[strongSwan] Current support status of Ed448 Cert/keys in StrongSwan

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Jan 19 19:39:43 CET 2020


Hello Rodrigo,

Looks like either the certs/pubkeys you created use other formats than strongSwan recognizes based on their ASN.1 OIDs or they're not encoded in ASN.1 at all.
Do you mind sending me your CA cert? I'd like to take a look at it.

Kind regards

Noel

On 17.01.20 at 13:57, Rodrigo Tartajo Martínez wrote:
> Hello,
> I have been testing StrongSwan with Ed25519 and Ed448 and found a roadblock:
> I got the sample "Roadwarrior with virtual IP"  with "pubkey" authentication scenario in the tutorials with Ed25519 keys without much problem (using "pki" to generate the keys/certificates). Due to lack of support for Ed448 keys in the "pki" tool, I followed the document "Guide for building an EDDSA pki" [0] to first create a valid certificate chain using Ed25519 that strongswan had no problem working with (after minimal modifications to the DN and subjectAltName values).
> 
> The problem appeared when I repeated the same steps to create an Ed448 certificate chain: while the certificates and keys were created without problems, StrongSwan refuses to load the certificates or keys.
> 
> StrongSwan 8.7.2 changelog [1] claims that the openssl plugin added support for both Ed25519 and Ed448 keys and certificates for signing.
> 
> I am running Linux Ubuntu 18.04, with strongswan 8.4.2 compiled from sources and openssl plugin enabled against the system OpenSSL 1.1.1
> 
> Does working with Ed448 certificates require a special and inexistent module just like 25519 already has? Is there any special step to force strongswan to use the openssl plugin to manage these certificates that I should follow?
> 
> Cheers,
> Rodrigo.
> 
> [0]: https://tools.ietf.org/html/draft-moskowitz-eddsa-pki-02
> [1]: https://www.strongswan.org/blog/2018/12/27/strongswan-5.7.2-released.html
> 
> 
>>swanctl --load-all
> no files found matching '/etc/swanctl/conf.d/*.conf'
> loading '/etc/swanctl/x509/moon.strongswan.org.cert.pem' failed: parsing X509 certificate failed
> loading '/etc/swanctl/x509ca/intermediate.cert.pem' failed: parsing X509 certificate failed
> loading '/etc/swanctl/x509ca/ca.cert.pem' failed: parsing X509 certificate failed
> building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
> loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'
> no authorities found, 0 unloaded
> loaded pool 'rw_pool'
> successfully loaded 1 pools, 0 unloaded
> loaded connection 'rw'
> successfully loaded 1 connections, 0 unloaded
> 
> 
>>pki --print --in /etc/swanctl/x509ca/ca.cert.pem -v 4
>   file content is not binary ASN.1
>   -----BEGIN CERTIFICATE-----
>   -----END CERTIFICATE-----
> L0 - x509:
> => 618 bytes @ 0x55ae96c8c880
>    0: 30 82 02 66 30 82 01 E6 A0 03 02 01 02 02 09 00  0..f0...........
>   16: B8 A2 8D 65 18 AC D4 F6 30 05 06 03 2B 65 71 30  ...e....0...+eq0
> ...
>  608: CE 3C 48 DB 2F DF 64 DF 1B 00                    .<H./.d...
> L1 - tbsCertificate:
> => 490 bytes @ 0x55ae96c8c884
>    0: 30 82 01 E6 A0 03 02 01 02 02 09 00 B8 A2 8D 65  0..............e
>   16: 18 AC D4 F6 30 05 06 03 2B 65 71 30 68 31 0B 30  ....0...+eq0h1.0
> ...
>  480: 75 74 69 6F 6E 73 2E 63 6F 6D                    utions.com
> L2 - DEFAULT v1:
> L3 - version:
> => 1 bytes @ 0x55ae96c8c88c
>    0: 02                                               .
>   X.509v3
> L2 - serialNumber:
> => 9 bytes @ 0x55ae96c8c88f
>    0: 00 B8 A2 8D 65 18 AC D4 F6                       ....e....
> L2 - signature:
> L3 - algorithmIdentifier:  
> L4 - algorithm:
>   'id-Ed448'
> L2 - issuer:
> => 106 bytes @ 0x55ae96c8c89f
>    0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31  0h1.0...U....IE1
> ...
>   96: 03 0C 07 52 6F 6F 74 20 43 41                    ...Root CA
>   'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
> L2 - validity:
> L3 - notBefore:
> L4 - utcTime:
>   'Jan 15 11:19:08 UTC 2020'
> L3 - notAfter:
> L4 - utcTime:
>   'Jan 10 11:19:08 UTC 2040'
> L2 - subject:
> => 106 bytes @ 0x55ae96c8c929
>    0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31  0h1.0...U....IE1
> ...
>   96: 03 0C 07 52 6F 6F 74 20 43 41                    ...Root CA
>   'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
> L2 - subjectPublicKeyInfo:  
> -- > --
> L0 - subjectPublicKeyInfo:  
> L1 - algorithm:
> L2 - algorithmIdentifier:  
> L3 - algorithm:
>   'id-Ed448'
> -- < --
> unsupported public key algorithm
> OpenSSL X.509 parsing failed
> building CRED_CERTIFICATE - X509 failed, tried 4 builders
> parsing input failed
> 
> 
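
The first 32 bytes of the hex dump quoted above are enough to check by hand what the `pki` trace reports. The following is an added example, not part of either post and not strongSwan code: a minimal DER walker (function names are hypothetical) that reads the element sizes, the serial number and the signature AlgorithmIdentifier OID from that prefix, using the RFC 8410 OID assignments for Ed25519 and Ed448.

```python
# Constructed input: the first 32 bytes of the CA certificate, copied from the
# "L0 - x509" hex dump quoted above (the dump elides the rest).
DUMP_PREFIX = bytes.fromhex(
    "30 82 02 66 30 82 01 E6 A0 03 02 01 02 02 09 00 "
    "B8 A2 8D 65 18 AC D4 F6 30 05 06 03 2B 65 71 30"
)
EDDSA_OIDS = {"1.3.101.112": "id-Ed25519", "1.3.101.113": "id-Ed448"}  # RFC 8410

def read_header(buf, pos):
    """Return (tag, content_start, content_length) of the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length, not usable DER")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:                   # continuation bit: more octets
            continue
        if not arcs:                       # first value packs two arcs
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def inspect_prefix(buf):
    """Walk Certificate -> tbsCertificate -> version, serial, signature OID."""
    tag, cert_body, cert_len = read_header(buf, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, tbs_body, tbs_len = read_header(buf, cert_body)
    tag, start, length = read_header(buf, tbs_body)
    if tag == 0xA0:                        # optional explicit [0] version
        tag, start, length = read_header(buf, start + length)
    serial = buf[start:start + length]
    _, alg_body, _ = read_header(buf, start + length)   # AlgorithmIdentifier
    _, oid_start, oid_len = read_header(buf, alg_body)  # algorithm OID
    oid = decode_oid(buf[oid_start:oid_start + oid_len])
    return {"cert_bytes": cert_body + cert_len, "tbs_bytes": tbs_body - cert_body + tbs_len,
            "serial": serial.hex(), "oid": oid, "name": EDDSA_OIDS.get(oid, "unknown")}

print(inspect_prefix(DUMP_PREFIX))
```

The sizes it computes (618 and 490 bytes) and the serial number match the `L0 - x509`, `L1 - tbsCertificate` and `L2 - serialNumber` lines of the quoted trace.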
