51121dcf37
Since upstream openwrt has been using openssl 3.0 for quite some time, figured we could clean up some of the legacy code. This PR updates the code for EC/RSA key generation. nginx-util currently only generates 'ecc' keys, even though the framework is there for rsa as well. In order properly test the changes, I created two binaries: 'nginx-util-ssl' (generates ec keys) 'nginx-util-ssl-rsa' (generates rsa keys) where I would change line:455 in `src/nginx-ssl-util.hpp` `auto pkey = gen_eckey(NID_secp384r1)` to `auto pkey = gen_rsakey(2048)` Example with UCI config ``` config server '_rsa' list listen '443 ssl default_server' list listen '[::]:443 ssl default_server' option server_name '_rsa' list include 'restrict_locally' list include 'conf.d/*.locations' option uci_manage_ssl 'self-signed' option key_type 'rsa' option ssl_certificate '/etc/nginx/conf.d/_rsa.crt' option ssl_certificate_key '/etc/nginx/conf.d/_rsa.key' option ssl_session_cache 'shared:SSL:32k' option ssl_session_timeout '64m' option access_log 'off; # logd openwrt' ``` ➤ /opt/bin/nginx-ssl-util-rsa add_ssl _rsa Adding SSL directives to UCI server: nginx._rsa uci_manage_ssl='self-signed' Created self-signed SSL certificate '/etc/nginx/conf.d/_rsa.crt' with key '/etc/nginx/conf.d/_rsa.key'. [04/14/24 18:37:15](K-6.6.27) root@WRX36 ~ ➤ openssl x509 -in /etc/nginx/conf.d/_rsa.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 6d:55:a6💿52:25:31:fd:3c:78:66:24:82:5f:bb:b6:a6:fe:8f:c7 Signature Algorithm: sha256WithRSAEncryption Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3 Validity Not Before: Apr 14 22:37:15 2024 GMT Not After : Jul 16 22:37:15 2027 GMT Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrtBF399B64ACF71BC3 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ac:52:71:af:25:e9:05:0a:a5:d7:86:d3:8d:0b: 66:e0:09:cf:2a💿a1:63:57:36:46:61:04:16:fe: 94:84:d0:20:ab:01:15:55:aa:a1:89:c2:85:a9:84: 47:ba:84:d7:1f:a9:0c:c0:f0:67:2f:81:1d:1b:3b: 31:d5:94:6e:a0:f0:e6:ec:26:91:4a:e2:fd:58:4c: ac:b5:9e:a1:cd:7d:91:51:29:81:1d:3e:4a:d9:d1: d5:f1:2f:34:2f:ca:95:dc:42:d5:c4:d3:d6:b2:91: d5:19:61:a2:b5:b1:90:f0:83:88:ef:92:c9:bf:a4: 59:a9:d6:00:6f:1c:0d:70:16:40:cc:cb:c0🇩🇪c4: 8f:00:83:a3:2f:77:ca:18:cd:7b:d4:77:96:47:78: 1b:c1:ff:08:86:93:79:91:8f:a7:95:71:46:06:69: fc:cc:65:64:e7:99:11:cc:82:bb:39:6b:12:27:73: 0e:d1:e7:65:51:9e:ad:dc:b3:ff:3f:ba:b0:72:4f: 22:ad:7e:41:bb:3c:c7:80:30:81:5f:8b:32:f4:7f: 22:48:3f:3d:a9:eb:28:27:12:db:a9:63:c9:7e:e2: ed:36:de:e7:68:31:4e:9c:c0:36:e8:f2:d9:3f:50: 09:50:a3:e8:7a:03:00:4f:8d:e1:10:eb:a1:87:44: be:23 Exponent: 65537 (0x10001) Signature Algorithm: sha256WithRSAEncryption Signature Value: 06:7d:84:00:ac:8f:8b:a6:b6:b7:b5:ed:ee:7f:61:76:6d:ee: 11:53:f6:d1:f8:95:ad:6c:d7:d0:3e:01:ac:bb:d7:7a:8d:59: 80:ec:ba:b2:7b:78:5c:4f:5e:3f:f1:74:ad:d9:8c:a2:6b:08: 9c:bf:b1:42:fd:8d:a6:35:48:4d:a7:2d:92:c9:45:66:77:32: a4:e0:ea:eb:e0:4a:42:f5:dd:ea:a2:c0:0a:66:5a:32:03:1d: e7:87:3a:7f:1e:00:ed:d0:21:01:d5:f9:e2:b1:e6:b7:cb:1c: 67:11:de:69:7f:a2:ce:d0:fc:2d:f2:6c:33:84:4c:3d:f4:f6: 60:6b:2e:31:b7:0c:41:2c:73:31:7e:94:19:a2:2b:6a:56:3f: 07:37:71:97:28:58:91:63:b2:58:97:b2:aa:1e:d5:d9:6d:af: 6f:a0:02:e0:06:39:b0:c9:f5:50:41:b5:58:41:6a:30:72:89: 9a:67:7e:a1:7a:a5:02:b9:2a:f3:f8:93:4f:59:6e:b1:27:54: 86:d1:ec:96:7a:dd:d1:44:6b:1e:3b:17:cf:15:64:ad:83:6b: 63:20:2d:42:c3:28:68:14:de:12:4e:8a:c3:f3:10:c8:4b:4f: c7:d8:2b:a8:45:fb:3a:bd:9d:bd:08:71:08:09:ed:ea:9b:b9: 3b:33:a6:a6 [04/14/24 18:37:27](K-6.6.27) root@WRX36 ~ ➤ /opt/bin/nginx-ssl-util add_ssl _ec Adding SSL directives to UCI server: nginx._ec uci_manage_ssl='self-signed' Created self-signed SSL certificate '/etc/nginx/conf.d/_ec.crt' with key '/etc/nginx/conf.d/_ec.key'. [04/14/24 18:37:43](K-6.6.27) root@WRX36 ~ ➤ openssl x509 -in /etc/nginx/conf.d/_ec.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 55:32:fe:07:09:79:d1:40:d7:43:2e:45:3d:98:4a:77:65:d0:29:41 Signature Algorithm: ecdsa-with-SHA256 Issuer: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1 Validity Not Before: Apr 14 22:37:43 2024 GMT Not After : Jul 16 22:37:43 2027 GMT Subject: C = ZZ, ST = Somewhere, L = None, CN = OpenWrt, O = OpenWrt2EDD40F41960C8C1 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:97:d2:b2:f0:c9:60:60:89:7e:ea:6f:48:1c:90: 8e:6d:1d:d8:58:46:8c🇩🇪e9:50:e2:74:ea:d8:dd: 8c:d9:ed:f4:4c:b7:41:95:55:98:38:5a:9e:66:83: b9:7c:79:71:9b:ec:18:ed:d9:09:3c:f7:64:32:ae: 59:ad:92🇩🇪d7:c4:15:2e:e5:89:65:f4:29:8a:62: a0:85:21:95:22:3a:38:e3:11:e6:f2:01:f6:50:62: 01:ed:68:0d:d0:0c:d4 ASN1 OID: secp384r1 NIST CURVE: P-384 Signature Algorithm: ecdsa-with-SHA256 Signature Value: 30:65:02:30:78:af:d1:4f:57:b1:97:2b:87:aa:7f:a2:26:39: 19:30:5c:4f:9c:f0:d7:ee:24:8e:a2:39:ec:70:af:16:eb:a6: 72:96:d4:a7:2f:c1:38:f4:65:ed:ed:bf:22:c6:a4:6d:02:31: 00:bc:ec:19:0e:3d:6a:d1:5a:ae:6d:5c:a3:ec:96:60:32:f9: 6a:88:06:92:ed:c1:a7:44:2c:33:7a:22:72:0f:2a:ce:83:f0: f2:04:9e:49:60:ef:83:b4:7f:8b:af:61:c9 ``` Maintainer: Peter Stadler <peter.stadler@student.uibk.ac.at> Compile tested: aarch64, qualcommax, Master Branch Run tested: aarch64, Dynalink DL-WRX36, Master Branch Signed-off-by: Sean Khan <datapronix@protonmail.com> |
||
---|---|---|
.circleci | ||
.github | ||
.keys | ||
admin | ||
devel | ||
fonts/dejavu-fonts-ttf | ||
ipv6 | ||
kernel | ||
lang | ||
libs | ||
multimedia | ||
net | ||
sound | ||
utils | ||
CONTRIBUTING.md | ||
LICENSE | ||
README.md |
README.md
OpenWrt packages feed
Description
This is the OpenWrt "packages"-feed containing community-maintained build scripts, options and patches for applications, modules and libraries used within OpenWrt.
Installation of pre-built packages is handled directly by the opkg utility within your running OpenWrt system or by using the OpenWrt SDK on a build system.
Usage
This repository is intended to be layered on-top of an OpenWrt buildroot. If you do not have an OpenWrt buildroot installed, see the documentation at: OpenWrt Buildroot – Installation on the OpenWrt support site.
This feed is enabled by default. To install all its package definitions, run:
./scripts/feeds update packages
./scripts/feeds install -a -p packages
License
See LICENSE file.
Package Guidelines
See CONTRIBUTING.md file.