Use genpkey and pkey instead of genrsa and rsa

genrsa and rsa are being deprecated by OpenSSL, and genpkey and pkey
provide the same functionality as genrsa and rsa while being more
configurable.
This commit is contained in:
Mathieu Trossevin 2022-04-06 11:09:07 +02:00
parent 97f1affa1b
commit 38aac7b137
Signed by: mtrossevin
GPG key ID: D1DBB7EA828374E9


@ -137,14 +137,14 @@ warning() {
} }
verify_ca_password() { verify_ca_password() {
"${OPENSSL_BIN}" rsa \ "${OPENSSL_BIN}" pkey \
-in "${CA_KEY}" \ -in "${CA_KEY}" \
-passin pass:"${CA_PASSWORD}" \ -passin pass:"${CA_PASSWORD}" \
>/dev/null 2>&1 >/dev/null 2>&1
} }
get_real_path() { get_real_path() {
# --canonicalize is supported on Linux # --canonicalize is supported on Linux
# -f is supported on Linux and OpenBSD # -f is supported on Linux and OpenBSD
readlink -f -- "${1}" readlink -f -- "${1}"
} }
@ -278,17 +278,18 @@ init() {
passout_arg="" passout_arg=""
if [ -n "${CA_PASSWORD:-}" ]; then if [ -n "${CA_PASSWORD:-}" ]; then
passout_arg="-passout pass:${CA_PASSWORD}" passout_arg="-pass pass:${CA_PASSWORD}"
elif [ "${non_interactive}" -eq 1 ]; then elif [ "${non_interactive}" -eq 1 ]; then
error "In non-interactive mode, you must pass CA_PASSWORD as environment variable." error "In non-interactive mode, you must pass CA_PASSWORD as environment variable."
fi fi
if [ ! -f "${CA_KEY}" ]; then if [ ! -f "${CA_KEY}" ]; then
"${OPENSSL_BIN}" genrsa \ "${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${CA_KEY}" \ -out "${CA_KEY}" \
${passout_arg} \ ${passout_arg} \
-aes256 \ -aes256 \
"${CA_KEY_LENGTH}" \ -pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \
>/dev/null 2>&1 >/dev/null 2>&1
# shellcheck disable=SC2181 # shellcheck disable=SC2181
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
@ -333,7 +334,7 @@ EOF
error "Error generating the CA certificate" error "Error generating the CA certificate"
fi fi
fi fi
"${OPENSSL_BIN}" ca \ "${OPENSSL_BIN}" ca \
-config "${CONF_FILE}" \ -config "${CONF_FILE}" \
-passin pass:${CA_PASSWORD} \ -passin pass:${CA_PASSWORD} \
@ -355,9 +356,10 @@ ocsp() {
port=$(echo "${ocsp_uri}" | cut -d':' -f2) port=$(echo "${ocsp_uri}" | cut -d':' -f2)
if [ ! -f "${OCSP_KEY}" ]; then if [ ! -f "${OCSP_KEY}" ]; then
"${OPENSSL_BIN}" genrsa \ "${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${OCSP_KEY}" \ -out "${OCSP_KEY}" \
"${KEY_LENGTH}" \ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
>/dev/null 2>&1 >/dev/null 2>&1
# shellcheck disable=SC2181 # shellcheck disable=SC2181
if [ "$?" -ne 0 ]; then if [ "$?" -ne 0 ]; then
@ -671,14 +673,15 @@ create() {
# generate private key # generate private key
pass_args="" pass_args=""
if [ -n "${password_file:-}" ]; then if [ -n "${password_file:-}" ]; then
pass_args="-aes256 -passout file:${password_file}" pass_args="-aes256 -pass file:${password_file}"
elif [ -n "${PASSWORD:-}" ]; then elif [ -n "${PASSWORD:-}" ]; then
pass_args="-aes256 -passout pass:${PASSWORD}" pass_args="-aes256 -pass pass:${PASSWORD}"
fi fi
"${OPENSSL_BIN}" genrsa \ "${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${key_file}" \ -out "${key_file}" \
${pass_args} \ ${pass_args} \
"${KEY_LENGTH}" \ -pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
>/dev/null 2>&1 >/dev/null 2>&1
# shellcheck disable=SC2181 # shellcheck disable=SC2181
if [ "$?" -eq 0 ]; then if [ "$?" -eq 0 ]; then
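Review bot: The rewritten password options in init() (`passout_arg="-pass pass:${CA_PASSWORD}"`) and create() (`pass_args="-aes256 -pass pass:${PASSWORD}"`), like the existing `-passin pass:${CA_PASSWORD}` in verify_ca_password() and ca, still place the secret on the genpkey/pkey command line, where it is readable by any local user through `ps` or `/proc/*/cmdline` for the lifetime of the key generation; this predates the commit but the switch to `-pass` is the natural moment to fix it. OpenSSL's passphrase sources also accept `env:VAR`, so `passout_arg="-pass env:CA_PASSWORD"`, `pass_args="-aes256 -pass env:PASSWORD"` and `-passin env:CA_PASSWORD` keep the value out of argv, provided the variables are exported to the child process — the error message at the top of the init() hunk indicates CA_PASSWORD already arrives via the environment, but that should be confirmed for PASSWORD and password_file callers. The `env:` form also sidesteps the unquoted `${passout_arg}` and `${pass_args}` expansions word-splitting a password that contains whitespace. init(), ocsp() and create() all begin and end outside their hunks.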