Add tlscurve option to specify TLS curve. (#442)

Valid values for this option are: P-224, P-256, P-384, and P-512. P-521 is the default curve used by the wallet config. Closes #441.
decred · Dec 7, 2016 · 62457f4 · 62457f4
1 parent 0a0a972
commit 62457f4
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 12 deletions.
diff --git a/config.go b/config.go
@@ -118,15 +118,16 @@ type config struct {
 	//
 	// Usernames can also be used for the consensus RPC client, so they
 	// aren't considered legacy.
-	RPCCert                string   `long:"rpccert" description:"File containing the certificate file"`
-	RPCKey                 string   `long:"rpckey" description:"File containing the certificate key"`
-	OneTimeTLSKey          bool     `long:"onetimetlskey" description:"Generate a new TLS certpair at startup, but only write the certificate to disk"`
-	DisableServerTLS       bool     `long:"noservertls" description:"Disable TLS for the RPC server -- NOTE: This is only allowed if the RPC server is bound to localhost"`
-	LegacyRPCListeners     []string `long:"rpclisten" description:"Listen for legacy RPC connections on this interface/port (default port: 9110, testnet: 19110, simnet: 18557)"`
-	LegacyRPCMaxClients    int64    `long:"rpcmaxclients" description:"Max number of legacy RPC clients for standard connections"`
-	LegacyRPCMaxWebsockets int64    `long:"rpcmaxwebsockets" description:"Max number of legacy RPC websocket connections"`
-	Username               string   `short:"u" long:"username" description:"Username for legacy RPC and dcrd authentication (if dcrdusername is unset)"`
-	Password               string   `short:"P" long:"password" default-mask:"-" description:"Password for legacy RPC and dcrd authentication (if dcrdpassword is unset)"`
+	RPCCert                string             `long:"rpccert" description:"File containing the certificate file"`
+	RPCKey                 string             `long:"rpckey" description:"File containing the certificate key"`
+	TLSCurve               *cfgutil.CurveFlag `long:"tlscurve" description:"Curve to use when generating TLS keypairs"`
+	OneTimeTLSKey          bool               `long:"onetimetlskey" description:"Generate a new TLS certpair at startup, but only write the certificate to disk"`
+	DisableServerTLS       bool               `long:"noservertls" description:"Disable TLS for the RPC server -- NOTE: This is only allowed if the RPC server is bound to localhost"`
+	LegacyRPCListeners     []string           `long:"rpclisten" description:"Listen for legacy RPC connections on this interface/port (default port: 9110, testnet: 19110, simnet: 18557)"`
+	LegacyRPCMaxClients    int64              `long:"rpcmaxclients" description:"Max number of legacy RPC clients for standard connections"`
+	LegacyRPCMaxWebsockets int64              `long:"rpcmaxwebsockets" description:"Max number of legacy RPC websocket connections"`
+	Username               string             `short:"u" long:"username" description:"Username for legacy RPC and dcrd authentication (if dcrdusername is unset)"`
+	Password               string             `short:"P" long:"password" default-mask:"-" description:"Password for legacy RPC and dcrd authentication (if dcrdpassword is unset)"`
 
 	// EXPERIMENTAL RPC server options
 	//
@@ -301,6 +302,7 @@ func loadConfig() (*config, []string, error) {
 		PromptPass:             defaultPromptPass,
 		RPCKey:                 defaultRPCKeyFile,
 		RPCCert:                defaultRPCCertFile,
+		TLSCurve:               cfgutil.NewCurveFlag(cfgutil.CurveP521),
 		LegacyRPCMaxClients:    defaultRPCMaxClients,
 		LegacyRPCMaxWebsockets: defaultRPCMaxWebsockets,
 		EnableStakeMining:      defaultEnableStakeMining,

diff --git a/internal/cfgutil/curve.go b/internal/cfgutil/curve.go
@@ -0,0 +1,82 @@
+// Copyright (c) 2016 The Decred developers
+// Use of this source code is governed by an ISC
+// license that can be found in the LICENSE file.
+
+package cfgutil
+
+import (
+	"crypto/elliptic"
+	"fmt"
+)
+
+// CurveID specifies a recognized curve through a constant value.
+type CurveID int
+
+// Recognized curve IDs.
+const (
+	CurveP224 CurveID = iota
+	CurveP256
+	CurveP384
+	CurveP521
+)
+
+// CurveFlag describes a curve and implements the flags.Marshaler and
+// Unmarshaler interfaces so it can be used as a config struct field.
+type CurveFlag struct {
+	curveID CurveID
+}
+
+// NewCurveFlag creates a CurveFlag with a default curve.
+func NewCurveFlag(defaultValue CurveID) *CurveFlag {
+	return &CurveFlag{defaultValue}
+}
+
+// MarshalFlag satisifes the flags.Marshaler interface.
+func (f *CurveFlag) MarshalFlag() (name string, err error) {
+	switch f.curveID {
+	case CurveP224:
+		name = "P-224"
+	case CurveP256:
+		name = "P-256"
+	case CurveP384:
+		name = "P-384"
+	case CurveP521:
+		name = "P-521"
+	default:
+		err = fmt.Errorf("unknown curve ID %v", int(f.curveID))
+	}
+	return
+}
+
+// UnmarshalFlag satisifes the flags.Unmarshaler interface.
+func (f *CurveFlag) UnmarshalFlag(value string) error {
+	switch value {
+	case "P-224":
+		f.curveID = CurveP224
+	case "P-256":
+		f.curveID = CurveP256
+	case "P-384":
+		f.curveID = CurveP384
+	case "P-521":
+		f.curveID = CurveP521
+	default:
+		return fmt.Errorf("unrecognized curve %v", value)
+	}
+	return nil
+}
+
+// Curve returns the elliptic.Curve specified by the flag.
+func (f *CurveFlag) Curve() elliptic.Curve {
+	switch f.curveID {
+	case CurveP224:
+		return elliptic.P224()
+	case CurveP256:
+		return elliptic.P256()
+	case CurveP384:
+		return elliptic.P384()
+	case CurveP521:
+		return elliptic.P521()
+	default:
+		panic("unreachable")
+	}
+}
diff --git a/rpcserver.go b/rpcserver.go
@@ -6,7 +6,6 @@
 package main
 
 import (
-	"crypto/elliptic"
 	"crypto/tls"
 	"errors"
 	"fmt"
@@ -75,8 +74,8 @@ func generateRPCKeyPair(writeKey bool) (tls.Certificate, error) {
 	// Generate cert pair.
 	org := "dcrwallet autogenerated cert"
 	validUntil := time.Now().Add(time.Hour * 24 * 365 * 10)
-	cert, key, err := dcrutil.NewTLSCertPair(elliptic.P521(), org, validUntil,
-		nil)
+	cert, key, err := dcrutil.NewTLSCertPair(cfg.TLSCurve.Curve(), org,
+		validUntil, nil)
 	if err != nil {
 		return tls.Certificate{}, err
 	}

diff --git a/sample-dcrwallet.conf b/sample-dcrwallet.conf
@@ -48,6 +48,9 @@
 ; rpccert=~/.drcwallet/rpc.cert
 ; rpckey=~/.drcwallet/rpc.key
 
+; Curve to use when autogenerating TLS keypairs
+; tlscurve=P-521
+
 ; Enable one time TLS keys.  This option results in the process generating
 ; a new certificate pair each startup, writing only the certificate file
 ; to disk.  This is a more secure option for clients that only interact with