[Swan-dev] How to specify a CKAID in the config file

Andrew Cagney andrew.cagney at gmail.com
Tue May 3 18:27:30 UTC 2016 

FYI,

I've pushed sufficient code to hopefully let us play.

First, whack, it seems somewhat straight forward:

whack --ckaid CKAID
whack --cert NICKNAME
- follows existing "--cert NICKNAME" behaviour, that is: look in NSS
DB for a certificate matching CKAID|NICKNAME; the certificate's ID is
saved (see load_end_nss_certificate); when a connection opens, the ID
is used to search for a matching pubkey (see RSA_check_signature_gen)
- an alternative would be to search for the ID xor CKAID in
RSA_check_signature_gen
- RSA_check_signature_gen should perhaps re-check the NSS DB

whack --cert NICKNAME --ckaid CKAID
- should error out; mutually exclusive

whack  --dnskeyondemand ( --ckaid CKAID | --cert NICKNAME )
- per-above will find the certificate matching CKAID|NICKNAME and try
matching on the certificate's ID; but if it fails it will then try
DNS; at least that is what I think RSA_check_signature_gen does

I'm sitting on (testing) a patch to get something like the following working:

whack --keyid FOO --addkey --pubkeyrsa RFC-2537 ...
whack ... --ckaid RFC-2537-CKAID ...

For this I've one question:

- instead of imitating <<--cert NICKNAME>> and using the cert's ID,
should it use CKAID when looking for matching public keys in
RSA_check_signature_gen

Next is ipsec.conf, lets try:

leftckaid=HEX
- just like whack ... --ckaid HEX ...

leftcert=nickname
- just like whack ... --cert NICKNAME ... ; this would make the
existing "invalid" behaviour "official", and make leftrsasigkey=%cert
redundant

leftckaid=HEX leftcert=nickname
- just like whack; an error

leftrsasigkey=RFC-2537 leftrsasigkey2=RFC-2537-2 leftckaid=RFC-2537-CKAID-2
- note that even pubkeys added by an unrelated connection like "conn
rsapubkeys leftrsasigkey=... rightrsasigkey=" are included in the
CKAID search
- similar to whack --keyid ... ; whack ... --ckaid ...????
- I'm guessing --leftid is treated like whack's --keyid, but the
behaviour seems fast and loose
- I'm really left wondering if ipsec.secrets would be better as a way
to provide non certificate pubkeys (or just document the above "conn
rsapubkeys hack" :-)

leftrsasigkey=%dnsondemand leftckaid=HEX
- similar to whack --dnskeyondemand --ckaid ....
- I suspect, like whack, there should be a separate explicit
dnskeyondemand={yes,no}; it reflects how the code is designed

As for ipsec.secrets, any RSA pubkeys end up in &pluto_secrets instead
of &pluto_pubkeys, so, if there's interest in having that work I'll
need to change it.

Andrew

More information about the Swan-dev mailing list