passphrase", passphrase, "--ip", "127.0.0.1,8.8.8.8", "--common-name", "127.0.0.1")
-	if stderr != "" || err != nil {
-		t.Fatalf("Received unexpected error: %v, %v", stderr, err)
-	}
-	if strings.Count(stdout, "Created") != 2 {
-		t.Fatalf("Received incorrect create: %v", stdout)
-	}
+			args = []string{"request-cert", "--passphrase", passphrase, "--common-name", hostname, "--uri", use_uri}
+			args = append(args, tc.keySpec...)
+			stdout, stderr, err = run(binPath, args...)
+			if stderr != "" || err != nil {
+				t.Fatalf("Received unexpected error: %v, %v", stderr, err)
+			}
+			if strings.Count(stdout, "Created") != 2 {
+				t.Fatalf("Received incorrect create: %v", stdout)
+			}
 
-	stdout, stderr, err = run(binPath, "sign", "--passphrase", passphrase, "--CA", "CA", hostname)
-	if stderr != "" || err != nil {
-		t.Fatalf("Received unexpected error: %v, %v", stderr, err)
-	}
-	if strings.Count(stdout, "Created") != 1 {
-		t.Fatalf("Received incorrect create: %v", stdout)
-	}
+			stdout, stderr, err = run(binPath, "request-cert", "--passphrase", passphrase, "--ip", "127.0.0.1,8.8.8.8", "--common-name", "127.0.0.1")
+			if stderr != "" || err != nil {
+				t.Fatalf("Received unexpected error: %v, %v", stderr, err)
+			}
+			if strings.Count(stdout, "Created") != 2 {
+				t.Fatalf("Received incorrect create: %v", stdout)
+			}
 
-	fcontents, err := ioutil.ReadFile(path.Join(depotDir, strings.Join([]string{hostname, ".crt"}, "")))
-	if err != nil {
-		t.Fatalf("Reading cert failed: %v", err)
-		os.Exit(1)
-	}
-	der, _ := pem.Decode(fcontents)
-	cert, err := x509.ParseCertificate(der.Bytes)
-	if !(len(cert.URIs) == 1 && cert.URIs[0].String() == use_uri) {
-		t.Fatalf("URI not reflected in cert")
+			stdout, stderr, err = run(binPath, "sign", "--passphrase", passphrase, "--CA", "CA", hostname)
+			if stderr != "" || err != nil {
+				t.Fatalf("Received unexpected error: %v, %v", stderr, err)
+			}
+			if strings.Count(stdout, "Created") != 1 {
+				t.Fatalf("Received incorrect create: %v", stdout)
+			}
+
+			fcontents, err := ioutil.ReadFile(path.Join(depotDir, strings.Join([]string{hostname, ".crt"}, "")))
+			if err != nil {
+				t.Fatalf("Reading cert failed: %v", err)
+			}
+			der, _ := pem.Decode(fcontents)
+			cert, err := x509.ParseCertificate(der.Bytes)
+			if !(len(cert.URIs) == 1 && cert.URIs[0].String() == use_uri) {
+				t.Fatalf("URI not reflected in cert")
+			}
+			if cert.PublicKeyAlgorithm != tc.expected {
+				t.Fatalf("Public key algorithm = %d, want %d", cert.PublicKeyAlgorithm, tc.expected)
+			}
+		})
 	}
 }