Add support for EC521 elliptic curves to certutil

As it currently stands the name certutil is not correct anymore. In issue #49 certutil will be renamed.
fhofherr · Nov 10, 2019 · d95cf91 · d95cf91
1 parent 0807045
commit d95cf91
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 3 deletions.
diff --git a/pkg/certutil/assert.go b/pkg/certutil/assert.go
@@ -51,7 +51,7 @@ func parseSigner(t *testing.T, kt KeyType, key []byte) crypto.Signer {
  switch kt {
  case RSA2048, RSA4096, RSA8192:
  signer, err = x509.ParsePKCS1PrivateKey(block.Bytes)
- case EC256, EC384:
+ case EC256, EC384, EC521:
  signer, err = x509.ParseECPrivateKey(block.Bytes)
  default:
  t.Fatalf("Unsupported key type: %v", kt)

diff --git a/pkg/certutil/key.go b/pkg/certutil/key.go
@@ -29,6 +29,8 @@ const (
  EC256 KeyType = iota
  // EC384 represents an ECDSA key using an elliptic curve implementing P-384.
  EC384
+ // EC521 represents an ECDSA key using an elliptic curve implementing P-521.
+ EC521
  // RSA2048 represents an RSA key with a size of 2048 bits.
  RSA2048
  // RSA4096 represents an RSA key with a size of 4096 bits.
@@ -62,6 +64,8 @@ func determineECDSAKeyType(pk *ecdsa.PrivateKey) (KeyType, error) {
  return EC256, nil
  case "P-384":
  return EC384, nil
+ case "P-521":
+ return EC521, nil
  default:
  return -1, errors.New(op, fmt.Sprintf("unsupported curve: %s", curveName))
  }
@@ -98,6 +102,8 @@ func NewPrivateKey(kt KeyType) (crypto.PrivateKey, error) {
  pk, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  case EC384:
  pk, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+ case EC521:
+ pk, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
  case RSA2048:
  pk, err = rsa.GenerateKey(rand.Reader, 2048)
  case RSA4096:
@@ -124,7 +130,7 @@ func ReadPrivateKey(kt KeyType, r io.Reader, pemDecode bool) (crypto.PrivateKey,
  err error
  )
  switch kt {
- case EC256, EC384:
+ case EC256, EC384, EC521:
  pk, err = readKey(r, pemDecode, parseECDSAKey)
  case RSA2048, RSA4096, RSA8192:
  pk, err = readKey(r, pemDecode, parseRSAKey)

diff --git a/pkg/certutil/key_test.go b/pkg/certutil/key_test.go
@@ -27,6 +27,7 @@ func TestNewPrivateKey(t *testing.T) {
  }{
  {"EC256", certutil.EC256, (*ecdsa.PrivateKey)(nil)},
  {"EC384", certutil.EC384, (*ecdsa.PrivateKey)(nil)},
+ {"EC521", certutil.EC521, (*ecdsa.PrivateKey)(nil)},
  {"RSA2048", certutil.RSA2048, (*rsa.PrivateKey)(nil)},
  {"RSA4096", certutil.RSA4096, (*rsa.PrivateKey)(nil)},
  {"RSA8192", certutil.RSA8192, (*rsa.PrivateKey)(nil)},
@@ -65,6 +66,8 @@ func TestReadPrivateKey(t *testing.T) {
  {"ec256.der", certutil.EC256, false},
  {"ec384.pem", certutil.EC384, true},
  {"ec384.der", certutil.EC384, false},
+ {"ec521.der", certutil.EC521, false},
+ {"ec521.pem", certutil.EC521, true},
  {"rsa2048.pem", certutil.RSA2048, true},
  {"rsa2048.der", certutil.RSA2048, false},
  {"rsa4096.der", certutil.RSA4096, false},
@@ -141,6 +144,8 @@ func TestWritePrivateKey(t *testing.T) {
  {"ec256.der", certutil.EC256, false},
  {"ec384.pem", certutil.EC384, true},
  {"ec384.der", certutil.EC384, false},
+ {"ec521.pem", certutil.EC521, true},
+ {"ec521.der", certutil.EC521, false},
  {"rsa2048.pem", certutil.RSA2048, true},
  {"rsa2048.der", certutil.RSA2048, false},
  {"rsa4096.der", certutil.RSA4096, false},

diff --git a/pkg/certutil/openssl.go b/pkg/certutil/openssl.go
@@ -22,7 +22,7 @@ func CreateOpenSSLPrivateKey(t *testing.T, kt KeyType, keyPath string, pemEncode
  t.Fatalf("failed to create target directory: %v", err)
  }
  switch kt {
- case EC256, EC384:
+ case EC256, EC384, EC521:
  createOpenSSLECPrivateKey(t, kt, dir, keyFile, pemEncode)
  case RSA2048, RSA4096, RSA8192:
  createOpenSSLRSAPrivateKey(t, kt, dir, keyFile, pemEncode)
@@ -38,6 +38,8 @@ func createOpenSSLECPrivateKey(t *testing.T, kt KeyType, dir, keyFile string, pe
  argv = append(argv, "ecparam", "-name", "prime256v1", "-genkey", "-noout")
  case EC384:
  argv = append(argv, "ecparam", "-name", "secp384r1", "-genkey", "-noout")
+ case EC521:
+ argv = append(argv, "ecparam", "-name", "secp521r1", "-genkey", "-noout")
  default:
  t.Fatal("unsupported key type")
  }

diff --git a/pkg/certutil/testdata/TestReadPrivateKey/ec521.der b/pkg/certutil/testdata/TestReadPrivateKey/ec521.der
diff --git a/pkg/certutil/testdata/TestReadPrivateKey/ec521.pem b/pkg/certutil/testdata/TestReadPrivateKey/ec521.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBD/n/UCE1fNtAuvGTwdbsWFWOyG4dx8mXtE+sIz+QXo2maCuFX4r5
+sA6Y5ZTqXDIdZ3goYi1AiKAAtCxl7qjLG8ygBwYFK4EEACOhgYkDgYYABAAlh4H8
+ig7DqLPviAGPy1Vt5F/egKctW4/q+/5gPqeKCWon+5lmm5aXda9KUA2zxwcamPng
+j+mcjKNq1tY2ky9IVQHpgGQC5QybKIH+iPzj2jpOcYvak+m2Hqc80BTI/PdAmI0W
+UQf6xs6glzhSIDJybdYT/c9f19eIFKLZxq3Cq8RSdA==
+-----END EC PRIVATE KEY-----
diff --git a/pkg/certutil/testdata/TestWritePrivateKey/ec521.der b/pkg/certutil/testdata/TestWritePrivateKey/ec521.der
diff --git a/pkg/certutil/testdata/TestWritePrivateKey/ec521.pem b/pkg/certutil/testdata/TestWritePrivateKey/ec521.pem
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIA3QWHrhc1Acq3sHePawoxI3nRpACrArQx5bA92jcKU+/Wh5knlfZG
+E/1S1dmjZMTeqJeXg5ozTVhf3Il8Q5E6SfegBwYFK4EEACOhgYkDgYYABAEbrDTv
+MZfUuAxN4r1LnUIKmjp9zNmO4eOFPI/wu8P6SCwa+frhymEWb738/KC5Vj43DfT8
+wXy9IV9XeoCq/UKvQQEJU+d8FpOBdPmheTr6rOcxkLCC9CfzQYMZZ+yD0a/tfyIj
+iTeVXm3FVtJuaj7vCPp8FFIuJKxw/+YIgUOEqPGvYg==
+-----END EC PRIVATE KEY-----