Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25])
	by mail-b.sr.ht (Postfix) with ESMTPS id 2D52FFF089
	for <~sircmpwn/gmni-devel@lists.sr.ht>; Sat, 21 Nov 2020 14:09:33 +0000 (UTC)
Authentication-Results: mail-b.sr.ht;
	dkim=fail reason="key not found in DNS" (0-bit key) header.d=markdain.net header.i=@markdain.net header.b=DGCu9UFj;
	dkim=fail reason="key not found in DNS" (0-bit key) header.d=messagingengine.com header.i=@messagingengine.com header.b=Z0XMqAo5
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
	by mailout.west.internal (Postfix) with ESMTP id E6FC4C6A;
	Sat, 21 Nov 2020 09:09:31 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
  by compute4.internal (MEProxy); Sat, 21 Nov 2020 09:09:32 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=markdain.net; h=
	from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding; s=fm2; bh=giRkIRbGIHjMU4th5nZVlLiN2c
	a+BL4ZgKXtU8Zesro=; b=DGCu9UFjP/TWMPez2MaGhuk+if08pRvVNgTtBy+EFK
	13LxeZvLF0Cy+T5yYxk2tpIlnOBuq5fXYEhKYE4wWMVVRuhyZ+jplSajU0L5k642
	egGvlY249nra24Wd/qW2CWAEqVPrDr5AjuZgbvHfK7i8+0tDCBaxW1yHGScN2NDC
	iMLvoeNhOnedE7OjXi9NGxxRuHgOnqk3yQV/t1Vccyhii8OpzykedaFATRvK2Uga
	vHEZuVPrYBCkRlJdh+xMlFI/la+SKRnCwGUGYWJIhs8IdUUhuLWUfkHfN5HDM03Z
	z6ew7VpcSOsvD6hUZQ67uqxpIUnX7TXEzswjEjwKfj4w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:content-transfer-encoding:date:from
	:message-id:mime-version:subject:to:x-me-proxy:x-me-proxy
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=giRkIRbGIHjMU4th5
	nZVlLiN2ca+BL4ZgKXtU8Zesro=; b=Z0XMqAo5abK0Ld64obiRx+CknWHR0yCEu
	bXSBwJt18CfzJSJ7okP4Qc1hIScUy+0Gj15bZT9NydAk8+Ct5ELEU/ow485QMTdX
	mLGGER3RNlAa/ZsZ5+KF1GLMwVRXI5TwicUJg7msy8tSh30CXYG+etINr+wyNQ0D
	jtv7Z9uHTG/KwrkLUrYDw/FHZDv7NcLg20tYJLDNvdRMT6XG9vpt+lFZrjQzzvD9
	4T2wRM5RxvTsBiKcK6ogXN7FpcDnF41zCejL70yuWFtAdiG+qkvMsqJKIKS23v4U
	52j8nO1XYSAzaUsVzTDZEYUml4J6vbQVyMbwKdvOFiYeIrIaJ6NwQ==
X-ME-Sender: <xms:mx-5XyCKZx0xnEIk_CzBeTe9YOuocuGpMA2Gfyp-PUoTTGsQ6eIOFQ>
    <xme:mx-5X8irpOhuTblmBp9DH2Y7MrmXNL5fg0zAuVThBu94UUuGVQDN8LczAwXfU_97D
    TpLx9kSoiUezRADFQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrudegvddgieduucetufdoteggodetrfdotf
    fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
    uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofgggfestdekredtre
    dttdenucfhrhhomhepofgrrhhkucffrghinhcuoehmrghrkhesmhgrrhhkuggrihhnrdhn
    vghtqeenucggtffrrghtthgvrhhnpeffteffveeutdejheduffdtvdeggeejgeegieeugf
    eggeelheejfffgheelhfefueenucffohhmrghinhepmhgrrhhkuggrihhnrdhnvghtnecu
    kfhppeekuddrudekjedrudejgedrheefnecuvehluhhsthgvrhfuihiivgeptdenucfrrg
    hrrghmpehmrghilhhfrhhomhepmhgrrhhksehmrghrkhgurghinhdrnhgvth
X-ME-Proxy: <xmx:mx-5X1ksM8TXKbWOIvjmwcgMetuaxDo8_i4l7EguRrEKwa0LytrEdQ>
    <xmx:mx-5XwxEkdg8rBuCGwRXvUCnN1zSrV5VeJTMdgYz_9G-hOsfpvTS3Q>
    <xmx:mx-5X3SFUBhaE0a4tMKs8FQMn7BHikLLzjZ6rEqjxi8Cmtq2f-OA-g>
    <xmx:mx-5XxftO50j_cvGryYUllJxCj0kFNdLC9HPKfiYzIFkEGkWhwPvGQ>
Received: from localhost.localdomain (53.174.187.81.in-addr.arpa [81.187.174.53])
	by mail.messagingengine.com (Postfix) with ESMTPA id EDDEF3064AAA;
	Sat, 21 Nov 2020 09:09:30 -0500 (EST)
From: Mark Dain <mark@markdain.net>
To: ~sircmpwn/gmni-devel@lists.sr.ht
Cc: Mark Dain <mark@markdain.net>
Subject: [PATCH] Switch to using ECDSA (secp384r1) keys
Date: Sat, 21 Nov 2020 13:56:37 +0000
Message-Id: <20201121135636.28060-1-mark@markdain.net>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

---
This patch has been tested with gmni and Castor; both are able to use
certificates generated in this way. Additional testing can be done by
accessing gemini://markdain.net which is now serving an ECDSA cert.

The curve secp384r1 was picked because other curves would fail during
cert generation or would fail in other ways. For instance, secp256k1
would produce a certificate with shorter keys than 384r1, however no
Gemini client would accept it - nor would `openssl s_client'.

Let's Encrypt uses secp384r1 for their new ECDSA root cert, so that
seemed like a safe choice for something widely supported.

 src/tls.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/src/tls.c b/src/tls.c
index f7ed344..e3653f2 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -23,17 +23,12 @@ tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
 	EVP_PKEY *pkey = EVP_PKEY_new();
 	assert(pkey);

-	BIGNUM *bn = BN_new();
-	assert(bn);
-	BN_set_word(bn, RSA_F4);
-
-	RSA* rsa = RSA_new();
-	assert(rsa);
-	int r = RSA_generate_key_ex(rsa, 4096, bn, NULL);
+	EC_KEY* ec_key = EC_KEY_new_by_curve_name(NID_secp384r1);
+	assert(ec_key);
+	int r = EC_KEY_generate_key(ec_key);
 	assert(r == 1);
-	BN_free(bn);

-	EVP_PKEY_assign_RSA(pkey, rsa);
+	EVP_PKEY_assign_EC_KEY(pkey, ec_key);

 	X509 * x509 = X509_new();
 	assert(x509);
--
2.20.1