From 847618687958f5173c839b4f782716d5efd5105a Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Wed, 30 Nov 2022 14:59:20 +0300
Subject: [PATCH] EdDSA (ed25519) support

---
 zeasypki | 66 +++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 46 insertions(+), 20 deletions(-)

diff --git a/zeasypki b/zeasypki
index a2e9a9c..911a042 100755
--- a/zeasypki
+++ b/zeasypki
@@ -25,15 +25,15 @@ key_decrypt() {
 usage() {
     cat >&2 <<EOF
 Usage:
-  \$ $ZSH_ARGZERO:t ca [ecdsa|gost] NAME -- new CA keypair
-  \$ $ZSH_ARGZERO:t list-ca              -- list CA keypairs
-  \$ $ZSH_ARGZERO:t list                 -- list EE ones
-  \$ $ZSH_ARGZERO:t rem                  -- list certificate expirations
-  \$ $ZSH_ARGZERO:t new KEY              -- new EE
-  \$ $ZSH_ARGZERO:t renew KEY            -- renew EE
-  \$ $ZSH_ARGZERO:t dane KEY             -- show DANE SHA256 hash
-  \$ $ZSH_ARGZERO:t encrypt KEY          -- encrypt private key
-  \$ $ZSH_ARGZERO:t keypair KEY          -- PEM-encoded full keypair
+  \$ $ZSH_ARGZERO:t ca [ecdsa|gost|eddsa] NAME -- new CA keypair
+  \$ $ZSH_ARGZERO:t list-ca                    -- list CA keypairs
+  \$ $ZSH_ARGZERO:t list                       -- list EE ones
+  \$ $ZSH_ARGZERO:t rem                        -- list certificate expirations
+  \$ $ZSH_ARGZERO:t new KEY                    -- new EE
+  \$ $ZSH_ARGZERO:t renew KEY                  -- renew EE
+  \$ $ZSH_ARGZERO:t dane KEY                   -- show DANE SHA256 hash
+  \$ $ZSH_ARGZERO:t encrypt KEY                -- encrypt private key
+  \$ $ZSH_ARGZERO:t keypair KEY                -- PEM-encoded full keypair
 EOF
     exit 1
 }
@@ -48,11 +48,12 @@ key_get() {
 }
 
 certtool_genkey() {
-    certtool --generate-privkey --ecc --bits $1 --no-text
+    certtool --generate-privkey ${=1} --no-text
 }
 
-ca_new_ecdsa() {
-    local domain=$1
+ca_new_xdsa() {
+    local keytype=$1
+    local domain=$2
     local key=`mktemp`
     local tmpl=`mktemp`
     local cert=`mktemp`
@@ -64,7 +65,7 @@ expiration_days = 3650
 ca
 cert_signing_key
 EOF
-    certtool_genkey 512 > $key
+    certtool_genkey "$keytype" > $key
     certtool \
         --generate-self-signed \
         --load-privkey $key \
@@ -73,25 +74,38 @@ EOF
     reply=(${mapfile[$key]} ${mapfile[$cert]})
 }
 
+ca_new_ecdsa() {
+    ca_new_xdsa "--key-type=ecdsa --bits 512" $1
+}
+
 ee_key_new_ecdsa() {
-    certtool_genkey 256
+    certtool_genkey "--key-type=ecdsa --bits 256"
+}
+
+ca_new_eddsa() {
+    ca_new_xdsa "--key-type=ed25519" $1
+}
+
+ee_key_new_eddsa() {
+    certtool_genkey "--key-type=ed25519"
 }
 
 ee_key_new_gost() {
     cert-selfsigned-example.py --cn does-not-matter --ai 256A --only-key
 }
 
-ee_renew_ecdsa() {
-    local ca=$1
-    local domain=$2
+ee_renew_xdsa() {
+    local algo=$1
+    local ca=$2
+    local domain=$3
     local cakey=`mktemp`
     local key=`mktemp`
     local tmpl=`mktemp`
     local cert=`mktemp`
     trap "rm -f $cakey $key $tmpl $cert" HUP PIPE INT QUIT TERM EXIT
-    key_get ca/ecdsa/$ca
+    key_get ca/$algo/$ca
     mapfile[$cakey]=$REPLY
-    key_get ee/ecdsa/$ca/$domain
+    key_get ee/$algo/$ca/$domain
     mapfile[$key]=$REPLY
     cat > $tmpl <<EOF
 dn = "cn=$domain,c=RU"
@@ -100,13 +114,21 @@ signing_key
 dns_name = "$domain"
 EOF
     certtool \
-        --load-ca-certificate ca/ecdsa/$ca/cer.pem \
+        --load-ca-certificate ca/$algo/$ca/cer.pem \
         --load-ca-privkey $cakey \
         --generate-certificate \
         --load-privkey $key \
         --template $tmpl
 }
 
+ee_renew_ecdsa() {
+    ee_renew_xdsa ecdsa "$1" "$2"
+}
+
+ee_renew_eddsa() {
+    ee_renew_xdsa eddsa "$1" "$2"
+}
+
 ee_renew_gost() {
     local ca=$1
     local domain=$2
@@ -145,6 +167,10 @@ dane_ecdsa() {
     certtool --key-id --hash=sha256
 }
 
+dane_eddsa() {
+    dane_ecdsa
+}
+
 dane_gost() {
     cert-dane-hash.py
 }
-- 
2.44.0