[Swan-dev] How to specify a CKAID in the config file

Andrew Cagney andrew.cagney at gmail.com
Thu Apr 28 01:24:12 UTC 2016


If you type:

# certutil -K -d sql:/etc/ipsec.d
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      22169af2dd143838caa67837bcfede1fde5d4e2a   east

the middle hex is the CKAID for the key-pair "east" (as an aside, I've
yet to figure out how to dump the CKAID of a certificate from the
command line).  Since it is derived from the public key, it can be
used to identify a certificate (the sane way is to use the nickname -
"east" - but we're not being sane).

My question is: how to specify this in the config file and on the
whack command line?

For the moment I've got:

    leftrsasigkey=%ckaid
    leftcert=22169af2dd143838caa67837bcfede1fde5d4e2a

and:

    whack .. --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a ...

I think whack is ok (for the moment

    whack --dnsondemand --cert west --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a --cert east --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a

is reduced to

    whack --dnsondemand --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a

which doesn't seem too bad).

I'm not so sure about the config file; in part because I'm suspicious
of the existing behaviour.  For instance, I suspect:

- leftrsasigkey=%dnsondemand leftcert=east
  still loads "east"

- leftrsasigkey=<raw-cert> leftrsasigkey2=%dnsondemand
  leads to leftrsasigkey2 being ignored

- and come ECC, having something like "rsasigkey=%cert" will be decidedly weird.

- I'm pretty sure leftcert=%dnsondemand wasn't implemented because
"%dnsondemand" is a valid alias (nickname)

So?

Off hand I can think of:

- the above - it seems to work :-)

- leftckaid=... but then what happens when it is mixed with leftcert=
  et al.? The parser doesn't track which one came first/last

- leftpubkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a or
leftpubkey=%dnsondemand or leftpubkey=%cert:east or ...?

- leftrsasigkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a

- or ...

Andrew
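Added example, not libreswan or whack code: a small Python model of the CKAID handling discussed in this message. It normalises a CKAID as typed on the command line, parses the proposed leftpubkey= forms (%ckaid:<hex>, %dnsondemand, %cert:<nick>), treats leftcert= as a verbatim nickname (so "%dnsondemand" there is a nickname, not a keyword), and resolves the interim leftrsasigkey=%ckaid + leftcert=<hex> form. The function names, the conn-dictionary shape, the precedence order in select_left_key(), and the sample conn are this example's own; rsa_ckaid() assumes NSS derives an RSA key's CKA_ID as SHA-1 over the unsigned big-endian modulus, which should be checked against certutil -K on a real DB.

```python
# Added example, not libreswan/whack code: a model of the CKAID handling the
# message discusses.  Function names and the conn-dictionary shape are this
# example's own.
import hashlib
import re

HEX_RE = re.compile(r"[0-9a-f]+")


def rsa_ckaid(modulus: int) -> str:
    """CKAID of an RSA key-pair as a 40-char lowercase hex string.

    Assumption: NSS derives the CKA_ID of an RSA key as SHA-1 over the unsigned
    big-endian encoding of the modulus (PK11_MakeIDFromPubKey), which is why the
    value is 20 bytes.  Verify against `certutil -K -d sql:/etc/ipsec.d`.
    """
    if modulus <= 0:
        raise ValueError("RSA modulus must be a positive integer")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha1(n).hexdigest()


def parse_ckaid(text: str) -> str:
    """Normalise a CKAID as typed on the command line: drop ':' separators,
    lower-case, and require an even number of hex digits.  NSS prints RSA
    CKAIDs as 40 digits, but other key types are not assumed to."""
    h = text.strip().replace(":", "").lower()
    if not h or not HEX_RE.fullmatch(h) or len(h) % 2:
        raise ValueError(f"not a CKAID: {text!r}")
    return h


def is_valid_ckaid(text: str) -> bool:
    try:
        parse_ckaid(text)
        return True
    except ValueError:
        return False


def parse_pubkey_spec(value: str):
    """Parse the proposed leftpubkey= forms: %ckaid:<hex>, %dnsondemand,
    %cert:<nick>.  Anything without a leading '%' is a raw inline key."""
    if not value.startswith("%"):
        return ("raw", value)
    keyword, _, arg = value[1:].partition(":")
    if keyword == "ckaid":
        return ("ckaid", parse_ckaid(arg))
    if keyword == "dnsondemand":
        if arg:
            raise ValueError("%dnsondemand takes no argument")
        return ("dnsondemand", None)
    if keyword == "cert":
        if not arg:
            raise ValueError("%cert needs a nickname")
        return ("cert", arg)
    raise ValueError(f"unknown %-keyword in {value!r}")


def parse_cert_spec(value: str):
    """leftcert= takes an NSS nickname verbatim.  A nickname may itself start
    with '%' ("%dnsondemand" is legal), so no %-keyword can be layered on
    leftcert= without colliding with a real nickname."""
    if not value:
        raise ValueError("empty nickname")
    return ("cert", value)


def select_left_key(conn: dict):
    """Pick the key source for the left side of a conn.

    Precedence (this example's choice, not libreswan's): the proposed
    leftpubkey= form wins if present; otherwise the interim form from the
    message (leftrsasigkey=%ckaid with the CKAID in leftcert=); otherwise
    leftcert= is a plain nickname.
    """
    if "leftpubkey" in conn:
        return parse_pubkey_spec(conn["leftpubkey"])
    if conn.get("leftrsasigkey") == "%ckaid":
        if "leftcert" not in conn:
            raise ValueError("leftrsasigkey=%ckaid needs the CKAID in leftcert=")
        return ("ckaid", parse_ckaid(conn["leftcert"]))
    if "leftcert" in conn:
        return parse_cert_spec(conn["leftcert"])
    raise ValueError("no key source configured for left")


# Constructed sample conn, mirroring the "for the moment" form in the message.
SAMPLE_CONN = {
    "leftrsasigkey": "%ckaid",
    "leftcert": "22169af2dd143838caa67837bcfede1fde5d4e2a",
}

if __name__ == "__main__":
    print(select_left_key(SAMPLE_CONN))
    print(select_left_key({"leftpubkey": "%cert:east"}))
    print(select_left_key({"leftcert": "%dnsondemand"}))  # a nickname, not a keyword
```

The leftcert= case is the one to note: because the nickname namespace already contains strings like "%dnsondemand", the only places a %-keyword can be introduced without ambiguity are keys that never take a nickname (leftpubkey=, or leftrsasigkey= as in the interim form).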

