[Swan-dev] does basic-pluto-01-nosecrets have a usecase?

Paul Wouters paul at nohats.ca
Thu Sep 17 20:13:35 UTC 2020

On Wed, 16 Sep 2020, Andrew Cagney wrote:

> First, I believe ikev2-03-basic-rawrsa-ckaid is fixed.  It uses the CKAID to directly locate the raw key in the NSS DB.  To confirm it is
> working, look in west.pluto.log for "CKAID".The use case for this test is pretty easy:- generate the raw key
> - use certutil to find the ckaid
> - add ...ckaid= to the config file
> (how does the other end get the pubkey?)

To me this is not a real solution. It is a hack of loading multiple
partial conns to get one working conn out of it. You created this
test case, but I don't see the point in it. You are basically
re-arranging the deck chairs from : RSA {} into a partial conn.

> So what's the use case for basic-pluto-01-nosecrets?

It is the simple one conn case real humans would configure. It shows a
need for the : RSA {} section in ipsec.secrets or else it fails to load
and work. Ideally, this : RSA {} is not needed and it can just load the
connection and find the private key once it oriented and requires the
private key.

> For what it is worth, the fix means either a double lookup at "up" time:
> -> using @west find the raw rsapubkey
> -> using the raw rsapubkey's ckaid find the raw private key in the NSS DB
> or, like basic-pluto-01, an attempt to load the raw key during "add" time

loading a conn is a sufficiently rare event that doing a double lookup
does not seem to be a big impact?


More information about the Swan-dev mailing list