[strongSwan] Current support status of Ed448 Cert/keys in StrongSwan

Tobias Brunner tobias at strongswan.org
Tue Jan 21 14:42:05 CET 2020


Hi Rodrigo,

> I have been running a number of tests and everything seems to work. The
> use of the "pki" tool has been minimal and only to check the certificates,
> not to generate them, so there could be a hidden problem I have not seen.

Thanks for testing.  I did some tests today, too, including generating a
PKI with Ed448 keys using `pki`; it works fine.

> unsupported key type in '/etc/swanctl/private/moon.strongswan.org.key.pem'
> loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'

That's because there are two paths for loading private keys from files
in swanctl.  First, the key is parsed (optionally using a password to
decrypt it) and the key's type is then passed explicitly to the vici
plugin as a string.  The mapping there currently only has support for
RSA, ECDSA and Bliss (I guess that's mostly for legacy reasons, it's
usually not necessary anymore to explicitly specify the type or place
the key in the correct directory, but it may depend on the loaded plugins).

For other types you see that first error message, and the file contents
are passed to the vici plugin along with type "any" (if the key is
stored in the "private" or "pkcs8" directory, otherwise the type is
derived from the directory name).  So it's then up to the daemon to
parse the key, which apparently is successful here.

The latter is also what happens if the key can't be parsed by swanctl at
all (e.g. due to missing plugins):

> building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
> loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'

Check what plugins are loaded by swanctl (via --help); maybe openssl is
missing.  But as you noticed, it doesn't really matter if the key can be
loaded by the daemon afterwards.

Regards,
Tobias
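The two loading paths described in the reply above, as an added example that is not strongSwan's own code (swanctl's real implementation is in C and differs in detail): it reproduces the decision in Python, reads the PKCS#8 algorithm OID itself so it runs without the daemon or any crypto library, and builds the dict that the vici load-key command takes. The OID table, the directory names and the sample keys (constructed bytes in a minimal PKCS#8 wrapper, not real keys) are assumptions made for the demonstration, and the final `load_key_via_vici` step assumes the `vici` Python package and a running charon. It also covers Ed25519, which the mail does not discuss, because the same mapping applies to it.

```python
import base64
import re
from pathlib import PurePosixPath

# Key types swanctl's vici mapping passes explicitly; anything else is sent as
# "any" (or as the directory name) and left to the daemon, as the mail says.
VICI_EXPLICIT_TYPES = {"rsa", "ecdsa", "bliss"}
UNTYPED_DIRS = {"private", "pkcs8"}   # directory name does not fix the type

# PKCS#8 AlgorithmIdentifier OIDs -> key type (assumption: what a daemon with
# the openssl plugin recognises; BLISS omitted, its OID is strongSwan-specific)
OID_TO_TYPE = {
    "1.2.840.113549.1.1.1": "rsa",
    "1.2.840.10045.2.1": "ecdsa",
    "1.3.101.112": "ed25519",
    "1.3.101.113": "ed448",
}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pem_key_type(pem):
    """Classify a PEM private key; None = could not parse (garbage, encrypted,
    or an algorithm not in OID_TO_TYPE, i.e. what a missing plugin looks like)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END", pem, re.S)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":                     # PKCS#1: type in label
        return "rsa"
    if label == "EC PRIVATE KEY":                      # SEC1: type in label
        return "ecdsa"
    if label != "PRIVATE KEY":                         # e.g. ENCRYPTED PRIVATE KEY
        return None
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, info, _ = _read_tlv(der, 0)                 # PrivateKeyInfo
        _, _, pos = _read_tlv(info, 0)                   # INTEGER version
        alg_tag, algid, _ = _read_tlv(info, pos)         # AlgorithmIdentifier
        oid_tag, oid, _ = _read_tlv(algid, 0)            # OBJECT IDENTIFIER
    except (IndexError, ValueError):
        return None
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        return None
    return OID_TO_TYPE.get(_decode_oid(oid))

def vici_load_key_request(path, pem):
    """Build the load-key request swanctl would send: parse the key here and
    pass the type explicitly if the vici mapping knows it; otherwise send "any"
    for private/ and pkcs8/, or the directory name (rsa/, ecdsa/, bliss/)."""
    directory = PurePosixPath(path).parent.name
    parsed = pem_key_type(pem)
    if parsed in VICI_EXPLICIT_TYPES:
        key_type = parsed
    elif directory in UNTYPED_DIRS:
        key_type = "any"
    else:
        key_type = directory
    return {"type": key_type, "data": pem}

def load_key_via_vici(path, pem):
    """Hand the request to charon (assumes the 'vici' package and a running daemon)."""
    import vici
    return vici.Session().load_key(vici_load_key_request(path, pem))

# Constructed sample keys: NOT real keys, just bytes wrapped in a minimal
# PKCS#8 PrivateKeyInfo so the algorithm OID can be read back.
def _der(tag, body):
    return bytes([tag, len(body)]) + body              # short-form length

def constructed_pkcs8_pem(oid_der, raw_key):
    info = (_der(0x02, b"\x00")                        # version 0
            + _der(0x30, _der(0x06, oid_der))          # AlgorithmIdentifier
            + _der(0x04, _der(0x04, raw_key)))         # CurvePrivateKey
    b64 = base64.b64encode(_der(0x30, info)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % body

SAMPLE_ED448 = constructed_pkcs8_pem(bytes.fromhex("2b6571"), bytes(range(57)))          # 1.3.101.113
SAMPLE_ECDSA = constructed_pkcs8_pem(bytes.fromhex("2a8648ce3d0201"), bytes(range(32)))  # 1.2.840.10045.2.1
```

`vici_load_key_request("/etc/swanctl/private/moon.strongswan.org.key.pem", SAMPLE_ED448)` yields type `"any"`, which is the "unsupported key type" path from the mail, while the same call with `SAMPLE_ECDSA` yields `"ecdsa"`. The caveat worth noticing is the directory fallback: an Ed448 key dropped into `ecdsa/` is sent with type `"ecdsa"`, and an unparseable file in `rsa/` is sent as `"rsa"`, so whether the load succeeds then depends entirely on what the daemon's builders make of the data.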

