7 files changed, 100 insertions, 62 deletions

diff --git a/rpkid/rpki/irdb/models.py b/rpkid/rpki/irdb/models.py
index 8e492409..6772b542 100644
--- a/rpkid/rpki/irdb/models.py
+++ b/rpkid/rpki/irdb/models.py
@@ -401,7 +401,7 @@ class EECertificate(Certificate):
       self.private_key = rpki.x509.RSA.generate(quiet = True)
     self.certificate = self.issuer.certify(
       subject_name      = self.subject_name,
-      subject_key       = self.private_key.get_RSApublic(),
+      subject_key       = self.private_key.get_public(),
       validity_interval = ee_certificate_lifetime,
       is_ca             = False)
 
diff --git a/rpkid/rpki/rootd.py b/rpkid/rpki/rootd.py
index e0c59726..43e84873 100644
--- a/rpkid/rpki/rootd.py
+++ b/rpkid/rpki/rootd.py
@@ -229,7 +229,7 @@ class main(object):
     manifest_keypair = rpki.x509.RSA.generate()
     manifest_cert = self.rpki_root_cert.issue(
       keypair     = self.rpki_root_key,
-      subject_key = manifest_keypair.get_RSApublic(),
+      subject_key = manifest_keypair.get_public(),
       serial      = self.serial_number,
       sia         = (None, None, self.rpki_base_uri + self.rpki_root_manifest),
       aia         = self.rpki_root_cert_uri,
diff --git a/rpkid/rpki/rpkid.py b/rpkid/rpki/rpkid.py
index 69d7a242..0b564b57 100644
--- a/rpkid/rpki/rpkid.py
+++ b/rpkid/rpki/rpkid.py
@@ -766,10 +766,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
     "ca_detail",
     "ca_detail_id",
     ("private_key_id",          rpki.x509.RSA),
-    ("public_key",              rpki.x509.RSApublic),
+    ("public_key",              rpki.x509.PublicKey),
     ("latest_ca_cert",          rpki.x509.X509),
     ("manifest_private_key_id", rpki.x509.RSA),
-    ("manifest_public_key",     rpki.x509.RSApublic),
+    ("manifest_public_key",     rpki.x509.PublicKey),
     ("latest_manifest_cert",    rpki.x509.X509),
     ("latest_manifest",         rpki.x509.SignedManifest),
     ("latest_crl",              rpki.x509.CRL),
@@ -1116,10 +1116,10 @@ class ca_detail_obj(rpki.sql.sql_persistent):
     self.state = "pending"
 
     self.private_key_id = rpki.x509.RSA.generate()
-    self.public_key = self.private_key_id.get_RSApublic()
+    self.public_key = self.private_key_id.get_public()
 
     self.manifest_private_key_id = rpki.x509.RSA.generate()
-    self.manifest_public_key = self.manifest_private_key_id.get_RSApublic()
+    self.manifest_public_key = self.manifest_private_key_id.get_public()
 
     self.sql_store()
     return self
@@ -1875,7 +1875,7 @@ class roa_obj(rpki.sql.sql_persistent):
     self.cert = ca_detail.issue_ee(
       ca          = ca,
       resources   = resources,
-      subject_key = keypair.get_RSApublic(),
+      subject_key = keypair.get_public(),
       sia         = (None, None, self.uri_from_key(keypair)))
     self.roa = rpki.x509.ROA.build(self.asn, self.ipv4, self.ipv6, keypair, (self.cert,))
     self.published = rpki.sundial.now()
@@ -2070,7 +2070,7 @@ class ghostbuster_obj(rpki.sql.sql_persistent):
     self.cert = ca_detail.issue_ee(
       ca          = ca,
       resources   = resources,
-      subject_key = keypair.get_RSApublic(),
+      subject_key = keypair.get_public(),
       sia         = (None, None, self.uri_from_key(keypair)))
     self.ghostbuster = rpki.x509.Ghostbuster.build(self.vcard, keypair, (self.cert,))
     self.published = rpki.sundial.now()
diff --git a/rpkid/rpki/x509.py b/rpkid/rpki/x509.py
index 15adf12b..c69090e2 100644
--- a/rpkid/rpki/x509.py
+++ b/rpkid/rpki/x509.py
@@ -312,14 +312,26 @@ class DER_object(object):
   def get_DER(self):
     """
     Get the DER value of this object.
-
-    Subclasses will almost certainly override this method.
+    Subclasses may need to override this method.
     """
     self.check()
     if self.DER:
       return self.DER
+    if self.POW:
+      self.DER = self.POW.derWrite()
+      return self.get_DER()
     raise rpki.exceptions.DERObjectConversionError("No conversion path to DER available")
 
+  def get_POW(self):
+    """
+    Get the rpki.POW value of this object.
+    Subclasses may need to override this method.
+    """
+    self.check()
+    if not self.POW:                    # pylint: disable=E0203
+      self.POW = self.POW_class.derRead(self.get_DER())
+    return self.POW
+
   def get_Base64(self):
     """
     Get the Base64 encoding of the DER value of this object.
@@ -536,27 +548,6 @@ class X509(DER_object):
 
   POW_class = rpki.POW.X509
 
-  def get_DER(self):
-    """
-    Get the DER value of this certificate.
-    """
-    self.check()
-    if self.DER:
-      return self.DER
-    if self.POW:
-      self.DER = self.POW.derWrite()
-      return self.get_DER()
-    raise rpki.exceptions.DERObjectConversionError("No conversion path to DER available")
-
-  def get_POW(self):
-    """
-    Get the rpki.POW value of this certificate.
-    """
-    self.check()
-    if not self.POW:                    # pylint: disable=E0203
-      self.POW = rpki.POW.X509.derRead(self.get_DER())
-    return self.POW
-
   def getIssuer(self):
     """
     Get the issuer of this certificate.
@@ -591,7 +582,7 @@ class X509(DER_object):
     """
     Extract the public key from this certificate.
     """
-    return RSApublic(POW = self.get_POW().getPublicKey())
+    return PublicKey(POW = self.get_POW().getPublicKey())
 
   def get_SKI(self):
     """
@@ -757,7 +748,7 @@ class X509(DER_object):
       keypair = keypair,
       issuer_name = subject_name,
       subject_name = subject_name,
-      subject_key = keypair.get_RSApublic(),
+      subject_key = keypair.get_public(),
       serial = serial,
       now = now,
       notAfter = notAfter,
@@ -769,7 +760,7 @@ class X509(DER_object):
     """
     Issue a normal BPKI certificate.
     """
-    assert keypair.get_RSApublic() == self.getPublicKey()
+    assert keypair.get_public() == self.getPublicKey()
     return self._bpki_certify(
       keypair = keypair,
       issuer_name = self.getSubject(),
@@ -793,7 +784,7 @@ class X509(DER_object):
     if now is None:
       now = rpki.sundial.now()
 
-    issuer_key = keypair.get_RSApublic()
+    issuer_key = keypair.get_public()
 
     assert (issuer_key == subject_key) == (issuer_name == subject_name)
     assert is_ca or issuer_name != subject_name
@@ -890,7 +881,7 @@ class PKCS10(DER_object):
     """
     Extract the public key from this certification request.
     """
-    return RSApublic(POW = self.get_POW().getPublicKey())
+    return PublicKey(POW = self.get_POW().getPublicKey())
 
   def get_SKI(self):
     """
@@ -1129,9 +1120,10 @@ class insecure_debug_only_rsa_key_generator(object):
     self.keyno += 1
     return v
 
-class RSA(DER_object):
+
+class PrivateKey(DER_object):
   """
-  Class to hold an RSA key pair.
+  Class to hold a Public/Private key pair.
   """
   
   POW_class = rpki.POW.Asymmetric
@@ -1170,18 +1162,6 @@ class RSA(DER_object):
     assert self.empty()
     self.POW = self.POW_class.pemReadPrivate(pem)
 
-  @classmethod
-  def generate(cls, keylength = 2048, quiet = False):
-    """
-    Generate a new keypair.
-    """
-    if not quiet:
-      rpki.log.debug("Generating new %d-bit RSA key" % keylength)
-    if generate_insecure_debug_only_rsa_key is not None:
-      return cls(POW = generate_insecure_debug_only_rsa_key())
-    else:
-      return cls(POW = rpki.POW.Asymmetric.generateRSA(keylength))
-
   def get_public_DER(self):
     """
     Get the DER encoding of the public key from this keypair.
@@ -1194,15 +1174,15 @@ class RSA(DER_object):
     """
     return self.get_POW().calculateSKI()
 
-  def get_RSApublic(self):
+  def get_public(self):
     """
-    Convert the public key of this keypair into a RSApublic object.
+    Convert the public key of this keypair into a PublicKey object.
     """
-    return RSApublic(DER = self.get_public_DER())
+    return PublicKey(DER = self.get_public_DER())
 
-class RSApublic(DER_object):
+class PublicKey(DER_object):
   """
-  Class to hold an RSA public key.
+  Class to hold a public key.
   """
   
   POW_class = rpki.POW.Asymmetric
@@ -1247,6 +1227,56 @@ class RSApublic(DER_object):
     """
     return self.get_POW().calculateSKI()
 
+class KeyParams(DER_object):
+  """
+  Wrapper for OpenSSL's asymmetric key parameter classes.
+  """
+
+  POW_class = rpki.POW.AsymmetricParams
+
+  @classmethod
+  def generateEC(cls, curve = rpki.POW.EC_P256_CURVE):
+    return cls(POW = rpki.POW.AsymmetricParams.generateEC(curve = curve))
+
+class RSA(PrivateKey):
+  """
+  Class to hold an RSA key pair.
+  """
+
+  @classmethod
+  def generate(cls, keylength = 2048, quiet = False):
+    """
+    Generate a new keypair.
+    """
+    if not quiet:
+      rpki.log.debug("Generating new %d-bit RSA key" % keylength)
+    if generate_insecure_debug_only_rsa_key is not None:
+      return cls(POW = generate_insecure_debug_only_rsa_key())
+    else:
+      return cls(POW = rpki.POW.Asymmetric.generateRSA(keylength))
+
+class ECDSA(PrivateKey):
+  """
+  Class to hold an ECDSA key pair.
+  """
+
+  @classmethod
+  def generate(cls, params = None, quiet = False):
+    """
+    Generate a new keypair.
+    """
+
+    if params is None:
+      if not quiet:
+        rpki.log.debug("Generating new ECDSA key parameters")
+      params = KeyParams.generateEC()
+
+    assert isinstance(params, KeyParams)
+
+    if not quiet:
+      rpki.log.debug("Generating new ECDSA key")
+
+    return cls(POW = rpki.POW.Asymmetric.generateFromParams(params.get_POW()))
 
 class CMS_object(DER_object):
   """
diff --git a/rpkid/tests/smoketest.py b/rpkid/tests/smoketest.py
index 7f284550..5512b5bc 100644
--- a/rpkid/tests/smoketest.py
+++ b/rpkid/tests/smoketest.py
@@ -134,6 +134,8 @@ pubd_pubd_cert = None
 
 pubd_last_cms_time = None
 
+ecdsa_params = None
+
 class CantRekeyYAMLLeaf(Exception):
   """
   Can't rekey YAML leaf.
@@ -380,12 +382,18 @@ class router_cert(object):
   Representation for a router_cert object.
   """
 
+  _ecparams = None
+
+  @classmethod
+  def ecparams(cls):
+    if cls._ecparams is None:
+       cls._ecparams = rpki.x509.KeyParams.generateEC()
+    return cls._ecparams
+
   def __init__(self, asn, router_id):
     self.asn = rpki.resource_set.resource_set_as("".join(str(asn).split()))
     self.router_id = router_id
-
-    rpki.log.warn("Code to generate ECDSA keys not written yet, generating RSA as hack for testing")
-    self.keypair = rpki.x509.RSA.generate()
+    self.keypair = rpki.x509.ECDSA.generate(self.ecparams())
     self.pkcs10 = rpki.x509.PKCS10.create(
       keypair = self.keypair,
       cn      = "ROUTER-%d" % self.asn[0].min,
diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py
index 81698fbf..3c71d3cd 100644
--- a/rpkid/tests/yamlconf.py
+++ b/rpkid/tests/yamlconf.py
@@ -467,7 +467,7 @@ class allocation(object):
 
     root_cert = rpki.x509.X509.self_certify(
       keypair     = root_key,
-      subject_key = root_key.get_RSApublic(),
+      subject_key = root_key.get_public(),
       serial      = 1,
       sia         = root_sia,
       notAfter    = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
@@ -481,7 +481,7 @@ class allocation(object):
 
     with open(cleanpath(test_dir, "root.tal"), "w") as f:
       f.write("rsync://%s/root/root.cer\n\n%s" % (
-        self.rsync_server, root_key.get_RSApublic().get_Base64()))
+        self.rsync_server, root_key.get_public().get_Base64()))
 
   def mkdir(self, *path):
     path = self.path(*path)
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index 08da81f3..9131a595 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -553,7 +553,7 @@ def create_root_certificate(db_root):
 
   root_cert = rpki.x509.X509.self_certify(
     keypair     = root_key,
-    subject_key = root_key.get_RSApublic(),
+    subject_key = root_key.get_public(),
     serial      = 1,
     sia         = root_sia,
     notAfter    = rpki.sundial.now() + rpki.sundial.timedelta(days = 365),
@@ -569,7 +569,7 @@ def create_root_certificate(db_root):
 
   f = open(os.path.join(test_dir, "root.tal"), "w")
   f.write("rsync://localhost:%d/root/root.cer\n\n" % db_root.pubd.rsync_port)
-  f.write(root_key.get_RSApublic().get_Base64())
+  f.write(root_key.get_public().get_Base64())
   f.close()