acme/autocert: use ECDSA P-256 for account key and issued certs

ECDSA P-256 keys are smaller than RSA 2048 keys and signing
operations are faster.

Change-Id: I735f358f17ada4569de307a7af2934d4abf69b91
Reviewed-on: https://go-review.googlesource.com/28851
Run-TryBot: Alex Vaghin <ddos@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Alex Vaghin <ddos@google.com>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 605cc00..2d95e27 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -12,6 +12,7 @@
 	"bytes"
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@@ -127,7 +128,7 @@
 	// Client is used to perform low-level operations, such as account registration
 	// and requesting new certificates.
 	// If Client is nil, a zero-value acme.Client is used with acme.LetsEncryptURL
-	// directory endpoint and a newly-generated 2048-bit RSA key.
+	// directory endpoint and a newly-generated ECDSA P-256 key.
 	//
 	// Mutating the field after the first call of GetCertificate method will have no effect.
 	Client *acme.Client
@@ -379,7 +380,7 @@
 		return state, nil
 	}
 	// new locked state
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, err
 	}
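Review bot: The certificate key generated at `key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` is now always ECDSA, with no way for the caller to choose otherwise, so every newly issued certificate only works in handshakes where the peer accepts ECDSA certificates. TLS clients that offer only RSA cipher suites would fail to connect once a certificate is issued or renewed through this path, and the failure appears at handshake time rather than at issuance. Consider an opt-in setting on the manager that keeps RSA 2048 for deployments that still need it, and document the default key type next to it. The enclosing function begins and ends outside this hunk, so how previously cached RSA certificates are handled cannot be checked from here.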
@@ -557,7 +558,7 @@
 	}
 	if client.Key == nil {
 		var err error
-		client.Key, err = rsa.GenerateKey(rand.Reader, 2048)
+		client.Key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
 			return nil, err
 		}
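Review bot: The default account key type is now stated in two places that must be kept in step by hand: the call `client.Key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` here and the Client field comment that promises "a newly-generated ECDSA P-256 key". The same `ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` expression is also repeated in the earlier hunk that creates the certificate key. A small unexported helper would remove the repetition; failing that, a comment at this site such as `// Default account key: ECDSA P-256, as documented on the Client field.` would tie the call to the doc comment. The enclosing function starts and ends outside the hunk.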