mirror of
https://github.com/openwrt/packages.git
synced 2025-12-21 19:14:30 +04:00
Since upstream openwrt has been using openssl 3.0 for quite some time,
figured we could clean up some of the legacy code.
This PR updates the code for EC/RSA key generation.
nginx-util currently only generates 'ecc' keys, even though the
framework is there for rsa as well.
In order to properly test the changes, I created two binaries:
'nginx-util-ssl' (generates ec keys)
'nginx-util-ssl-rsa' (generates rsa keys)
where I would change line:455 in `src/nginx-ssl-util.hpp`
`auto pkey = gen_eckey(NID_secp384r1)` to `auto pkey = gen_rsakey(2048)`
Example with UCI config
```
config server '_rsa'
list listen '443 ssl default_server'
list listen '[::]:443 ssl default_server'
option server_name '_rsa'
list include 'restrict_locally'
list include 'conf.d/*.locations'
option uci_manage_ssl 'self-signed'
option key_type 'rsa'
option ssl_certificate '/etc/nginx/conf.d/_rsa.crt'
option ssl_certificate_key '/etc/nginx/conf.d/_rsa.key'
option ssl_session_cache 'shared:SSL:32k'
option ssl_session_timeout '64m'
option access_log 'off; # logd openwrt'
```

```
➤ /opt/bin/nginx-ssl-util-rsa add_ssl _rsa
Adding SSL directives to UCI server: nginx._rsa
uci_manage_ssl='self-signed'
Created self-signed SSL certificate '/etc/nginx/conf.d/_rsa.crt' with key '/etc/nginx/conf.d/_rsa.key'.
[04/14/24 18:37:15](K-6.6.27)
root@WRX36 ~
➤ openssl x509 -in /etc/nginx/conf.d/_rsa.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6d:55:a6:cd:52:25:31:fd:3c:78:66:24:82:5f:bb:b6:a6:fe:8f:c7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3
Validity
Not Before: Apr 14 22:37:15 2024 GMT
Not After : Jul 16 22:37:15 2027 GMT
Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
[04/14/24 18:37:27](K-6.6.27)
root@WRX36 ~
➤ /opt/bin/nginx-ssl-util add_ssl _ec
Adding SSL directives to UCI server: nginx._ec
uci_manage_ssl='self-signed'
Created self-signed SSL certificate '/etc/nginx/conf.d/_ec.crt' with key '/etc/nginx/conf.d/_ec.key'.
[04/14/24 18:37:43](K-6.6.27)
root@WRX36 ~
➤ openssl x509 -in /etc/nginx/conf.d/_ec.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
55:32:fe:07:09:79:d1:40:d7:43:2e:45:3d:98:4a:77:65:d0:29:41
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1
Validity
Not Before: Apr 14 22:37:43 2024 GMT
Not After : Jul 16 22:37:43 2027 GMT
Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
ASN1 OID: secp384r1
NIST CURVE: P-384
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
```
Maintainer: Peter Stadler <peter.stadler@student.uibk.ac.at>
Compile tested: aarch64, qualcommax, Master Branch
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>