[strongSwan] Current support status of Ed448 Cert/keys in StrongSwan

Rodrigo Tartajo Martínez Rodrigo.Tartajo at viavisolutions.com
Tue Jan 21 12:33:52 CET 2020


Hello,
I have been running a number of tests and everything seems to work. The use of the "pki" tool has been minimal and only to check the certificates, not to generate them, so there could be a hidden problem I have not seen. A little detail: when loading the Ed25519 key I get this output from swanctl:
---
no files found matching '/etc/swanctl/conf.d/*.conf'
loaded certificate from '/etc/swanctl/x509/moon.strongswan.org.cert.pem'
loaded certificate from '/etc/swanctl/x509ca/intermediate.cert.pem'
loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'
unsupported key type in '/etc/swanctl/private/moon.strongswan.org.key.pem'
loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'
no authorities found, 0 unloaded
loaded pool 'rw_pool'
successfully loaded 1 pools, 0 unloaded
loaded connection 'rw'
successfully loaded 1 connections, 0 unloaded
---

But loading the 448 key gets this:
----
no files found matching '/etc/swanctl/conf.d/*.conf'
loaded certificate from '/etc/swanctl/x509/moon.strongswan.org.cert.pem'
loaded certificate from '/etc/swanctl/x509ca/intermediate.cert.pem'
loaded certificate from '/etc/swanctl/x509ca/ca.cert.pem'
building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'
no authorities found, 0 unloaded
loaded pool 'rw_pool'
successfully loaded 1 pools, 0 unloaded
loaded connection 'rw'
successfully loaded 1 connections, 0 unloaded
----

Notice the failing first try at loading the key happens in both cases, but reports a different error string (maybe because we use the ed25519 plugin for the first and the openssl plugin for the second?).

Aside from this small cosmetic difference, the keys are loaded and the client can successfully connect, making my tested configuration scenarios work.


Thank you,
Rodrigo.
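As an added example (not from the thread or strongSwan's own code): a small Python checker that reads the AlgorithmIdentifier OID out of an unencrypted PKCS#8 PEM, so you can confirm whether the key file swanctl is loading really is Ed25519 or Ed448 before looking at which plugin handles it. The minimal DER reader and the all-zero sample keys are constructed for this example.

```python
import base64
import re

# OIDs for the two EdDSA key types discussed in the thread (RFC 8410).
ED_OIDS = {
    bytes.fromhex("2b6570"): "Ed25519",   # 1.3.101.112
    bytes.fromhex("2b6571"): "Ed448",     # 1.3.101.113
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def key_type_from_pem(pem):
    """Return the EdDSA key type named in a PKCS#8 'PRIVATE KEY' PEM, or None."""
    m = re.search(r"-----BEGIN PRIVATE KEY-----(.*?)-----END PRIVATE KEY-----", pem, re.S)
    if not m:
        return None                        # not unencrypted PKCS#8 (e.g. traditional RSA/EC PEM)
    der = base64.b64decode("".join(m.group(1).split()))
    tag, body, _ = read_tlv(der, 0)        # PrivateKeyInfo SEQUENCE
    if tag != 0x30:
        return None
    _, _, pos = read_tlv(body, 0)          # INTEGER version, skipped
    tag, alg, _ = read_tlv(body, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        return None
    tag, oid, _ = read_tlv(alg, 0)         # OBJECT IDENTIFIER
    if tag != 0x06:
        return None
    return ED_OIDS.get(bytes(oid), "other:" + oid.hex())

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"

# Constructed sample keys (all-zero seeds, for demonstration only; not real keys).
ED25519_PEM = der_to_pem(bytes.fromhex("302e020100300506032b657004220420") + bytes(32))
ED448_PEM = der_to_pem(bytes.fromhex("3047020100300506032b6571043b0439") + bytes(57))

if __name__ == "__main__":
    for name, pem in (("Ed25519", ED25519_PEM), ("Ed448", ED448_PEM)):
        print(name, "->", key_type_from_pem(pem))
```

Point it at a real file with `key_type_from_pem(open(path).read())`; an encrypted or traditional-format PEM yields None, so convert it to PKCS#8 first.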
________________________________
From: Tobias Brunner <tobias at strongswan.org>
Sent: 20 January 2020 18:14
To: Rodrigo Tartajo Martínez <Rodrigo.Tartajo at viavisolutions.com>; users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Re: [strongSwan] Current support status of Ed448 Cert/keys in StrongSwan

Hi Rodrigo,

I pushed some (untested) changes to the ed448-certs branch.  The first
one adds support to parse Ed448 public keys to the pkcs1 plugin (as used
by the x509 plugin, the openssl plugin is still required to parse the
actual key).  The second patch adds support for Ed25519/448 keys when
certificates are parsed via openssl plugin (both the x509 and pkcs1
plugins are then theoretically not required).  Finally, the last two
commits add support to create Ed448 keys/certificates with pki and parse
PEM-encoded Ed448 keys (if the key type is explicitly passed via pki,
which should not be necessary).
Let me know if those changes work for you.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/ed448-certs