<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Hello,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I have been running a number of tests and everything seems to work. The use of the "pki" tool has been minimal and only to check the certificates and not generate them, so there could hide a problem I have not seen. A little detail: when loading the Ed25519 key
I get this output from swanctl:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
---<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span>no files found matching '/etc/swanctl/conf.d/*.conf'<br>
</span>
<div>loaded certificate from '/etc/swanctl/x509/moon.strongswan.org.cert.pem'<br>
</div>
<div>loaded certificate from '/etc/swanctl/x509ca/intermediate.cert.pem'<br>
</div>
<div>loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'<br>
</div>
<div>unsupported key type in '/etc/swanctl/private/moon.strongswan.org.key.pem'<br>
</div>
<div>loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'<br>
</div>
<div>no authorities found, 0 unloaded<br>
</div>
<div>loaded pool 'rw_pool'<br>
</div>
<div>successfully loaded 1 pools, 0 unloaded<br>
</div>
<div>loaded connection 'rw'<br>
</div>
<div>successfully loaded 1 connections, 0 unloaded<br>
</div>
<span></span>---</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
But loading the 448 key I get this:</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
----</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<span>no files found matching '/etc/swanctl/conf.d/*.conf'<br>
</span>
<div>loaded certificate from '/etc/swanctl/x509/moon.strongswan.org.cert.pem'<br>
</div>
<div>loaded certificate from '/etc/swanctl/x509ca/intermediate.cert.pem'<br>
</div>
<div>loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'<br>
</div>
<div>building CRED_PRIVATE_KEY - ANY failed, tried 9 builders<br>
</div>
<div>loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'<br>
</div>
<div>no authorities found, 0 unloaded<br>
</div>
<div>loaded pool 'rw_pool'<br>
</div>
<div>successfully loaded 1 pools, 0 unloaded<br>
</div>
<div>loaded connection 'rw'<br>
</div>
<div>successfully loaded 1 connections, 0 unloaded<br>
</div>
----</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Notice the failing first try for loading the key happens in both cases, but reports a different error string (maybe because we use the ed25519 plugin for the first and the openssl plugin for the second?).</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Aside from this small cosmetic difference, the keys are loaded and the client can successfully connect, making my tested configuration scenarios work.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Thank you,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Rodrigo.<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Tobias Brunner &lt;tobias@strongswan.org&gt;<br>
<b>Sent:</b> 20 January 2020 18:14<br>
<b>To:</b> Rodrigo Tartajo Mart&iacute;nez &lt;Rodrigo.Tartajo@viavisolutions.com&gt;; users@lists.strongswan.org &lt;users@lists.strongswan.org&gt;<br>
<b>Subject:</b> Re: [strongSwan] Current support status of Ed448 Cert/keys in StrongSwan</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">Hi Rodrigo,<br>
<br>
I pushed some (untested) changes to the ed448-certs branch. The first<br>
one adds support to parse Ed448 public keys to the pkcs1 plugin (as used<br>
by the x509 plugin, the openssl plugin is still required to parse the<br>
actual key). The second patch adds support for Ed25519/448 keys when<br>
certificates are parsed via openssl plugin (both the x509 and pkcs1<br>
plugins are then theoretically not required). Finally, the last two<br>
commits add support to create Ed448 keys/certificates with pki and parse<br>
PEM-encoded Ed448 keys (if the key type is explicitly passed via pki,<br>
which should not be necessary).<br>
Let me know if those changes work for you.<br>
<br>
Regards,<br>
Tobias<br>
<br>
[1]<br>
<a href="https://urldefense.com/v3/__https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs*heads*ed448-certs__;Ly8!!Aa6LgkyVeQ!7AcF_-c8pbGmjWVhG5EdNzpR9tmuumnbvITWAMhG2zQOTEE4V5k0qBUa6SZmz_aiRXsHzQ6uiFU$">https://urldefense.com/v3/__https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs*heads*ed448-certs__;Ly8!!Aa6LgkyVeQ!7AcF_-c8pbGmjWVhG5EdNzpR9tmuumnbvITWAMhG2zQOTEE4V5k0qBUa6SZmz_aiRXsHzQ6uiFU$</a>
<br>
</div>
</span></font></div>
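<div>Added example, not part of the original thread and not strongSwan code: a small Python check that reads loader output like the two runs quoted in the message above and reports, for each expected private key, whether a "loaded private key" line appeared and which complaint lines came with it. The name audit_key_loading, the rule that a complaint naming no file belongs to the next file loaded, and the MISSING_RUN sample are assumptions made for this example.</div>

```python
import re

LOADED = re.compile(r"^loaded (?:certificate|private key) from '([^']+)'$")
QUOTED_PATH = re.compile(r"'(/[^']+)'")
# Routine status lines seen in the output above; anything else is treated as a complaint.
ROUTINE = re.compile(r"^(?:no files found matching|no authorities found|"
                     r"loaded (?:pool|connection) |successfully loaded )")

def audit_key_loading(output, expected_keys):
    """Map each expected key path to {'loaded': bool, 'notes': [complaint lines]}."""
    report = {p: {"loaded": False, "notes": []} for p in expected_keys}
    pending = []  # complaints naming no file: assumed to concern the next file loaded
    for line in (raw.strip() for raw in output.splitlines()):
        if not line or ROUTINE.match(line):
            continue
        loaded = LOADED.match(line)
        named = QUOTED_PATH.search(line)
        if loaded:
            if loaded.group(1) in report:
                entry = report[loaded.group(1)]
                entry["loaded"] = True
                entry["notes"].extend(pending)
            pending = []
        elif named:
            if named.group(1) in report:
                report[named.group(1)]["notes"].append(line)
        else:
            pending.append(line)
    return report

KEY = "/etc/swanctl/private/moon.strongswan.org.key.pem"
# Excerpts of the two runs quoted in the message above.
ED25519_RUN = f"""
loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'
unsupported key type in '{KEY}'
loaded private key from '{KEY}'
loaded pool 'rw_pool'
"""
ED448_RUN = f"""
loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'
building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
loaded private key from '{KEY}'
loaded pool 'rw_pool'
"""
# Constructed case (not from the thread): the key never shows up as loaded.
MISSING_RUN = "loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'\nloaded pool 'rw_pool'\n"

if __name__ == "__main__":
    for name, run in (("ed25519", ED25519_RUN), ("ed448", ED448_RUN), ("missing", MISSING_RUN)):
        print(name, audit_key_loading(run, [KEY])[KEY])
```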
</body>
</html>