[strongSwan-dev] load-authority request over VICI interface

Erick Gonzalez erick at codemonkeylabs.de
Sat Sep 30 00:34:05 CEST 2017


Hi. I am wondering if someone can give me a hand with something. I wrote some Haskell bindings for the VICI protocol and that is working great and all; however, I am having trouble understanding from the documentation how exactly one is supposed to load a CA into the daemon.

I issued a "load-cert" command and loaded a PEM-encoded X.509 certificate using the following key/value pairs: "type" "X509", "flag" "CA", and then the PEM data with the "data" key. This succeeds and I can see the certificate by issuing a "load-certs" request and reading the event streams as per the documentation etc., etc.. so far so good. However, I believe now I am supposed to issue the "load-authority" command to load that CA certificate. To this effect, I tried issuing the "load-authority" command with a message using a section with a name of my choosing for the "name" of the certificate (also tried the Subject Name, etc. just in case that matters) and tried setting the "handle" key to the hex-encoded public key signature.. this is all very fuzzy to me from the documentation, so it is not *that* clear if this is what is expected, but it looks so to me from perusing the libVICI code etc. This is unfortunately not working.. no matter what I try here I always get a "success": "no" response and the error msg says "CA certificate missing: <name>". I assume this is simply a misunderstanding on how I am supposed to load a CA into the daemon via VICI remotely (this is the reason I am not simply passing the file key instead in the message), since I want to load the PEM data over VICI itself.. any help, tips or pointers to further documentation that I might have failed so far to find would be greatly appreciated. Thanks!!

Oh, and the charon logs I get:

Sep 29 21:19:14 ubuntu charon: 11[CFG] vici client 30 requests: load-authority
Sep 29 21:19:14 ubuntu charon: 11[CFG]  authority foo CA:
Sep 29 21:19:14 ubuntu charon: 11[CFG] PKCS#11 certificate 09:a7:83:d7:26:2d:f3:b6:24:c1:7e:60:cf:48:d1:fb:a7:cc:0f:cb not found
Sep 29 21:19:14 ubuntu charon: 11[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders

Thanks in advance for any help or pointers anyone can give me!

Cheers

Erick

