Added support for elliptic curve keys

Author: jkroepke

REFERENCE.md

@@ -244,9 +244,12 @@ The following parameters are available in the `openvpn::ca` defined type:
 * [`email`](#email)
 * [`common_name`](#common_name)
 * [`group`](#group)
+* [`ssl_key_algo`](#ssl_key_algo)
 * [`ssl_key_size`](#ssl_key_size)
+* [`ssl_key_curve`](#ssl_key_curve)
 * [`key_expire`](#key_expire)
 * [`ca_expire`](#ca_expire)
+* [`digest`](#digest)
 * [`key_name`](#key_name)
 * [`key_ou`](#key_ou)
 * [`key_cn`](#key_cn)
@@ -310,14 +313,30 @@ User to drop privileges to after startup
 
 Default value: ``undef``
 
+##### <a name="ssl_key_algo"></a>`ssl_key_algo`
+
+Data type: `Enum['rsa', 'ec', 'ed']`
+
+SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
+
+Default value: `'rsa'`
+
 ##### <a name="ssl_key_size"></a>`ssl_key_size`
 
 Data type: `Integer`
 
-Length of SSL keys (in bits) generated by this module.
+Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
 
 Default value: `2048`
 
+##### <a name="ssl_key_curve"></a>`ssl_key_curve`
+
+Data type: `String`
+
+Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
+
+Default value: `'secp384r1'`
+
 ##### <a name="key_expire"></a>`key_expire`
 
 Data type: `Integer`
@@ -334,6 +353,14 @@ The number of days to certify the CA certificate for
 
 Default value: `3650`
 
+##### <a name="digest"></a>`digest`
+
+Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']`
+
+Cryptographic digest to use
+
+Default value: `'sha512'`
+
 ##### <a name="key_name"></a>`key_name`
 
 Data type: `Optional[String]`
@@ -938,7 +965,10 @@ The following parameters are available in the `openvpn::server` defined type:
 * [`route`](#route)
 * [`route_ipv6`](#route_ipv6)
 * [`keepalive`](#keepalive)
+* [`ssl_key_algo`](#ssl_key_algo)
 * [`ssl_key_size`](#ssl_key_size)
+* [`ssl_key_curve`](#ssl_key_curve)
+* [`ecdh_curve`](#ecdh_curve)
 * [`topology`](#topology)
 * [`c2c`](#c2c)
 * [`tcp_nodelay`](#tcp_nodelay)
@@ -976,6 +1006,7 @@ The following parameters are available in the `openvpn::server` defined type:
 * [`persist_tun`](#persist_tun)
 * [`key_expire`](#key_expire)
 * [`crl_days`](#crl_days)
+* [`digest`](#digest)
 * [`ca_expire`](#ca_expire)
 * [`key_name`](#key_name)
 * [`key_ou`](#key_ou)
@@ -1264,14 +1295,38 @@ Add keepalive directive (ping and ping-restart) to server. Should match the form
 
 Default value: ``undef``
 
+##### <a name="ssl_key_algo"></a>`ssl_key_algo`
+
+Data type: `Enum['rsa', 'ec', 'ed']`
+
+SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
+
+Default value: `'rsa'`
+
 ##### <a name="ssl_key_size"></a>`ssl_key_size`
 
 Data type: `Integer`
 
-Length of SSL keys (in bits) generated by this module.
+Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
 
 Default value: `2048`
 
+##### <a name="ssl_key_curve"></a>`ssl_key_curve`
+
+Data type: `String`
+
+Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
+
+Default value: `'secp384r1'`
+
+##### <a name="ecdh_curve"></a>`ecdh_curve`
+
+Data type: `String`
+
+Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed
+
+Default value: `'secp384r1'`
+
 ##### <a name="topology"></a>`topology`
 
 Data type: `String`
@@ -1568,6 +1623,14 @@ The number of days the client revocation list will be valid for after generating
 
 Default value: `30`
 
+##### <a name="digest"></a>`digest`
+
+Data type: `Enum['md5','sha1','sha256','sha224','sha384','sha512']`
+
+Cryptographic digest to use
+
+Default value: `'sha512'`
+
 ##### <a name="ca_expire"></a>`ca_expire`
 
 Data type: `Integer`

manifests/ca.pp

@@ -7,9 +7,12 @@
 # @param email Email address to be used for the SSL certificate
 # @param common_name Common name to be used for the SSL certificate
 # @param group User to drop privileges to after startup
-# @param ssl_key_size Length of SSL keys (in bits) generated by this module.
+# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
+# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
+# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
 # @param key_expire The number of days to certify the server certificate for
 # @param ca_expire The number of days to certify the CA certificate for
+# @param digest Cryptographic digest to use
 # @param key_name Value for name_default variable in openssl.cnf and KEY_NAME in vars
 # @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
 # @param key_cn Value for commonName_default variable in openssl.cnf and KEY_CN in vars
@@ -23,22 +26,25 @@
 #    }
 #
 define openvpn::ca (
-  Optional[String] $country      = undef,
-  Optional[String] $province     = undef,
-  Optional[String] $city         = undef,
-  Optional[String] $organization = undef,
-  Optional[String] $email        = undef,
-  String $common_name            = 'server',
-  Optional[String] $group        = undef,
-  Integer $ssl_key_size          = 2048,
-  Integer $ca_expire             = 3650,
-  Integer $key_expire            = 3650,
-  Integer $crl_days              = 30,
-  Optional[String] $key_cn       = undef,
-  Optional[String] $key_name     = undef,
-  Optional[String] $key_ou       = undef,
-  Boolean $tls_auth              = false,
-  Boolean $tls_static_key        = false,
+  Optional[String] $country                                      = undef,
+  Optional[String] $province                                     = undef,
+  Optional[String] $city                                         = undef,
+  Optional[String] $organization                                 = undef,
+  Optional[String] $email                                        = undef,
+  String $common_name                                            = 'server',
+  Optional[String] $group                                        = undef,
+  Enum['rsa', 'ec', 'ed'] $ssl_key_algo                          = 'rsa',
+  Integer $ssl_key_size                                          = 2048,
+  String $ssl_key_curve                                          = 'secp384r1',
+  Integer $ca_expire                                             = 3650,
+  Integer $key_expire                                            = 3650,
+  Integer $crl_days                                              = 30,
+  Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest = 'sha512',
+  Optional[String] $key_cn                                       = undef,
+  Optional[String] $key_name                                     = undef,
+  Optional[String] $key_ou                                       = undef,
+  Boolean $tls_auth                                              = false,
+  Boolean $tls_static_key                                        = false,
 ) {
   if $tls_auth {
     warning('Parameter $tls_auth is deprecated. Use $tls_static_key instead.')
@@ -80,6 +86,10 @@
 
   case $openvpn::easyrsa_version {
     '2.0': {
+      if $ssl_key_algo != 'rsa' {
+        fail('easy-rsa 2.0 supports only rsa keys.')
+      }
+
       file { "${server_directory}/${name}/easy-rsa/vars":
         ensure  => file,
         mode    => '0550',
@@ -136,10 +146,13 @@
           {
             'server_directory' => $server_directory,
             'openvpn_server'   => $name,
+            'ssl_key_algo'     => $ssl_key_algo,
+            'ssl_key_curve'    => $ssl_key_curve,
             'ssl_key_size'     => $ssl_key_size,
             'ca_expire'        => $ca_expire,
             'key_expire'       => $key_expire,
             'crl_days'         => $crl_days,
+            'digest'           => $digest,
             'country'          => $country,
             'province'         => $province,
             'city'             => $city,
@@ -168,13 +181,15 @@
         require  => File["${server_directory}/${name}/easy-rsa/vars"],
       }
 
-      exec { "generate dh param ${name}":
-        command  => './easyrsa --batch gen-dh',
-        timeout  => 20000,
-        cwd      => "${server_directory}/${name}/easy-rsa",
-        creates  => "${server_directory}/${name}/easy-rsa/keys/dh.pem",
-        provider => 'shell',
-        require  => Exec["generate server cert ${name}"],
+      if ($ssl_key_algo == 'rsa') {
+        exec { "generate dh param ${name}":
+          command  => './easyrsa --batch gen-dh',
+          timeout  => 20000,
+          cwd      => "${server_directory}/${name}/easy-rsa",
+          creates  => "${server_directory}/${name}/easy-rsa/keys/dh.pem",
+          provider => 'shell',
+          require  => Exec["generate server cert ${name}"],
+        }
       }
 
       exec { "generate server cert ${name}":

manifests/server.pp

@@ -33,7 +33,10 @@
 # @param route Add route to routing table after connection is established. Multiple routes can be specified.
 # @param route_ipv6  Add IPv6 route to routing table after connection is established. Multiple routes can be specified.
 # @param keepalive Add keepalive directive (ping and ping-restart) to server. Should match the form "n m".
-# @param ssl_key_size Length of SSL keys (in bits) generated by this module.
+# @param ssl_key_algo SSL Key Algo. ec can enable elliptic curve support. ed uses ed25519 keys
+# @param ssl_key_size Length of SSL keys (in bits) generated by this module, used if ssl_key_algo is rsa
+# @param ssl_key_curve Define the named curve for the ssl keys, used if ssl_key_algo is ec, ed
+# @param ecdh_curve Define the named curve for ECDH key exchange, used if ssl_key_algo is ec, ed
 # @param topology  Define the network topology type
 # @param c2c Enable client to client visibility
 # @param tcp_nodelay Enable/Disable.
@@ -71,6 +74,7 @@
 # @param persist_tun  Try to retain access to resources that may be unavailable because of privilege downgrades
 # @param key_expire The number of days to certify the server certificate for
 # @param crl_days The number of days the client revocation list will be valid for after generating
+# @param digest Cryptographic digest to use
 # @param ca_expire The number of days to certify the CA certificate for
 # @param key_name Value for name_default variable in openssl.cnf and  KEY_NAME in vars
 # @param key_ou Value for organizationalUnitName_default variable in openssl.cnf and KEY_OU in vars
@@ -175,7 +179,10 @@
   Array $route_ipv6                                                 = [],
   Optional[String[1]] $keepalive                                    = undef,
   Variant[Boolean, Integer] $fragment                               = false,
+  Enum['rsa', 'ec', 'ed'] $ssl_key_algo                             = 'rsa',
   Integer $ssl_key_size                                             = 2048,
+  String $ssl_key_curve                                             = 'secp384r1',
+  String $ecdh_curve                                                = 'secp384r1',
   String $topology                                                  = 'net30',
   Boolean $c2c                                                      = false,
   Boolean $tcp_nodelay                                              = false,
@@ -209,6 +216,7 @@
   Integer $ca_expire                                                = 3650,
   Integer $key_expire                                               = 3650,
   Integer[1] $crl_days                                              = 30,
+  Enum['md5','sha1','sha256','sha224','sha384','sha512'] $digest    = 'sha512',
   Optional[String] $key_cn                                          = undef,
   Optional[String] $key_name                                        = undef,
   Optional[String] $key_ou                                          = undef,
@@ -365,10 +373,13 @@
         email          => $email,
         common_name    => $common_name,
         group          => $group,
+        ssl_key_algo   => $ssl_key_algo,
         ssl_key_size   => $ssl_key_size,
+        ssl_key_curve  => $ssl_key_curve,
         ca_expire      => $ca_expire,
         key_expire     => $key_expire,
         crl_days       => $crl_days,
+        digest         => $digest,
         key_cn         => $key_cn,
         key_name       => $key_name,
         key_ou         => $key_ou,