This adds an 'eckey' command to generate an EC key, with an optional
curve name argument, with P-256 as default.
For the 'selfsigned' command, it adds an 'ec' algorithm argument to the
'-newkey' option, and a '-pkeyopt ec_paramgen_curve:<curvename>' option,
mirroring the way openssl specifies the curve name.
Notice that curve names are not necessarily the same in mbedtls and
openssl. In particular, secp256r1 works for mbedtls, but openssl uses
prime256v1 instead. px5g uses mbedtls, but short NIST curve names P-256
and P-384 are specifically supported.
Package size increased by about 900 bytes (arm).
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit a552ababd4ff8e91d3f03f7496f12d080a71ba28)
px5g has been listed as a blocker for switching to new mbedtls
as the default, therefore make and mbedtls variant of px5g so
that an new mbedtls-only image can be created.
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
Generate a random serial from /dev/urandom when creating selfsigned certs.
Fixes "sec_error_reused_issuer_and_serial" with Firefox.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 43168
the attached patch fixes a bug of px5g when instructed to build
certificates that expire after 2038-01-19, caused a multiplication that
may overflow the "to" variable of type time_t
Attached patch checks if "to" precedes "from": if so sets "to" to its
maximum value. Pretty rude, but works well even if certificate is set to
expire in a century
Signed-off-by: Federico Fissore <federico@fissore.org>
Patchork: http://patchwork.openwrt.org/patch/3749/
SVN-Revision: 37165
Eneas U de Queiroz