Mathieu Trossevin 38aac7b137
Use genpkey and pkey instead of genrsa and rsa
genrsa and rsa are being deprecated by OpenSSL and both genpkey and pkey
provide the same functionality as genrsa and rsa while being more
configurable.
2022-04-06 11:40:17 +02:00


@ -137,14 +137,14 @@ warning() {
}
verify_ca_password() {
"${OPENSSL_BIN}" rsa \
"${OPENSSL_BIN}" pkey \
-in "${CA_KEY}" \
-passin pass:"${CA_PASSWORD}" \
>/dev/null 2>&1
}
get_real_path() {
# --canonicalize is supported on Linux
# -f is supported on Linux and OpenBSD
# -f is supported on Linux and OpenBSD
readlink -f -- "${1}"
}
@ -278,17 +278,18 @@ init() {
passout_arg=""
if [ -n "${CA_PASSWORD:-}" ]; then
passout_arg="-passout pass:${CA_PASSWORD}"
passout_arg="-pass pass:${CA_PASSWORD}"
elif [ "${non_interactive}" -eq 1 ]; then
error "In non-interactive mode, you must pass CA_PASSWORD as environment variable."
fi
if [ ! -f "${CA_KEY}" ]; then
"${OPENSSL_BIN}" genrsa \
"${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${CA_KEY}" \
${passout_arg} \
-aes256 \
"${CA_KEY_LENGTH}" \
-pkeyopt "rsa_keygen_bits:${CA_KEY_LENGTH}" \
>/dev/null 2>&1
# shellcheck disable=SC2181
if [ "$?" -ne 0 ]; then
@ -333,7 +334,7 @@ EOF
error "Error generating the CA certificate"
fi
fi
"${OPENSSL_BIN}" ca \
-config "${CONF_FILE}" \
-passin pass:${CA_PASSWORD} \
@ -355,9 +356,10 @@ ocsp() {
port=$(echo "${ocsp_uri}" | cut -d':' -f2)
if [ ! -f "${OCSP_KEY}" ]; then
"${OPENSSL_BIN}" genrsa \
"${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${OCSP_KEY}" \
"${KEY_LENGTH}" \
-pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
>/dev/null 2>&1
# shellcheck disable=SC2181
if [ "$?" -ne 0 ]; then
@ -671,14 +673,15 @@ create() {
# generate private key
pass_args=""
if [ -n "${password_file:-}" ]; then
pass_args="-aes256 -passout file:${password_file}"
pass_args="-aes256 -pass file:${password_file}"
elif [ -n "${PASSWORD:-}" ]; then
pass_args="-aes256 -passout pass:${PASSWORD}"
pass_args="-aes256 -pass pass:${PASSWORD}"
fi
"${OPENSSL_BIN}" genrsa \
"${OPENSSL_BIN}" genpkey \
-algorithm RSA \
-out "${key_file}" \
${pass_args} \
"${KEY_LENGTH}" \
-pkeyopt "rsa_keygen_bits:${KEY_LENGTH}" \
>/dev/null 2>&1
# shellcheck disable=SC2181
if [ "$?" -eq 0 ]; then
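Review bot: The rewritten pass-phrase arguments (`passout_arg="-pass pass:${CA_PASSWORD}"` in init() and both `pass_args` assignments in create()) still put the secret on the openssl command line, where other local users can typically read it from the process list while key generation runs. Since CA_PASSWORD is already expected as an environment variable, `passout_arg="-pass env:CA_PASSWORD"` (and `-pass env:PASSWORD` in create()) would keep it off argv, provided the variables are exported to the child process. It would also stop the unquoted `${passout_arg}` and `${pass_args}` expansions from word-splitting a pass phrase that contains spaces. The same applies to `-passin pass:"${CA_PASSWORD}"` in verify_ca_password(), where adding `-noout` to the new `pkey` call would additionally avoid writing the decrypted key to stdout at all. All three functions extend beyond the visible hunks, so the export assumption needs checking against the rest of the script.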