[strongSwan-dev] Python vici library

Martin Willi martin at strongswan.org
Mon Feb 23 11:23:19 CET 2015


Hi Sam,

> I have been running into some issues getting it load certs. I think it
> is just my misunderstanding of the datatype that the load_conn 'certs'
> field is expecting.

The vici syntax tree is mostly the same as the syntax tree in
swanctl.conf. However, there are a few exceptions, and the "certs" field
is one of them. Unfortunately that is not yet documented.

> In the swanctl documentation it says a comma separated list of paths to
> certifications.

While the swanctl.conf option takes path names, swanctl loads any
credential files locally, reads the data, performs any credential
decryption if required, and passes on the loaded credential as a DER
encoded blob over vici. Alternatively you can pass a PEM encoded blob,
but you should do the decryption on the client side, as it is where you
can query the user for passwords.

The list of path names gets translated to a vici list of the credential
blobs. Look for the is_file_list_key() function in [1] for which
keywords this is done.

There are some other exceptions, where a "comma separated list" of items
gets translated to a vici list locally in swanctl. In contrast to the
vici format, swanctl.conf/strongswan.conf does not know the concept of
lists, hence we manually translate comma separated lists. Check the
is_list_key() function in [1] for the keywords.


Important to add: The certs/cacerts options in the conn section define
end entity or CA connection constraints; you may
alternatively/additionally load these certificates to the global
certificate pool using the load-cert vici command (which takes the
certificate as a blob as well).

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/swanctl/commands/load_conns.c
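The translation Martin describes, done on the Python client side, as an added example that is not part of the original mail and not code from strongSwan or its Python vici library. It assumes the vici library's `Session.load_conn()` accepts a nested dict in which list values become vici lists and `bytes` values become blobs; the set of file-list keys (`certs`, `cacerts`) is taken from the mail rather than from is_file_list_key(), and the PEM material is a constructed stand-in for a certificate, not a real one.

```python
import base64

# Constructed sample: a PEM wrapper around 48 arbitrary bytes that stand in
# for a DER-encoded certificate. This is NOT a real certificate.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

# Keys whose swanctl.conf value is a comma-separated list of credential
# files; vici wants a list of blobs instead. Assumed from the mail; the
# authoritative set is is_file_list_key() in swanctl's load_conns.c.
FILE_LIST_KEYS = {"certs", "cacerts"}


def pem_to_der(text):
    """Strip the PEM armor and base64-decode the body into DER bytes.

    Handles unencrypted PEM only: decrypting encrypted credentials belongs
    on the client, where a passphrase can be requested, before sending."""
    lines = [line.strip() for line in text.splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    if not body:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body), validate=True)


def load_blob(path, files=None):
    """Read one credential file and return it as DER.

    `files` is an optional in-memory {path: content} mapping (constructed,
    for testing); otherwise the path is read from disk. DER input is passed
    through unchanged, PEM input is converted."""
    if files is not None:
        data = files[path]
    else:
        with open(path, "rb") as f:
            data = f.read()
    if isinstance(data, str):
        data = data.encode("ascii")
    if data.lstrip().startswith(b"-----BEGIN"):
        return pem_to_der(data.decode("ascii"))
    return data  # already DER


def to_items(value):
    """Accept either a Python list or a swanctl-style comma-separated string."""
    if isinstance(value, (list, tuple)):
        return list(value)
    return [item.strip() for item in str(value).split(",") if item.strip()]


def prepare_conn(conn, files=None):
    """Return a copy of a load_conn request in which every certs/cacerts
    entry under a local*/remote* auth section is a list of DER blobs,
    mirroring what swanctl does before it talks to vici."""
    out = {}
    for name, section in conn.items():
        new_section = dict(section)
        for subname, sub in section.items():
            is_auth = subname.startswith("local") or subname.startswith("remote")
            if isinstance(sub, dict) and is_auth:
                new_sub = dict(sub)
                for key, value in sub.items():
                    if key in FILE_LIST_KEYS:
                        new_sub[key] = [load_blob(p, files) for p in to_items(value)]
                new_section[subname] = new_sub
        out[name] = new_section
    return out


if __name__ == "__main__":
    # Constructed in-memory "file" so the example runs without touching disk.
    files = {"/etc/swanctl/x509/example.pem": SAMPLE_PEM}
    request = prepare_conn(
        {"rw": {"local": {"certs": "/etc/swanctl/x509/example.pem"},
                "remote": {"auth": "pubkey"}}},
        files,
    )
    print("certs blob (first bytes):", request["rw"]["local"]["certs"][0][:8].hex())
    try:
        import vici  # strongSwan's Python vici library, if installed
        vici.Session().load_conn(request)  # assumed call shape; needs a running charon
    except (ImportError, OSError) as exc:
        print("not sent:", exc)
```

The same `load_blob()` output can be handed to `load_cert` for the global certificate pool, since the mail says that command takes the certificate as a blob as well.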
