From b79fc75a2025be4bcd2515e0d7b91f81be3808af Mon Sep 17 00:00:00 2001
From: Nicolas KAROLAK <nicolas@karolak.fr>
Date: Tue, 29 Jan 2019 14:16:19 +0100
Subject: [PATCH] mkcert: create ecc cert by default

---
 utils.py | 43 ++++++++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git a/utils.py b/utils.py
index a9b4d546..d4c4afad 100644
--- a/utils.py
+++ b/utils.py
@@ -4,6 +4,7 @@
 
 from collections import OrderedDict
 import os
+from pathlib import Path
 import subprocess
 import sys
 from typing import Any
@@ -346,25 +347,53 @@ subjectKeyIdentifier = hash
 basicConstraints     = CA:FALSE
 keyUsage             = digitalSignature, keyEncipherment
 subjectAltName       = @alternate_names
-nsComment            = "OpenSSL Generated Certificate"
 
 [ alternate_names ]
 
 """
 
-def mkcert(domains: list, keysize: int = 4096, days: int = 1825, config_tpl: str = OPENSSL_CONFIG_TEMPLATE):
+def mkcert(domains: list, ecc: bool = True, days: int = 3650, config_tpl: str = OPENSSL_CONFIG_TEMPLATE):
+    """Generate a self-signed certificate for the domains list.
+
+    :param domains: Domains for which the certificates will be self-signed
+    :type domains: list
+    :param ecc: Wether to use Elliptic Curve cryptography or not, defaults to True, if Fasle RSA is used
+    :param ecc: bool, optional
+    :param days: Validity lifetime of the certificate, defaults to 3650
+    :param days: int, optional
+    :param config_tpl: OpenSSL config file template, defaults to OPENSSL_CONFIG_TEMPLATE
+    :param config_tpl: str, optional
+    """
+
+    # create certs dir
+    cert_dir = "/etc/ssl/envsetup"
+    Path(cert_dir).mkdir(mode=0o755, parents=True, exist_ok=True)
     # populate template with domains
     for i, domain in enumerate(domains, start=1):
         config_tpl = config_tpl + "DNS.{} = {}\n".format(i, domain)
     # write openssl config file
-    with open("/etc/ssl/envsetup.conf", "w") as config_fh:
+    with open(cert_dir + "/conf", "w") as config_fh:
         config_fh.write(config_tpl)
+    # key type: elliptic curve (default) or rsa
+    if ecc:
+        subprocess.check_call([
+            "openssl", "ecparam",
+            "-name", "secp384r1",
+            "-out", cert_dir + "/ecparam"
+        ])
+        keytype = "ec:" + cert_dir +  "/ecparam"
+    else:
+        keytype = "rsa"
     # execute openssl to generate keypair
     subprocess.check_call([
         "openssl", "req",
-        "-config", "/etc/ssl/envsetup.conf",
-        "-new", "-x509", "-sha256", "-newkey", "rsa:{}".format(str(keysize)), "-nodes",
-        "-keyout", "/etc/ssl/private/envsetup.key.pem",
+        "-config", cert_dir + "/conf",
+        "-new",
+        "-x509",
+        "-sha256",
+        "-nodes",
+        "-newkey", keytype,
+        "-keyout", cert_dir + "/key.pem",
         "-days", str(days),
-        "-out", "/etc/ssl/certs/envsetup.cert.pem"
+        "-out", cert_dir + "/cert.pem"
     ])
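Review bot: The private key now lands in `cert_dir + "/key.pem"` inside a directory created with `mode=0o755` (line `Path(cert_dir).mkdir(...)`), whereas it previously went to `/etc/ssl/private/`, which is conventionally owner-only; nothing in the hunk tightens the key file's permissions, so unless the installed OpenSSL build restricts `-keyout` output itself, the file inherits the process umask. I would add `os.chmod(cert_dir + "/key.pem", 0o600)` right after the `subprocess.check_call` (the `os` import is already in scope), or create the directory with `mode=0o700` if nothing else needs to read it. Separately, the new docstring has typos ("Wether", "Fasle") and repeats `:param` where `:type ecc: bool`, `:type days: int` and `:type config_tpl: str` are meant. Note that replacing `keysize` with `ecc` in the second positional slot means any caller still passing a key size positionally now silently selects the key type instead of failing. The function may continue past the end of the hunk.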
-- 
GitLab