
Add the `--crt-signature-alg` option in tacd

pull/39/head
Rodolphe Breard 4 years ago
parent
commit
602d8c6cf6
  1. 15
      acme_common/src/crypto/key_type.rs
  2. 5
      man/en/tacd.8
  3. 16
      tacd/src/main.rs

15
acme_common/src/crypto/key_type.rs

@ -47,13 +47,26 @@ impl KeyType {
Err(err_msg.into()) Err(err_msg.into())
} }
} }
pub fn list_possible_values() -> Vec<&'static str> {
vec![
"rsa2048",
"rsa4096",
"ecdsa-p256",
"ecdsa-p384",
#[cfg(ed25519)]
"ed25519",
#[cfg(ed448)]
"ed448",
]
}
} }
impl FromStr for KeyType { impl FromStr for KeyType {
type Err = Error; type Err = Error;
fn from_str(s: &str) -> Result<Self, Error> { fn from_str(s: &str) -> Result<Self, Error> {
match s.to_lowercase().as_str() {
match s.to_lowercase().replace("-", "_").as_str() {
"rsa2048" => Ok(KeyType::Rsa2048), "rsa2048" => Ok(KeyType::Rsa2048),
"rsa4096" => Ok(KeyType::Rsa4096), "rsa4096" => Ok(KeyType::Rsa4096),
"ecdsa_p256" => Ok(KeyType::EcdsaP256), "ecdsa_p256" => Ok(KeyType::EcdsaP256),

5
man/en/tacd.8

@ -14,6 +14,7 @@
.Nm .Nm
.Op Fl e|--acme-ext Ar STRING .Op Fl e|--acme-ext Ar STRING
.Op Fl -acme-ext-file Ar FILE .Op Fl -acme-ext-file Ar FILE
.Op Fl -crt-signature-alg Ar STRING
.Op Fl d|--domain Ar STRING .Op Fl d|--domain Ar STRING
.Op Fl -domain-file Ar STRING .Op Fl -domain-file Ar STRING
.Op Fl f|--foreground .Op Fl f|--foreground
@ -49,6 +50,10 @@ The options are as follows:
The acmeIdentifier extension to set in the self-signed certificate. The acmeIdentifier extension to set in the self-signed certificate.
.It Fl -acme-ext-file Ar FILE .It Fl -acme-ext-file Ar FILE
File from which is read the acmeIdentifier extension to set in the self-signed certificate. File from which is read the acmeIdentifier extension to set in the self-signed certificate.
.It Fl -crt-signature-alg Ar STRING
Set the certificate's signature algorithm. Possible values depends on the cryptographic library support and can be listed using the
.Em --help
flag.
.It Fl d, -domain Ar STRING .It Fl d, -domain Ar STRING
The domain that is being validated. The domain that is being validated.
.It Fl -domain-file Ar STRING .It Fl -domain-file Ar STRING

16
tacd/src/main.rs

@ -50,13 +50,18 @@ fn init(cnf: &ArgMatches) -> Result<(), Error> {
let domain = to_idna(&domain)?; let domain = to_idna(&domain)?;
let ext = get_acme_value(cnf, "acme-ext", "acme-ext-file")?; let ext = get_acme_value(cnf, "acme-ext", "acme-ext-file")?;
let listen_addr = cnf.value_of("listen").unwrap_or(DEFAULT_LISTEN_ADDR); let listen_addr = cnf.value_of("listen").unwrap_or(DEFAULT_LISTEN_ADDR);
let (pk, cert) = X509Certificate::from_acme_ext(&domain, &ext, DEFAULT_CRT_KEY_TYPE)?;
let crt_signature_alg = match cnf.value_of("crt-signature-alg") {
Some(alg) => alg.parse()?,
None => DEFAULT_CRT_KEY_TYPE,
};
let (pk, cert) = X509Certificate::from_acme_ext(&domain, &ext, crt_signature_alg)?;
info!("Starting {} on {} for {}", APP_NAME, listen_addr, domain); info!("Starting {} on {} for {}", APP_NAME, listen_addr, domain);
server_start(listen_addr, &cert, &pk)?; server_start(listen_addr, &cert, &pk)?;
Ok(()) Ok(())
} }
fn main() { fn main() {
let default_crt_key_type = DEFAULT_CRT_KEY_TYPE.to_string();
let matches = App::new(APP_NAME) let matches = App::new(APP_NAME)
.version(APP_VERSION) .version(APP_VERSION)
.arg( .arg(
@ -101,6 +106,15 @@ fn main() {
.value_name("FILE") .value_name("FILE")
.conflicts_with("acme-ext") .conflicts_with("acme-ext")
) )
.arg(
Arg::with_name("crt-signature-alg")
.long("crt-signature-alg")
.help("The certificate's signature algorithm")
.takes_value(true)
.value_name("STRING")
.possible_values(&KeyType::list_possible_values())
.default_value(&default_crt_key_type)
)
.arg( .arg(
Arg::with_name("log-level") Arg::with_name("log-level")
.long("log-level") .long("log-level")
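Review bot: The `None => DEFAULT_CRT_KEY_TYPE` arm in init() is unreachable once main() gives the argument a `default_value`, since clap then always returns `Some` from `value_of("crt-signature-alg")`; either drop the arm or say why it stays, e.g. `None => DEFAULT_CRT_KEY_TYPE, // unreachable: main() sets a default_value`. The default string is `DEFAULT_CRT_KEY_TYPE.to_string()` while the accepted values come from `KeyType::list_possible_values()`, so the `Display` impl of `KeyType` (not visible here) must emit exactly one of the listed spellings, otherwise the default presumably fails clap's possible-value check before it is ever parsed; a unit test asserting `KeyType::list_possible_values().contains(&DEFAULT_CRT_KEY_TYPE.to_string().as_str())` would pin that. The help text `The certificate's signature algorithm` describes a value that is parsed as a `KeyType` and passed in the position `DEFAULT_CRT_KEY_TYPE` previously occupied in `from_acme_ext`, so something like `The key type (and thus signature algorithm) used for the self-signed certificate` would be more accurate. init() starts before the first hunk and main() continues past the second.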
