[Swan] RSA keys help

Kostya Vasilyev kman at fastmail.com
Wed Jan 23 19:58:12 UTC 2019 

On Wed, Jan 23, 2019, at 10:14 PM, Paul Wouters wrote:
> On Wed, 23 Jan 2019, Kostya Vasilyev wrote:
> 
> > p12 would be fine - since that opens up a way to exchange with other formats.
> >
> > But right now importing or exporting to/from NSS seems to be limited to *certificates* not keys...
> 
> import and export work fine.

You are exporting and importing certificates (with their keys). Not keys by themselves.

What I meant is:

1 - Generate host key

ipsec newhostkey
Generated RSA key pair with CKAID 904e2f6f7062f268218fe9ae6df500d36794fadb was stored in the NSS database

2 - List keys in NSS

certutil -d sql:/var/lib/ipsec/nss/ -K 
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      f72f337df81658d9f1192d6714a3074e9b006d12   mytunnel_server_2
< 1> rsa      904e2f6f7062f268218fe9ae6df500d36794fadb   (orphan)

OK, the "orphan" is the new one just created by newhostkey

3 - Try to export (to p12)

??? now what ???

pk12util -d sql:/var/lib/ipsec/nss/ -H

Usage:	 pk12util -o exportfile -n certname

No way (as far as I can tell) to export the 904e2f6f7062f268218fe9ae6df500d36794fadb which is a standalone ("orphan") key.

Same with import I believe (although I'm not sure if I'm doing it right).

1 - Create a p12 with just a private key and no certificate

openssl pkcs12 -export -out test.p12 -inkey mytunnel_server_2.key -nocerts

2 - Check what we got there

openssl pkcs12 -info -in test.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes: <No Attributes>
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Look ma, no cert.

3 - Try to import into NSS

pk12util -d sql:. -i test.p12 -W ""
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.  Error attempting to import private key.

The "Error attempting to import private key" is a deliberate policy decision in NSS (although it is a p12!).

Which brings me back to:

The only way to bring a server public / private key into libreswan (and have it interoperate with the harsh outside world that doesn't understand raw RSA keys) is to use a certificate, import that into NSS, and then use leftrsasigkey=%cert.

And I'm just saying it would be nice if there was a more direct path (openssl format -> p12 -> NSS for keys specifically).

But for now I've got my tunnel up and running with RSA keys (from cert) so everything is fine, just took time to figure out.

-- K

> 
> [root at thinkpad tmp]# certutil -L -d sql:/etc/ipsec.d
> Certificate Nickname                                         Trust
> Attributes
>                                                               SSL,S/MIME,JAR/XPI
> 
> letoams.nohats.ca                                            u,u,u
> Certificate Agency (CA) - No Hats Corporation                CT,, 
> pwouters.nohats.ca                                           u,u,u
> Certificate Agency (CA) - NetDev                             CT,, 
> strongWest                                                   u,u,u
> strongSwan CA - strongSwan                                   CT,,
> 
> [root at thinkpad tmp]# certutil -K -d sql:/etc/ipsec.d
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private 
> Key and Certificate Services"
> < 0> rsa      2ad438fc7f3b65706f0381520f9f106a9eba7a96 letoams.nohats.ca
> < 1> rsa      12fad02b4cfdd324049101ed1e79d5066cfc965d   (orphan)
> < 2> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 
> pwouters.nohats.ca
> < 3> rsa      b9d591b99433b94ccc27af7f19235fe0e01b9214   (orphan)
> < 4> ec       38ccad88c730f0cad273369617d2df83ecee02ae   strongWest
> 
> [root at thinkpad tmp]# pk12util -o test.p12 -d sql:/etc/ipsec.d -W 
> password -n pwouters.nohats.ca 
> pk12util: PKCS12 EXPORT SUCCESSFUL
> 
> [root at thinkpad tmp]# ls -l test.p12
> -rw------- 1 root root 3907 Jan 23 14:11 test.p12
> [root at thinkpad tmp]# mkdir /tmp/test
> [root at thinkpad tmp]# ipsec initnss --nssdir /tmp/test
> Initializing NSS database
> 
> [root at thinkpad tmp]# ipsec import --nssdir /tmp/test test.p12
> Enter password for PKCS12 file: 
> pk12util: PKCS12 IMPORT SUCCESSFUL
> correcting trust bits for Certificate Agency (CA) - NetDev
> [root at thinkpad tmp]# certutil -L -d sql:/tmp/test
> 
> Certificate Nickname                                         Trust
> Attributes
>                                                               SSL,S/MIME,JAR/XPI
> 
> pwouters.nohats.ca                                           u,u,u
> Certificate Agency (CA) - NetDev                             CT,, 
> [root at thinkpad tmp]# certutil -K -d sql:/tmp/test
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
> Key and Certificate Services"
> < 0> rsa      1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca

More information about the Swan mailing list