Add support for elliptic curve keys #431

Merged, 1 commit, Apr 21, 2022
67 changes: 65 additions & 2 deletions REFERENCE.md
@@ -244,9 +244,12 @@ The following parameters are available in the `openvpn::ca` defined type:
* [`email`](#email)
* [`common_name`](#common_name)
* [`group`](#group)
* [`ssl_key_algo`](#ssl_key_algo)
* [`ssl_key_size`](#ssl_key_size)
* [`ssl_key_curve`](#ssl_key_curve)
* [`key_expire`](#key_expire)
* [`ca_expire`](#ca_expire)
* [`digest`](#digest)
* [`key_name`](#key_name)
* [`key_ou`](#key_ou)
* [`key_cn`](#key_cn)
@@ -310,14 +313,30 @@ User to drop privileges to after startup

Default value: ``undef``

##### <a name="ssl_key_algo"></a>`ssl_key_algo`

Data type: `Enum['rsa', 'ec', 'ed']`

SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys

Default value: `'rsa'`

##### <a name="ssl_key_size"></a>`ssl_key_size`

Data type: `Integer`

Length of SSL keys (in bits) generated by this module.
Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa

Default value: `2048`

##### <a name="ssl_key_curve"></a>`ssl_key_curve`

Data type: `String`

Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed

Default value: `'secp384r1'`

##### <a name="key_expire"></a>`key_expire`

Data type: `Integer`
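Review bot: the `ssl_key_curve` description ("used if ssl_key_algo is ec, ed") implies a named curve is chosen for `ed` as well, but an ed25519 key carries no separate curve choice, so the `'secp384r1'` default is misleading for that mode; say that the parameter applies to `ec` only, or state what value (if any) is consumed when the algorithm is `ed`. REFERENCE.md has the puppet-strings layout, so the wording should be fixed in the `@param` docstrings in `manifests/ca.pp` and `manifests/server.pp` and the file regenerated rather than edited by hand.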
@@ -334,6 +353,14 @@ The number of days to certify the CA certificate for

Default value: `3650`

##### <a name="digest"></a>`digest`

Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']`

Cryptographic digest to use

Default value: `'sha512'`

##### <a name="key_name"></a>`key_name`

Data type: `Optional[String]`
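Review bot: the `digest` enum accepts `'md5'` and `'sha1'`; MD5 is collision-broken and SHA-1 certificate signatures are rejected by current browsers and by OpenSSL at its default security level, so a CA built with either value will produce certificates that clients refuse. Unless there is a concrete compatibility need, drop both from the `Enum`, or at least document them as legacy-only in the description; the `'sha512'` default is appropriate.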
@@ -938,7 +965,10 @@ The following parameters are available in the `openvpn::server` defined type:
* [`route`](#route)
* [`route_ipv6`](#route_ipv6)
* [`keepalive`](#keepalive)
* [`ssl_key_algo`](#ssl_key_algo)
* [`ssl_key_size`](#ssl_key_size)
* [`ssl_key_curve`](#ssl_key_curve)
* [`ecdh_curve`](#ecdh_curve)
* [`topology`](#topology)
* [`c2c`](#c2c)
* [`tcp_nodelay`](#tcp_nodelay)
@@ -976,6 +1006,7 @@ The following parameters are available in the `openvpn::server` defined type:
* [`persist_tun`](#persist_tun)
* [`key_expire`](#key_expire)
* [`crl_days`](#crl_days)
* [`digest`](#digest)
* [`ca_expire`](#ca_expire)
* [`key_name`](#key_name)
* [`key_ou`](#key_ou)
@@ -1264,14 +1295,38 @@ Add keepalive directive (ping and ping-restart) to server. Should match the form

Default value: ``undef``

##### <a name="ssl_key_algo"></a>`ssl_key_algo`

Data type: `Enum['rsa', 'ec', 'ed']`

SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys

Default value: `'rsa'`

##### <a name="ssl_key_size"></a>`ssl_key_size`

Data type: `Integer`

Length of SSL keys (in bits) generated by this module.
Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa

Default value: `2048`

##### <a name="ssl_key_curve"></a>`ssl_key_curve`

Data type: `String`

Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed

Default value: `'secp384r1'`

##### <a name="ecdh_curve"></a>`ecdh_curve`

Data type: `String`

Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed

Default value: `'secp384r1'`

##### <a name="topology"></a>`topology`

Data type: `String`
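Review bot: the `ecdh_curve` description ("used if ssl_key_algo is ec, ed") presents the restriction as if it came from OpenVPN, but the `ecdh-curve` directive is independent of the certificate key type; the restriction is a choice this PR makes. The text should say what an rsa server uses for key exchange (the generated DH parameters) and what an ec/ed server uses (the named curve), so that a reader understands why the two curve parameters share the same `'secp384r1'` default and when each one takes effect.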
@@ -1568,6 +1623,14 @@ The number of days the client revocation list will be valid for after generating

Default value: `30`

##### <a name="digest"></a>`digest`

Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']`

Cryptographic digest to use

Default value: `'sha512'`

##### <a name="ca_expire"></a>`ca_expire`

Data type: `Integer`
63 changes: 39 additions & 24 deletions manifests/ca.pp
@@ -7,9 +7,12 @@
# @param email Email address to be used for the SSL certificate
# @param common_name Common name to be used for the SSL certificate
# @param group User to drop privileges to after startup
# @param ssl_key_size Length of SSL keys (in bits) generated by this module.
# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
# @param key_expire The number of days to certify the server certificate for
# @param ca_expire The number of days to certify the CA certificate for
# @param digest Cryptographic digest to use
# @param key_name Value for name_default variable in openssl.cnf and KEY_NAME in vars
# @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
# @param key_cn Value for commonName_default variable in openssl.cnf and KEY_CN in vars
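Review bot: the `ssl_key_algo` docstring ("SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys") is terse and does not mention the easy-rsa 2.0 limitation that the manifest enforces further down with `fail('easy-rsa 2.0 supports only rsa keys.')`. Suggest something like `# @param ssl_key_algo Key algorithm for the CA and server keys: 'rsa' (default, size from ssl_key_size), 'ec' (named curve from ssl_key_curve) or 'ed' (ed25519). Only 'rsa' is supported with easy-rsa 2.0.` and trim the `ssl_key_curve` line to the `ec` case it actually governs.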
@@ -23,22 +26,25 @@
# }
#
define openvpn::ca (
Optional[String] $country = undef,
Optional[String] $province = undef,
Optional[String] $city = undef,
Optional[String] $organization = undef,
Optional[String] $email = undef,
String $common_name = 'server',
Optional[String] $group = undef,
Integer $ssl_key_size = 2048,
Integer $ca_expire = 3650,
Integer $key_expire = 3650,
Integer $crl_days = 30,
Optional[String] $key_cn = undef,
Optional[String] $key_name = undef,
Optional[String] $key_ou = undef,
Boolean $tls_auth = false,
Boolean $tls_static_key = false,
Optional[String] $country = undef,
Optional[String] $province = undef,
Optional[String] $city = undef,
Optional[String] $organization = undef,
Optional[String] $email = undef,
String $common_name = 'server',
Optional[String] $group = undef,
Enum['rsa', 'ec', 'ed'] $ssl_key_algo = 'rsa',
Integer $ssl_key_size = 2048,
String $ssl_key_curve = 'secp384r1',
Integer $ca_expire = 3650,
Integer $key_expire = 3650,
Integer $crl_days = 30,
Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest = 'sha512',
Optional[String] $key_cn = undef,
Optional[String] $key_name = undef,
Optional[String] $key_ou = undef,
Boolean $tls_auth = false,
Boolean $tls_static_key = false,
) {
if $tls_auth {
warning('Parameter $tls_auth is deprecated. Use $tls_static_key instead.')
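Review bot: `String $ssl_key_curve = 'secp384r1'` is unconstrained, and the value is written into the easy-rsa `vars` file, which the `easyrsa` script sources as shell; a value containing quotes, whitespace or `$` would land there verbatim. Restrict it to the curves easy-rsa/OpenSSL accept with an `Enum[...]`, or at minimum `Pattern[/\A[A-Za-z0-9_-]+\z/]`. In the same spirit, `Integer $ssl_key_size = 2048` accepts any integer, including sizes that are not secure; `Integer[2048]` would reject those at catalog compile time instead of at key generation.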
@@ -80,6 +86,10 @@

case $openvpn::easyrsa_version {
'2.0': {
if $ssl_key_algo != 'rsa' {
fail('easy-rsa 2.0 supports only rsa keys.')
}

file { "${server_directory}/${name}/easy-rsa/vars":
ensure => file,
mode => '0550',
@@ -136,10 +146,13 @@
{
'server_directory' => $server_directory,
'openvpn_server' => $name,
'ssl_key_algo' => $ssl_key_algo,
'ssl_key_curve' => $ssl_key_curve,
'ssl_key_size' => $ssl_key_size,
'ca_expire' => $ca_expire,
'key_expire' => $key_expire,
'crl_days' => $crl_days,
'digest' => $digest,
'country' => $country,
'province' => $province,
'city' => $city,
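Review bot: the template that consumes the new `ssl_key_algo`, `ssl_key_curve` and `digest` keys (the easy-rsa `vars` template) is not shown in this diff view, so nothing here shows how `'ed'` is translated for easy-rsa, or what `digest` does on the 2.0 path where the `fail()` guard above only checks the key algorithm. Please include the template change in the review, or point to the commit that adds it, so the mapping can be checked against the parameter docs.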
@@ -168,13 +181,15 @@
require => File["${server_directory}/${name}/easy-rsa/vars"],
}

exec { "generate dh param ${name}":
command => './easyrsa --batch gen-dh',
timeout => 20000,
cwd => "${server_directory}/${name}/easy-rsa",
creates => "${server_directory}/${name}/easy-rsa/keys/dh.pem",
provider => 'shell',
require => Exec["generate server cert ${name}"],
if ($ssl_key_algo == 'rsa') {
exec { "generate dh param ${name}":
command => './easyrsa --batch gen-dh',
timeout => 20000,
cwd => "${server_directory}/${name}/easy-rsa",
creates => "${server_directory}/${name}/easy-rsa/keys/dh.pem",
provider => 'shell',
require => Exec["generate server cert ${name}"],
}
}

exec { "generate server cert ${name}":
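Review bot: wrapping `gen-dh` in `if ($ssl_key_algo == 'rsa')` means `keys/dh.pem` will not exist for ec/ed servers, so the generated server configuration must emit `dh none` (or omit the `dh` line) in that case, otherwise OpenVPN refuses to start on the missing file; that template change is not visible in this diff and should be confirmed. Also consider whether an rsa server should still run `gen-dh` when the operator sets `ecdh_curve`, since OpenVPN can use ECDH with RSA certificates too; as written the DH generation is tied to the certificate key type rather than to the chosen key exchange.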
13 changes: 12 additions & 1 deletion manifests/server.pp
@@ -33,7 +33,10 @@
# @param route Add route to routing table after connection is established. Multiple routes can be specified.
# @param route_ipv6 Add IPv6 route to routing table after connection is established. Multiple routes can be specified.
# @param keepalive Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".
# @param ssl_key_size Length of SSL keys (in bits) generated by this module.
# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
# @param ecdh_curve Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed
# @param topology Define the network topology type
# @param c2c Enable client to client visibility
# @param tcp_nodelay Enable/Disable.
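Review bot: the `ecdh_curve` docstring is the `ssl_key_curve` line with "ECDH key exchange" substituted, so it inherits the same ambiguity about `ed`. Say what the parameter actually drives, e.g. `# @param ecdh_curve Named curve for the ecdh-curve server directive; emitted only when ssl_key_algo is 'ec' or 'ed' (rsa servers use the generated DH parameters)`, assuming that is what the server template does.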
@@ -71,6 +74,7 @@
# @param persist_tun Try to retain access to resources that may be unavailable because of privilege downgrades
# @param key_expire The number of days to certify the server certificate for
# @param crl_days The number of days the client revocation list will be valid for after generating
# @param digest Cryptographic digest to use
# @param ca_expire The number of days to certify the CA certificate for
# @param key_name Value for name_default variable in openssl.cnf and KEY_NAME in vars
# @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
@@ -175,7 +179,10 @@
Array $route_ipv6 = [],
Optional[String[1]] $keepalive = undef,
Variant[Boolean, Integer] $fragment = false,
Enum['rsa', 'ec', 'ed'] $ssl_key_algo = 'rsa',
Integer $ssl_key_size = 2048,
String $ssl_key_curve = 'secp384r1',
String $ecdh_curve = 'secp384r1',
String $topology = 'net30',
Boolean $c2c = false,
Boolean $tcp_nodelay = false,
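Review bot: `String $ecdh_curve = 'secp384r1'` is rendered into the server configuration as the argument of a directive, so the same validation argument as for `ssl_key_curve` applies here: an `Enum[...]` of the curves OpenVPN accepts, or at least `Pattern[/\A[A-Za-z0-9_-]+\z/]`, keeps newlines and arbitrary text out of server.conf and turns a typo into a compile-time error rather than a server that fails to start.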
@@ -209,6 +216,7 @@
Integer $ca_expire = 3650,
Integer $key_expire = 3650,
Integer[1] $crl_days = 30,
Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest = 'sha512',
Optional[String] $key_cn = undef,
Optional[String] $key_name = undef,
Optional[String] $key_ou = undef,
@@ -365,10 +373,13 @@
email => $email,
common_name => $common_name,
group => $group,
ssl_key_algo => $ssl_key_algo,
ssl_key_size => $ssl_key_size,
ssl_key_curve => $ssl_key_curve,
ca_expire => $ca_expire,
key_expire => $key_expire,
crl_days => $crl_days,
digest => $digest,
key_cn => $key_cn,
key_name => $key_name,
key_ou => $key_ou,