[Swan-dev] How to specify a CKAID in the config file

Paul Wouters paul at nohats.ca
Thu Apr 28 01:57:43 UTC 2016

On Wed, 27 Apr 2016, Andrew Cagney wrote:

> My question is; how to specify this in the config file and on the
> whack command line?
> For the moment I've got:
>    leftrsasigkey=%ckaid
>    leftcert=22169af2dd143838caa67837bcfede1fde5d4e2a

My preference is for leftcert= to be for certificates in the NSS DB,
not pubkeys. Unless we are going to generate pubkeys and store them
in certificates in the NSS DB.

So I would prefer: leftrsasigkey=22169af2dd143838caa67837bcfede1fde5d4e2a

That is, if we recognise it is not %specialvalue or 0sPUBKEY or
0xHEXKEY, that we assume it is a CKAID. I would like to avoid
calling something a cert when it is not.

We could also introduce a new keyword, leftckaid= or make leftckaid=
an alias for leftrsasigkey= although we will still need to have
leftrsasigkey= for the remote endpoint when we configure it by public
key. And it should get renamed leftpubkey= with leftrsasigkey= as
a backwards compatible alias.

> and:
>    whack .. --ckaid 22169af2dd143838caa67837bcfede1fde5d4e2a ...

that works for me.

> I'm not so sure about the config file; in part because I'm suspicious
> of the existing behaviour.  For instance, I suspect:
> -  leftrsasigkey=%dnsondemand leftcert=east
>   still loads "east"

That is a bogus configuration anyway. It is undefined behaviour as far
as I am concerned.

> - leftrsasigkey=<raw-cert> leftrsasigkey2=%dnsondemand
>  leads to leftrsasigkey2 being ignored

The "on demand" option is for remote keys, not local keys. The 2nd key
option is only for local keys. So again undefined behaviour.

> - and come ECC, having something like "rsasigkey=%cert" will be decidedly weird.

Yes, it should be renamed leftpubey.

> - I'm pretty sure leftcert=%dnsondemand wasn't implemented because
> "%dnsondemand" is a valid alias (nickname)

leftcert= was always meant for a locally stored keypair, so never be
"on demand".

> - leftckaid=.. but then what happens when it is mixed with leftcert=
> et.al. - the parser doesn't track which one came first/last

Reject a connection that specifies both.

> - leftpubkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a or

not my preference :)

> leftpubkey=%dnsondemand or leftpubkey=%cert:east or ...?

same :P

> - leftrsasigkey=%ckaid:22169af2dd143838caa67837bcfede1fde5d4e2a

same :)


More information about the Swan-dev mailing list