From bbf5d1685442431812387c77ed1cfd546824de88 Mon Sep 17 00:00:00 2001
From: Cristian Yxen <cryx@h3q.com>
Date: Thu, 14 Mar 2024 14:34:45 +0100
Subject: make use of AES256 encrypted EC keys and use newer hashes

---
 vchat-keygen | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'vchat-keygen')

diff --git a/vchat-keygen b/vchat-keygen
index 91fcbba..4163838 100755
--- a/vchat-keygen
+++ b/vchat-keygen
@@ -29,7 +29,8 @@ if [ ! -e $KEYBASE.key ]; then
    echo "vchat-keygen: generating RSA key $KEYBASE.key"
    echo "vchat-keygen: please set passphrase for local security"
    umask 0077
-   openssl genrsa -des3 -out $KEYBASE.key 4096
+   openssl ecparam -genkey -name secp384r1 | \
+   openssl ec -out $KEYBASE.key -aes256
 else
    echo "vchat-keygen: private key $KEYBASE.key exists"
 fi
@@ -40,11 +41,11 @@ fi
          echo "vchat-keygen: generating config-file for self-signing $KEYBASE.ca.keyconf"
          cat >$KEYBASE.ca.keyconf <<EOT
 [ req ]
-default_bits                    = 4096
 default_keyfile                 = user.key
 distinguished_name              = req_distinguished_name
 string_mask                     = nombstr
 req_extensions                  = v3_req
+default_md			= sha384
 [ req_distinguished_name ]
 commonName                      = Name
 commonName_max                  = 64
@@ -57,7 +58,7 @@ EOT
       fi
       echo "vchat-keygen: generating Certificate Signing Request $KEYBASE.csr"
 		echo "vchat-keygen: please enter your nickname at the 'Name []:' prompt"
-      openssl req -new -sha1 -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr
+      openssl req -new -sha256 -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr
 		echo "vchat-keygen: send this ($KEYBASE.csr) Certificate Signing Request to
 		vchat@vchat.berlin.ccc.de to get it signed by the vchat-CA. You will
 		receive your signed Certificate shortly."
-- 
cgit v1.2.3