[Swan-dev] does basic-pluto-01-nosecrets have a usecase?

Andrew Cagney andrew.cagney at gmail.com
Thu Sep 17 02:35:07 UTC 2020


First, I believe ikev2-03-basic-rawrsa-ckaid is fixed.  It uses
the CKAID to directly locate the raw key in the NSS DB.  To confirm it is
working, look in west.pluto.log for "CKAID".

The use case for this test is pretty easy:
- generate the raw key
- use certutil to find the ckaid
- add ...ckaid= to the config file
(how does the other end get the pubkey?)

So what's the use case for basic-pluto-01-nosecrets?  Why would an end use
this when they can specify the raw key using the ckaid?  And what sequence
of commands would be used to configure it?

For what it is worth, the fix means either a double lookup at "up" time:
-> using @west find the raw rsapubkey
-> using the raw rsapubkey's ckaid find the raw private key in the NSS DB
or, like basic-pluto-01, an attempt to load the raw key during "add" time.