[Swan] RSA keys help
Kostya Vasilyev
kman at fastmail.com
Wed Jan 23 19:58:12 UTC 2019
On Wed, Jan 23, 2019, at 10:14 PM, Paul Wouters wrote:
> On Wed, 23 Jan 2019, Kostya Vasilyev wrote:
>
> > p12 would be fine - since that opens up a way to exchange with other formats.
> >
> > But right now importing or exporting to/from NSS seems to be limited to *certificates* not keys...
>
> import and export work fine.
You are exporting and importing certificates (with their keys). Not keys by themselves.

What I meant is:

1 - Generate host key

ipsec newhostkey
Generated RSA key pair with CKAID 904e2f6f7062f268218fe9ae6df500d36794fadb was stored in the NSS database

2 - List keys in NSS

certutil -d sql:/var/lib/ipsec/nss/ -K
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa f72f337df81658d9f1192d6714a3074e9b006d12 mytunnel_server_2
< 1> rsa 904e2f6f7062f268218fe9ae6df500d36794fadb (orphan)

OK, the "orphan" is the new one just created by newhostkey

3 - Try to export (to p12)

??? now what ???

pk12util -d sql:/var/lib/ipsec/nss/ -H
Usage: pk12util -o exportfile -n certname

No way (as far as I can tell) to export the 904e2f6f7062f268218fe9ae6df500d36794fadb which is a standalone ("orphan") key.

Same with import I believe (although I'm not sure if I'm doing it right).

1 - Create a p12 with just a private key and no certificate

openssl pkcs12 -export -out test.p12 -inkey mytunnel_server_2.key -nocerts

2 - Check what we got there

openssl pkcs12 -info -in test.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes: <No Attributes>
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Look ma, no cert.

3 - Try to import into NSS

pk12util -d sql:. -i test.p12 -W ""
pk12util: PKCS12 decode validate bags failed: SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. Error attempting to import private key.

The "Error attempting to import private key" is a deliberate policy decision in NSS (although it is a p12!).

Which brings me back to:

The only way to bring a server public / private key into libreswan (and have it interoperate with the harsh outside world that doesn't understand raw RSA keys) is to use a certificate, import that into NSS, and then use leftrsasigkey=%cert.

And I'm just saying it would be nice if there was a more direct path (openssl format -> p12 -> NSS for keys specifically).

But for now I've got my tunnel up and running with RSA keys (from cert) so everything is fine, just took time to figure out.

-- K

>
> [root@thinkpad tmp]# certutil -L -d sql:/etc/ipsec.d
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> letoams.nohats.ca                                            u,u,u
> Certificate Agency (CA) - No Hats Corporation                CT,,
> pwouters.nohats.ca                                           u,u,u
> Certificate Agency (CA) - NetDev                             CT,,
> strongWest                                                   u,u,u
> strongSwan CA - strongSwan                                   CT,,
>
> [root@thinkpad tmp]# certutil -K -d sql:/etc/ipsec.d
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa 2ad438fc7f3b65706f0381520f9f106a9eba7a96 letoams.nohats.ca
> < 1> rsa 12fad02b4cfdd324049101ed1e79d5066cfc965d (orphan)
> < 2> rsa 1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca
> < 3> rsa b9d591b99433b94ccc27af7f19235fe0e01b9214 (orphan)
> < 4> ec 38ccad88c730f0cad273369617d2df83ecee02ae strongWest
>
> [root@thinkpad tmp]# pk12util -o test.p12 -d sql:/etc/ipsec.d -W password -n pwouters.nohats.ca
> pk12util: PKCS12 EXPORT SUCCESSFUL
>
> [root@thinkpad tmp]# ls -l test.p12
> -rw------- 1 root root 3907 Jan 23 14:11 test.p12
> [root@thinkpad tmp]# mkdir /tmp/test
> [root@thinkpad tmp]# ipsec initnss --nssdir /tmp/test
> Initializing NSS database
>
> [root@thinkpad tmp]# ipsec import --nssdir /tmp/test test.p12
> Enter password for PKCS12 file:
> pk12util: PKCS12 IMPORT SUCCESSFUL
> correcting trust bits for Certificate Agency (CA) - NetDev
> [root@thinkpad tmp]# certutil -L -d sql:/tmp/test
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> pwouters.nohats.ca                                           u,u,u
> Certificate Agency (CA) - NetDev                             CT,,
> [root@thinkpad tmp]# certutil -K -d sql:/tmp/test
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa 1d20a472e6e75c7cee710e7304b7b10223cc8ab9 pwouters.nohats.ca
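
The workaround this thread arrives at (give the bare key a certificate so that NSS accepts the p12), as an added example that is not part of the original messages. The function names and the P12_PASS environment variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: p12_cert_count,
# wrap_key_as_p12, import_into_nss. The PKCS#12 password is read from the
# exported environment variable P12_PASS so it never appears in openssl's argv.

# Print the number of certificates in a PKCS#12 file. 0 means a keys-only
# bundle, the case NSS rejects with SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY.
# (Also prints 0 if the file cannot be decoded with P12_PASS.)
p12_cert_count() {  # usage: p12_cert_count FILE.p12
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Wrap an existing PEM private key in a self-signed certificate and bundle
# both into a PKCS#12 file. The friendly name becomes the NSS nickname.
wrap_key_as_p12() {  # usage: wrap_key_as_p12 KEY.pem NICKNAME OUT.p12
    key=$1 nick=$2 out=$3
    crt=$(mktemp) || return 1
    # The certificate only carries the public key and a name for NSS.
    openssl req -new -x509 -key "$key" -subj "/CN=$nick" -days 3650 \
        -out "$crt" &&
    ( umask 077   # the bundle holds a private key: owner-only permissions
      openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$nick" \
          -out "$out" -passout env:P12_PASS )
    rc=$?
    rm -f "$crt"
    return $rc
}

# Import into an NSS database, refusing keys-only bundles up front.
import_into_nss() {  # usage: import_into_nss FILE.p12 NSSDIR
    if [ "$(p12_cert_count "$1")" -eq 0 ]; then
        echo "refusing: $1 contains no certificate, NSS will not import it" >&2
        return 1
    fi
    # -W puts the password on the command line, as in the thread's own calls.
    pk12util -d "sql:$2" -i "$1" -W "$P12_PASS"
}
```

After a successful import, `certutil -K` on that database should list the key under the chosen nickname rather than as "(orphan)", and the connection can then use leftrsasigkey=%cert as described in the thread.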