[strongSwan] Current support status of Ed448 Cert/keys in StrongSwan
Rodrigo Tartajo Martínez
Rodrigo.Tartajo at viavisolutions.com
Fri Jan 17 13:57:22 CET 2020
Hello,
I have been testing StrongSwan with Ed25519 and Ed448 and found a roadblock:
I got the sample "Roadwarrior with virtual IP" scenario with "pubkey" authentication from the tutorials working with Ed25519 keys without much problem (using "pki" to generate the keys/certificates). Due to the lack of support for Ed448 keys in the "pki" tool, I followed the document "Guide for building an EDDSA pki" [0] to first create a valid certificate chain using Ed25519 that strongswan had no problem working with (after minimal modifications to the DN and subjectAltName values).
The problem appeared when I repeated the same steps to create an Ed448 certificate chain: while the certificates and keys were created without problems, StrongSwan refuses to load the certificates or keys.
StrongSwan 8.7.2 changelog [1] claims that the openssl plugin added support for both Ed25519 and Ed448 keys and certificates for signing.
I am running Linux Ubuntu 18.04, with strongswan 8.4.2 compiled from sources and the openssl plugin enabled against the system OpenSSL 1.1.1.
Does working with Ed448 certificates require a special and inexistent module just like 25519 already has? Is there any special step to force strongswan to use the openssl plugin to manage these certificates that I should follow?
Cheers,
Rodrigo.
[0]: https://tools.ietf.org/html/draft-moskowitz-eddsa-pki-02
[1]: https://www.strongswan.org/blog/2018/12/27/strongswan-5.7.2-released.html
>swanctl --load-all
no files found matching '/etc/swanctl/conf.d/*.conf'
loading '/etc/swanctl/x509/moon.strongswan.org.cert.pem' failed: parsing X509 certificate failed
loading '/etc/swanctl/x509ca/intermediate.cert.pem' failed: parsing X509 certificate failed
loading '/etc/swanctl/x509ca/ca.cert.pem' failed: parsing X509 certificate failed
building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'
no authorities found, 0 unloaded
loaded pool 'rw_pool'
successfully loaded 1 pools, 0 unloaded
loaded connection 'rw'
successfully loaded 1 connections, 0 unloaded
>pki --print --in /etc/swanctl/x509ca/ca.cert.pem -v 4
file content is not binary ASN.1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
L0 - x509:
=> 618 bytes @ 0x55ae96c8c880
0: 30 82 02 66 30 82 01 E6 A0 03 02 01 02 02 09 00 0..f0...........
16: B8 A2 8D 65 18 AC D4 F6 30 05 06 03 2B 65 71 30 ...e....0...+eq0
...
608: CE 3C 48 DB 2F DF 64 DF 1B 00 .<H./.d...
L1 - tbsCertificate:
=> 490 bytes @ 0x55ae96c8c884
0: 30 82 01 E6 A0 03 02 01 02 02 09 00 B8 A2 8D 65 0..............e
16: 18 AC D4 F6 30 05 06 03 2B 65 71 30 68 31 0B 30 ....0...+eq0h1.0
...
480: 75 74 69 6F 6E 73 2E 63 6F 6D utions.com
L2 - DEFAULT v1:
L3 - version:
=> 1 bytes @ 0x55ae96c8c88c
0: 02 .
X.509v3
L2 - serialNumber:
=> 9 bytes @ 0x55ae96c8c88f
0: 00 B8 A2 8D 65 18 AC D4 F6 ....e....
L2 - signature:
L3 - algorithmIdentifier:
L4 - algorithm:
'id-Ed448'
L2 - issuer:
=> 106 bytes @ 0x55ae96c8c89f
0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31 0h1.0...U....IE1
...
96: 03 0C 07 52 6F 6F 74 20 43 41 ...Root CA
'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
L2 - validity:
L3 - notBefore:
L4 - utcTime:
'Jan 15 11:19:08 UTC 2020'
L3 - notAfter:
L4 - utcTime:
'Jan 10 11:19:08 UTC 2040'
L2 - subject:
=> 106 bytes @ 0x55ae96c8c929
0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31 0h1.0...U....IE1
...
96: 03 0C 07 52 6F 6F 74 20 43 41 ...Root CA
'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
L2 - subjectPublicKeyInfo:
-- > --
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
'id-Ed448'
-- < --
unsupported public key algorithm
OpenSSL X.509 parsing failed
building CRED_CERTIFICATE - X509 failed, tried 4 builders
parsing input failed
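An added example, not part of the original message and not strongSwan code: a minimal DER walk over the first bytes of the hex dump above, showing that the octets 06 03 2B 65 71 in the certificate's signature field encode OID 1.3.101.113 (id-Ed448 in RFC 8410), the algorithm named just before "unsupported public key algorithm". The function names are hypothetical and the byte string is copied from the dump.

```python
# Constructed sample: the first 31 bytes of the CA certificate, copied from the
# "L0 - x509" hex dump in the post (the dump elides the rest of the certificate).
CERT_PREFIX = bytes.fromhex(
    "30820266 308201E6 A003020102 020900B8A28D6518ACD4F6 300506032B6571")

# Signature algorithm identifiers defined in RFC 8410.
RFC8410_OIDS = {"1.3.101.112": "id-Ed25519", "1.3.101.113": "id-Ed448"}

def read_header(buf, pos):
    """Return (tag, length, value_offset) of the DER TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: length is in this octet
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length encoding")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(body):
    """Decode OID content octets (base-128 sub-identifiers) to dotted form."""
    subids, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:               # high bit clear ends a sub-identifier
            subids.append(value)
            value = 0
    x = min(subids[0] // 40, 2)            # first sub-identifier packs two arcs
    return ".".join(map(str, [x, subids[0] - 40 * x] + subids[1:]))

def signature_algorithm(prefix):
    """Walk Certificate -> tbsCertificate -> version -> serialNumber -> signature."""
    tag, cert_len, pos = read_header(prefix, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    total = pos + cert_len                 # header octets + declared content
    _, _, pos = read_header(prefix, pos)   # tbsCertificate SEQUENCE
    tag, length, value = read_header(prefix, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, length, value = read_header(prefix, value + length)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    serial = prefix[value:value + length].hex()
    _, _, pos = read_header(prefix, value + length)   # AlgorithmIdentifier
    tag, length, value = read_header(prefix, pos)     # algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(prefix[value:value + length])
    return {"size": total, "serial": serial, "oid": oid,
            "name": RFC8410_OIDS.get(oid, "unknown")}
```

The computed size of 618 bytes and the serial number match the values pki prints, which confirms the certificate itself is well-formed DER and that the failure is tied to the algorithm identifier.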