
Is it possible for this script to support ECDSA? #83

Open
Remonli opened this Issue Feb 6, 2016 · 14 comments

@Remonli

Remonli commented Feb 6, 2016

Hello,

Let's Encrypt now supports ECC keys; is it possible for you to update this script?
You can check here:
https://community.letsencrypt.org/t/ecdsa-testing-on-staging/8809

Thank you for your kind reply.
Li

@diafygi

Owner

diafygi commented Feb 22, 2016

Hmmm, maybe, but can it be added and keep the script under 200 lines?

@diafygi diafygi added the help wanted label Feb 22, 2016

@drdaeman

drdaeman commented Feb 27, 2016

I implemented EC keys support, but I hadn't noticed the 200 SLOC disclaimer (sorry!), so, if you count the empty lines and comments, the script grew above the threshold.

Well, I guess I can easily cut out at least 11 lines that parse DER, by making the code more cryptic (will have to rely on "magic" offsets instead of calling openssl asn1parse). Then, possibly, remove some safety checks/assertions about key material, as bad data will be rejected by the server anyway...

@drdaeman

drdaeman commented Feb 27, 2016

Uh. Well, I had managed to squeeze everything down to 200 lines exactly, but that went against the very idea of why the limitation is there and felt like participating in an obfuscated programming contest. I don't like what I did, and did that only to see if having a low wc -l acme_tiny.py is even possible. The only optimization I actually found good is factoring out all those openssl calls into a function.

I think I'll give up at this point. It works for me, anyway. Whoever has any good idea how to make this into a good PR, suitable for the project, please do so.
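The DER parsing drdaeman refers to, as an added Python example (not code from acme-tiny or from drdaeman's branch): openssl emits an ECDSA signature as a DER SEQUENCE of two INTEGERs, while a JWS ES256/ES384/ES512 signature must be the two values concatenated at fixed curve width, and the account key's JWK thumbprint is computed over the canonical `crv`/`kty`/`x`/`y` members. The helper assumes the public-key coordinates `x` and `y` have already been extracted as raw bytes.

```python
import base64
import hashlib
import json

CURVE_BYTES = {"ES256": 32, "ES384": 48, "ES512": 66}  # coordinate width per JWS alg
CURVE_NAME = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}

def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F  # long form: the next n bytes hold the length (P-521 sigs need it)
    if n == 0 or n > 2:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _read_integer(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse a DER INTEGER at buf[pos]; return (value, position after it)."""
    if buf[pos] != 0x02:
        raise ValueError("expected DER INTEGER tag")
    length, start = _read_length(buf, pos + 1)
    return int.from_bytes(buf[start:start + length], "big"), start + length

def der_to_jws(sig_der: bytes, alg: str) -> bytes:
    """SEQUENCE { INTEGER r, INTEGER s } -> r||s, each zero-padded to the curve width."""
    width = CURVE_BYTES[alg]
    if sig_der[0] != 0x30:
        raise ValueError("expected DER SEQUENCE tag")
    seq_len, pos = _read_length(sig_der, 1)
    if pos + seq_len != len(sig_der):
        raise ValueError("SEQUENCE length does not match signature size")
    r, pos = _read_integer(sig_der, pos)
    s, pos = _read_integer(sig_der, pos)
    if pos != len(sig_der):
        raise ValueError("trailing bytes after s")
    # DER drops leading zeros and prepends 0x00 when the high bit is set;
    # JWS wants exactly `width` bytes per integer, so re-pad here.
    return r.to_bytes(width, "big") + s.to_bytes(width, "big")

def _b64(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def ec_jwk(x: bytes, y: bytes, alg: str) -> tuple[dict, str]:
    """Build the EC public JWK for an account key and its RFC 7638 thumbprint."""
    jwk = {"crv": CURVE_NAME[alg], "kty": "EC", "x": _b64(x), "y": _b64(y)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return jwk, _b64(hashlib.sha256(canonical.encode()).digest())
```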

@tchernomax

tchernomax commented Mar 1, 2016

I agree with @drdaeman.
It's preferable to increase the number of lines a bit and update the main README "200 SLOC" → "250 SLOC" than to write semi-obfuscated code.

@jedisct1

jedisct1 commented Jun 6, 2016

Make it a round number: 256 lines.

@ScottHelme

ScottHelme commented Jun 6, 2016

You can get ECDSA server certificates without any changes, which is what the thread linked was regarding. Do they accept ECDSA account keys?

@HansVanEijsden

HansVanEijsden commented Jun 6, 2016

ECDSA works great. As you can see @ https://www.weblogzwolle.nl also with a secp384r1 curve. This is how I do it, maybe it helps you: http://pastebin.com/cRAtip4z

@olmari

olmari commented Jul 16, 2016

Confirmed, using the info from the paste that @HansVanEijsden gave I was able to create an ECDSA certificate. More accurately: I used my RSA account.key (I believe that doesn't matter here, it is for authenticating "me" to LE, not related to the certificate itself) and an EC domain.key.

Currently Let's Encrypt only has an RSA intermediate, but that will also change in the future. I don't know whether LE/ACME/Boulder will automatically sign an EC CSR with the EC intermediate or whether it involves some sort of manual switch/parameter... This is something acme-tiny might need to be prepared for when it happens (currently their upcoming features say "Before March 31, 2017"). Otherwise EC(DSA) certificate making works well in the current situation.

@pfoo

pfoo commented Apr 14, 2017

Any update on merging this?
I understand the whole <200 lines thing, but isn't adding a major feature worth a few more lines?

@rotanid

rotanid commented Apr 15, 2017

@pfoo it seems @diafygi isn't caring about acme-tiny anymore :-(

@andreasscherbaum

andreasscherbaum commented Apr 15, 2017

One can always fork it ... I'm using my own fork, but need to upgrade it as well.

@olmari

olmari commented Apr 15, 2017

So what is the problem? ECDSA certs already work... Just read this ticket...

@pfoo

pfoo commented Apr 15, 2017

I was actually speaking of @drdaeman's implementation of ECDSA account key support; ECDSA for the domain key is already supported.

@olmari

olmari commented Apr 15, 2017

Ah.. well.. this ticket was originally AFAIK about the ECDSA cert key, not the account key...