From 602d8c6cf62f5692efe9abd1ca53ed84f5817abd Mon Sep 17 00:00:00 2001
From: Rodolphe Breard
Date: Wed, 26 Aug 2020 14:12:04 +0200
Subject: [PATCH] Add the `--crt-signature-alg` option in tacd
---
 acme_common/src/crypto/key_type.rs | 15 ++++++++++++++-
 man/en/tacd.8 | 5 +++++
 tacd/src/main.rs | 16 +++++++++++++++-
 3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/acme_common/src/crypto/key_type.rs b/acme_common/src/crypto/key_type.rs
index edaa3ec..2207821 100644
--- a/acme_common/src/crypto/key_type.rs
+++ b/acme_common/src/crypto/key_type.rs
@@ -47,13 +47,26 @@ impl KeyType {
 Err(err_msg.into())
 }
 }
+
+ pub fn list_possible_values() -> Vec<&'static str> {
+ vec![
+ "rsa2048",
+ "rsa4096",
+ "ecdsa-p256",
+ "ecdsa-p384",
+ #[cfg(ed25519)]
+ "ed25519",
+ #[cfg(ed448)]
+ "ed448",
+ ]
+ }
 }
 impl FromStr for KeyType {
 type Err = Error;
 fn from_str(s: &str) -> Result {
- match s.to_lowercase().as_str() {
+ match s.to_lowercase().replace("-", "_").as_str() {
 "rsa2048" => Ok(KeyType::Rsa2048),
 "rsa4096" => Ok(KeyType::Rsa4096),
 "ecdsa_p256" => Ok(KeyType::EcdsaP256),
diff --git a/man/en/tacd.8 b/man/en/tacd.8
index 274f22e..c8b5a74 100644
--- a/man/en/tacd.8
+++ b/man/en/tacd.8
@@ -14,6 +14,7 @@
 .Nm
 .Op Fl e|--acme-ext Ar STRING
 .Op Fl -acme-ext-file Ar FILE
+.Op Fl -crt-signature-alg Ar STRING
 .Op Fl d|--domain Ar STRING
 .Op Fl -domain-file Ar STRING
 .Op Fl f|--foreground
@@ -49,6 +50,10 @@ The options are as follows:
 The acmeIdentifier extension to set in the self-signed certificate.
 .It Fl -acme-ext-file Ar FILE
 File from which is read the acmeIdentifier extension to set in the self-signed certificate.
+.It Fl -crt-signature-alg Ar STRING
+Set the certificate's signature algorithm. Possible values depends on the cryptographic library support and can be listed using the
+.Em --help
+flag.
 .It Fl d, -domain Ar STRING
 The domain that is being validated.
 .It Fl -domain-file Ar STRING
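Review bot: `list_possible_values` duplicates the names that `from_str` matches a few lines below it, with nothing tying the two together, so a variant added to one side (or a `cfg` gate present on only one side) silently desynchronises what the CLI advertises from what the parser accepts; a unit test such as `for v in KeyType::list_possible_values() { assert!(v.parse::<KeyType>().is_ok(), "{}", v); }` pins that every advertised name parses. The new function is `pub` but undocumented; a header like `/// Key-type names accepted on the command line; keep in sync with the FromStr impl below.` would tell the next maintainer about the coupling. Since the list is static, returning `&'static [&'static str]` instead of allocating a `Vec` on every call would also work with `#[cfg]` on the elements. The `from_str` body continues beyond the hunk, so I cannot confirm whether its `ed25519`/`ed448` arms carry the same `cfg` gates as the list.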
diff --git a/tacd/src/main.rs b/tacd/src/main.rs
index 54dd1db..18dc254 100644
--- a/tacd/src/main.rs
+++ b/tacd/src/main.rs
@@ -50,13 +50,18 @@ fn init(cnf: &ArgMatches) -> Result<(), Error> {
 let domain = to_idna(&domain)?;
 let ext = get_acme_value(cnf, "acme-ext", "acme-ext-file")?;
 let listen_addr = cnf.value_of("listen").unwrap_or(DEFAULT_LISTEN_ADDR);
- let (pk, cert) = X509Certificate::from_acme_ext(&domain, &ext, DEFAULT_CRT_KEY_TYPE)?;
+ let crt_signature_alg = match cnf.value_of("crt-signature-alg") {
+ Some(alg) => alg.parse()?,
+ None => DEFAULT_CRT_KEY_TYPE,
+ };
+ let (pk, cert) = X509Certificate::from_acme_ext(&domain, &ext, crt_signature_alg)?;
 info!("Starting {} on {} for {}", APP_NAME, listen_addr, domain);
 server_start(listen_addr, &cert, &pk)?;
 Ok(())
 }
 fn main() {
+ let default_crt_key_type = DEFAULT_CRT_KEY_TYPE.to_string();
 let matches = App::new(APP_NAME)
 .version(APP_VERSION)
 .arg(
@@ -101,6 +106,15 @@ fn main() {
 .value_name("FILE")
 .conflicts_with("acme-ext")
 )
+ .arg(
+ Arg::with_name("crt-signature-alg")
+ .long("crt-signature-alg")
+ .help("The certificate's signature algorithm")
+ .takes_value(true)
+ .value_name("STRING")
+ .possible_values(&KeyType::list_possible_values())
+ .default_value(&default_crt_key_type)
+ )
 .arg(
 Arg::with_name("log-level")
 .long("log-level")
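Review bot: With `.default_value(&default_crt_key_type)` registered on the argument in the second hunk, `cnf.value_of("crt-signature-alg")` in `init` is always `Some`, so the `None => DEFAULT_CRT_KEY_TYPE` arm is dead and the default actually reaches `from_acme_ext` only after round-tripping `DEFAULT_CRT_KEY_TYPE` through `to_string()` and `parse()`. That yields the same key type only if `Display` for `KeyType` is the exact inverse of `FromStr`, which this patch does not show; a mismatch would make the built-in default differ from the typed constant without any error. The simplest fix is to drop the clap `default_value` (and the `default_crt_key_type` binding in `main`) and let the `None` arm supply the constant, so the typed value never passes through a string; if the clap default is kept for `--help` output, delete the dead arm instead so the two defaults cannot drift. `init` begins at the hunk header line and `main` continues past the end of the hunk.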
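Review bot: The help string `The certificate's signature algorithm` in the new `.arg(...)` does not match what the option selects: every accepted value (`rsa2048`, `ecdsa-p256`, …) names a key type, and `init` parses it into a `KeyType` and passes it where `DEFAULT_CRT_KEY_TYPE` used to go, so no hash or signature scheme is chosen here independently of the key. Suggest `.help("Key type used for the self-signed certificate (presumably determines its signature algorithm)")`, or wording the man page entry the same way, so operators auditing the certificate configuration are not misled. Separately, `default_crt_key_type` must itself be one of `KeyType::list_possible_values()`: if `Display` for `KeyType` emits the underscore spelling that `from_str` matches (`ecdsa_p256`) while the list advertises `ecdsa-p256`, clap may reject the default or at least print a default that is not among the listed values, so a test asserting `KeyType::list_possible_values().contains(&DEFAULT_CRT_KEY_TYPE.to_string().as_str())` is worth adding. `main` continues outside the hunk.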