api/.vscode/launch.json

@@ -10,13 +10,6 @@
             "request": "launch",
             "module": "kiwi_vpn_api.main",
             "justMyCode": true
-        },
-        {
-            "name": "EasyRSA script",
-            "type": "python",
-            "request": "launch",
-            "module": "kiwi_vpn_api.easyrsa",
-            "justMyCode": true
         }
     ]
 }

api/kiwi_vpn_api/config.py

@@ -206,7 +206,7 @@ class ServerDN(BaseModel):
     common_name: str
 
 
-class KeyAlgorithm(Enum):
+class CertificateAlgo(Enum):
     """
     Supported certificate signing algorithms
     """
@@ -227,7 +227,7 @@ class CryptoConfig(BaseModel):
     schemes: list[str] = ["bcrypt"]
 
     # pki settings
-    key_algorithm: KeyAlgorithm | None
+    cert_algo: CertificateAlgo | None
     ca_password: str | None
     ca_expiry_days: int | None
     cert_expiry_days: int | None

api/kiwi_vpn_api/easyrsa.py

@@ -12,7 +12,7 @@ from OpenSSL import crypto
 from passlib import pwd
 from pydantic import BaseModel
 
-from .config import Config, KeyAlgorithm, Settings
+from .config import CertificateAlgo, Config, Settings
 from .db import Connection, Device
 
 
@@ -167,29 +167,24 @@ class EasyRSA:
         if expiry_days is not None:
             extra_args += [f"--days={expiry_days}"]
 
-        if (algorithm := config.crypto.key_algorithm) is not None:
-            args_map = {
-                KeyAlgorithm.rsa2048: [
-                    "--use-algo=rsa", "--keysize=2048"
-                ],
-                KeyAlgorithm.rsa2048: [
-                    "--use-algo=rsa", "--keysize=2048"
-                ],
-                KeyAlgorithm.secp256r1: [
-                    "--use-algo=ec", "--curve=secp256r1"
-                ],
-                KeyAlgorithm.secp384r1: [
-                    "--use-algo=ec", "--curve=secp384r1"
-                ],
-                KeyAlgorithm.ed25519: [
-                    "--use-algo=ed", "--curve=ed25519"
-                ]
-            }
+        if (algo := config.crypto.cert_algo) is not None:
+            if algo is CertificateAlgo.rsa2048:
+                extra_args += ("--use-algo=rsa", "--keysize=2048")
 
-            if algorithm not in args_map:
-                raise ValueError(f"Unexpected algorithm: {algorithm}")
+            elif algo is CertificateAlgo.rsa4096:
+                extra_args += ("--use-algo=rsa", "--keysize=4096")
 
-            extra_args += args_map[algorithm]
+            elif algo is CertificateAlgo.secp256r1:
+                extra_args += ("--use-algo=ec", "--curve=secp256r1")
+
+            elif algo is CertificateAlgo.secp384r1:
+                extra_args += ("--use-algo=ec", "--curve=secp384r1")
+
+            elif algo is CertificateAlgo.ed25519:
+                extra_args += ("--use-algo=ed", "--curve=ed25519")
+
+            else:
+                raise ValueError(f"Unexpected algorithm: {algo}")
 
         self.__easyrsa(
             *extra_args,