Move from rsa to ecdsa key generation for gw client-certs.

As ecdsa requires shorter keys (with the same level of encryption protection), this is works a lot better on gateways with limited CPU capacity (like the MiniHub gateway).
brocaar · Jul 13, 2021 · e84b698 · e84b698
1 parent 82c3d7f
commit e84b698
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/internal/gateway/certificates.go b/internal/gateway/certificates.go
@@ -2,8 +2,9 @@ package gateway
 
 import (
 	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -58,7 +59,7 @@ func GenerateClientCertificate(gatewayID lorawan.EUI64) (time.Time, []byte, []by
 		KeyUsage:    x509.KeyUsageDigitalSignature,
 	}
 
-	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return time.Time{}, nil, nil, nil, errors.Wrap(err, "generate key error")
 
@@ -82,10 +83,15 @@ func GenerateClientCertificate(gatewayID lorawan.EUI64) (time.Time, []byte, []by
 		Bytes: certBytes,
 	})
 
+	b, err := x509.MarshalECPrivateKey(certPrivKey)
+	if err != nil {
+		return time.Time{}, nil, nil, nil, errors.Wrap(err, "create certificate error")
+	}
+
 	certPrivKeyPEM := new(bytes.Buffer)
 	pem.Encode(certPrivKeyPEM, &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+		Type:  "EC PRIVATE KEY",
+		Bytes: b,
 	})
 
 	return expiresAt, caCertB, certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil