[strongSwan] ECDSA mixed results with the Android client

Daniel Pocock daniel at pocock.com.au
Mon Jul 8 09:57:38 CEST 2013


On 08/07/13 09:49, Tobias Brunner wrote:
>> Test 2:
>> VPN gateway using an ECDSA cert signed by an RSA root
>> Android using an ECDSA cert signed by the RSA root
>> Android fails, log:
>> "signature scheme RSA_EMSA_PKCS1_SHA1 not supported in EC"
>> "failed to load private key"
>>
>> Test 3:
>> VPN gateway using an ECDSA cert signed by an RSA root
>> Android using an ECDSA cert signed by an ECDSA root
>> Android fails, log:
>> "failed to load private key"
>>
>> In both the ECDSA failures, it is failing during initialization, it is
>> not even starting to connect to the peer
> This is due to a bug in the Android API we use to access the private
> keys:  http://wiki.strongswan.org/issues/349
Thanks for pointing that out

The Android bug report looks very thin - do you know if the ECDSA keys
really are stored somewhere in the phone (e.g. import was successful but
it is just failing to read the key?)  Or maybe the import itself is
failing.  Maybe it is possible to tweak the PKCS#12 file in some way
that it loads successfully.

Could this be worked around using Bouncy Castle or some other API to
store the keys?  That may offer more backwards compatibility although it
would mean keys are only available for strongSwan.

I was looking at adding a CSR workflow to Lumicall to provision client
certificates for SIP - I suspect that the same thing would be useful to
the strongSwan app and would be more convenient than the PKCS#12 import
process.






More information about the Users mailing list