[Swan-dev] How to specify a CKAID in the config file
Paul Wouters
paul at nohats.ca
Thu Apr 28 01:57:43 UTC 2016
On Wed, 27 Apr 2016, Andrew Cagney wrote:
> My question is; how to specify this in the config file and on the
> whack command line?
>
> For the moment I've got:
>
> leftrsasigkey=%ckaid
> leftcert=22169af2dd143838caa67837bcfede1fde5d4e2a
My preference is for leftcert= to be for certificates in the NSS DB,
not pubkeys. Unless we are going to generate pubkeys and store them
in certificates in the NSS DB.
So I would prefer: leftrsasigkey=22169af2dd143838caa67837bcfede1fde5d4e2a
That is, if we recognise it is not %specialvalue or 0sPUBKEY or
0xHEXKEY, that we assume it is a CKAID. I would like to avoid
calling something a cert when it is not.
We could also introduce a new keyword, leftckaid= or make leftckaid=
an alias for leftrsasigkey= although we will still need to have
leftrsasigkey= for the remote endpoint when we configure it by public
key. And it should get renamed leftpubkey= with leftrsasigkey= as
a backwards compatible alias.
> and:
>
> whack .. --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a ...
that works for me.
> I'm not so sure about the config file; in part because I'm suspicious
> of the existing behaviour. For instance, I suspect:
>
> - leftrsasigkey=%dnsondemand leftcert=east
> still loads "east"
That is a bogus configuration anyway. It is undefined behaviour as far
as I am concerned.
> - leftrsasigkey=<raw-cert> leftrsasigkey2=%dnsondemand
> leads to leftrsasigkey2 being ignored
The "on demand" option is for remote keys, not local keys. The 2nd key
option is only for local keys. So again undefined behaviour.
> - and come ECC, having something like "rsasigkey=%cert" will be decidedly weird.
Yes, it should be renamed leftpubkey.
> - I'm pretty sure leftcert=%dnsondemand wasn't implemented because
> "%dnsondemand" is a valid alias (nickname)
leftcert= was always meant for a locally stored keypair, so never be
"on demand".
> - leftckaid=.. but then what happens when it is mixed with leftcert=
> et.al. - the parser doesn't track which one came first/last
Reject a connection that specifies both.
> - leftpubkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a or
not my preference :)
> leftpubkey=%dnsondemand or leftpubkey=%cert:east or ...?
same :P
> - leftrsasigkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a
same :)
Paul
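The parsing rule proposed in this thread (a value that is neither a %special keyword nor a 0s/0x-prefixed public key is taken to be a CKAID, and a connection that names the local key both via leftckaid= and leftcert= is rejected) can be sketched as follows. This is an added illustration written for this archive page, not libreswan's own parser; it assumes a CKAID is written as a bare 40-character hex string, matching the example value in the thread, and the keyword names are the ones discussed above.

```python
"""Classify *rsasigkey= values and detect conflicting local-key keywords.

Added example, not libreswan code. Assumptions: a CKAID is a bare hex
string of 40 characters (as in the thread's example), %-prefixed values
are the existing special keywords, and 0s/0x prefixes mark inline
public keys.
"""
import re
from enum import Enum


class KeySource(Enum):
    SPECIAL = "special"      # %dnsondemand, %cert, %ckaid, ...
    PUBKEY_BASE64 = "0s"     # 0s<base64-encoded public key>
    PUBKEY_HEX = "0x"        # 0x<hex-encoded public key>
    CKAID = "ckaid"          # bare hex: NSS CKAID, as proposed in the thread


# Assumption: a CKAID is 40 hex characters (20 bytes), the length of the
# value quoted in the thread.
_CKAID_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)


def classify_key_value(value: str) -> KeySource:
    """Return which kind of value a leftrsasigkey=/rightrsasigkey= holds."""
    v = value.strip()
    if v.startswith("%"):
        return KeySource.SPECIAL
    if v.startswith("0s"):
        return KeySource.PUBKEY_BASE64
    if v.startswith("0x"):
        return KeySource.PUBKEY_HEX
    if _CKAID_RE.fullmatch(v):
        return KeySource.CKAID
    # Anything else is an error rather than silently being treated as a
    # certificate nickname, which the thread argues should stay in leftcert=.
    raise ValueError(f"unrecognised key value: {value!r}")


def local_key_reference(end_opts: dict, side: str = "left") -> tuple:
    """Work out how one end (left/right) names its local private key.

    Returns (kind, value) where kind is "cert", "ckaid" or "none".
    Raises ValueError when the key is named more than once (for example
    leftckaid= together with leftcert=), so the result never depends on
    which keyword the parser happened to see last.
    """
    found = []
    cert = end_opts.get(f"{side}cert")
    if cert is not None:
        found.append(("cert", cert))
    ckaid = end_opts.get(f"{side}ckaid")
    if ckaid is not None:
        if not _CKAID_RE.fullmatch(ckaid.strip()):
            raise ValueError(f"{side}ckaid= is not a CKAID: {ckaid!r}")
        found.append(("ckaid", ckaid.strip().lower()))
    sigkey = end_opts.get(f"{side}rsasigkey")
    if sigkey is not None and classify_key_value(sigkey) is KeySource.CKAID:
        # A bare CKAID in leftrsasigkey= is the thread's preferred spelling.
        found.append(("ckaid", sigkey.strip().lower()))
    if len(found) > 1:
        raise ValueError(f"{side} end names its local key more than once: {found}")
    if not found:
        return ("none", None)
    return found[0]


if __name__ == "__main__":
    # Constructed sample configurations, one dict per connection end.
    ok = {"leftrsasigkey": "22169af2dd143838caa67837bcfede1fde5d4e2a"}
    print(local_key_reference(ok))
    bad = {"leftckaid": "22169af2dd143838caa67837bcfede1fde5d4e2a",
           "leftcert": "east"}
    try:
        local_key_reference(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

Because `classify_key_value` rejects unknown strings outright, a typo in a CKAID or a nickname that was meant for leftcert= fails at load time instead of being resolved against the NSS database under a different meaning.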