cmd/acme: Generate ECDSA P-256 keys instead of RSA 2048-bit

ECDSA is much faster and compatible with the vast majority of clients.
google · Aug 19, 2016 · 2a985c7 · 2a985c7
1 parent 33c39d5
commit 2a985c7
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/cmd/acme/config.go b/cmd/acme/config.go
@@ -13,8 +13,9 @@ package main
 
 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"encoding/json"
 	"encoding/pem"
@@ -123,12 +124,16 @@ func readKey(path string) (crypto.Signer, error) {
 
 // writeKey writes k to the specified path in PEM format.
 // If file does not exists, it will be created with 0600 mod.
-func writeKey(path string, k *rsa.PrivateKey) error {
+func writeKey(path string, k *ecdsa.PrivateKey) error {
 	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return err
 	}
-	b := &pem.Block{Type: rsaPrivateKey, Bytes: x509.MarshalPKCS1PrivateKey(k)}
+	bytes, err := x509.MarshalECPrivateKey(k)
+	if err != nil {
+		return err
+	}
+	b := &pem.Block{Type: ecPrivateKey, Bytes: bytes}
 	if err := pem.Encode(f, b); err != nil {
 		f.Close()
 		return err
@@ -147,11 +152,11 @@ func anyKey(filename string, gen bool) (crypto.Signer, error) {
 	if !os.IsNotExist(err) || !gen {
 		return nil, err
 	}
-	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, err
 	}
-	return rsaKey, writeKey(filename, rsaKey)
+	return ecKey, writeKey(filename, ecKey)
 }
 
 // sameDir returns filename path placing it in the same dir as existing file.

diff --git a/cmd/acme/reg.go b/cmd/acme/reg.go
@@ -39,8 +39,11 @@ If the config dir does not exist, it will be created.
 
 Contact arguments can be anything: email, phone number, etc.
 
-If -gen flag is not specified, and an account key does not exist, the command
-will exit with an error.
+The -gen flag will generate an ECDSA P-256 keypair to use as the account key.
+
+If -gen flag is not specified, and a file named account.key containing
+a PEM-encoded ECDSA or RSA private key does not exist, the command will exit
+with an error.
 
 The registration may require the user to agree to the CA Terms of Service (TOS).
 If so, and the -accept argument is not provided, the command prompts the user

diff --git a/cmd/acme/usage.go b/cmd/acme/usage.go
@@ -37,7 +37,7 @@ Use "acme help [topic]" for more information about that topic.
 		Long: `
 The program keeps all configuration, including issued certificates and
 the corresponding keys, in a single directory which is tied to a specific account
-identified by a private RSA key.
+identified by a private key.
 
 The account metadata are stored in {{.AccountFile}} file, while the account
 private key is kept in {{.AccountKey}} file.