Add dhparam generation to the cert generation script.

[lgarron]

April, would you mind adding this?

[april]

Aye aye cap'n!

[april]

@hotaru2k3 -- can you give me the steps that you used to generate dh-composite.pem and dh-small-subgroup.pem, so I can add them to the certificate and key generation script?

Thanks!

[lilyanatia]

for dh-small-subgroup, i used a perl script (https://gist.github.com/hotaru2k3/5f01f5b987a718d45bb1; note that this is a horrible way to generate "real" parameters, but it's really fast if you don't need parameters that are actually secure), like so:
perl gendh.pl 2048 31

for dh-composite, i intended to just use 7^729 with 5 as the generator (#40), but apparently i accidentally replaced the file with dh-small-subgroup.pem... that should probably be fixed.
if you want to be really clever, openssl dhparam -check sometimes thinks this is a prime:

-----BEGIN DH PARAMETERS-----
MIGrAoGlIEshInKAeSezV2ca791LS3oPEnSWJc1xtUnWuLmJXpf8+frcrybGGNqD
yex/azkCBmG6Qi5sggrBTTuDKdbHHRahlTr9YKCqTGMBn5wpwI0FsMT80EH+vqpb
DoR15ulsxJR4726a6He0076BB708ZLNevH8r1xnGQXIHquwhUYEnGbW1uuZFYrzS
7UQXeirDFKRPNE30oS4NT7j/mcQJm/x3kksrAgEF
-----END DH PARAMETERS-----

i've been thinking about trying to generate a 2048-bit composite that fools openssl's prime check even more often, but the process looks really tedious.

[april]

FYI, the "normal" dhparam ones are all in my push request. :)

[lgarron]

dh-composite.pem and dh-small-subgroup.pem are now reused unconditionally every time you generate cert stuff: https://github.com/google/badssl.com/tree/master/certs/src/dhparam

It would be nice to be able to regenerate these using e.g. @hotaru2k3's script.
(If this is slow, we can do what we currently do with dh2048.pem and place it in the certs/sets/test/pregen folder to avoid regenerating it, by default.

[april]

I might be okay with having static DH files. They can take a long time to generate, especially on VMs.

[lgarron]

They can take a long time to generate, especially on VMs.

Yeah, that part is solved by the pregen folder. But I'd still like a way to force regenerating them from scratch.

[april]

I believe the old certificate generator used to have that, must have been something that got excluded on the way in.

Can probably just have a make dhparams-regen that deletes the files that are currently in the pregen folder, and then creates them back in there by scratch. If you set the proper .gitignore on that folder, git should ignore any changes to those files.

[lgarron]

Can probably just have a make dhparams-regen that deletes the files that are currently in the pregen folder, and then creates them back in there by scratch. If you set the proper .gitignore on that folder, git should ignore any changes to those files.

I don't think we should ever delete anything from the pregen folders, but we can certainly add instructions for doing so.

If you're talking about adding all 6 current dhparams into certs/sets/test/pregen, that sounds fine by me. But note that cert generation actually happens outside the VM now, so that should only save a few seconds for each new/cleaned repo.