Load any type (RSA/ECDSA) of public key via left|rightsigkey
authorTobias Brunner <tobias@strongswan.org>
Mon, 1 Apr 2013 14:42:53 +0000 (16:42 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 7 May 2013 15:08:31 +0000 (17:08 +0200)
15 files changed:
man/ipsec.conf.5.in
src/libcharon/plugins/stroke/stroke_config.c
src/libcharon/plugins/stroke/stroke_cred.c
src/libcharon/plugins/stroke/stroke_cred.h
src/starter/keywords.h
src/starter/keywords.txt
testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf

index a893353..4ee884b 100644 (file)
@@ -755,14 +755,16 @@ None of the kernel backends currently supports opaque or port ranges and uses
 .B %any
 for policy installation instead.
 .TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in PKCS#1
-format using hex (0x prefix) or base64 (0s prefix) encoding. With the optional
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
 .B dns:
 or
 .B ssh:
 prefix in front of 0x or 0s, the public key is expected to be in either
-the RFC 3110 or RFC 4253 public key format, respectively.
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
 Also accepted is the path to a file containing the public key in PEM or DER
 encoding.
 .TP
index 86f0fe4..988129f 100644 (file)
@@ -489,8 +489,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
        pubkey = end->rsakey;
        if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
        {
-               certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
-                                                                                         identity);
+               certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
                if (certificate)
                {
                        cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
index bee16c5..f24082e 100644 (file)
@@ -279,13 +279,13 @@ METHOD(stroke_cred_t, load_peer, certificate_t*,
 }
 
 METHOD(stroke_cred_t, load_pubkey, certificate_t*,
-       private_stroke_cred_t *this, key_type_t type, char *filename,
-       identification_t *identity)
+       private_stroke_cred_t *this, char *filename, identification_t *identity)
 {
        certificate_t *cert;
+       public_key_t *key;
        char path[PATH_MAX];
        builder_part_t build_part;
-       key_type_t build_type = KEY_ANY;
+       key_type_t type = KEY_ANY;
 
        if (streq(filename, "%dns"))
        {
@@ -294,8 +294,8 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
        if (strncaseeq(filename, "dns:", 4))
        {       /* RFC 3110 format */
                build_part = BUILD_BLOB_DNSKEY;
-               /* not a complete RR */
-               build_type = KEY_RSA;
+               /* not a complete RR, only RSA supported */
+               type = KEY_RSA;
                filename += 4;
        }
        else if (strncaseeq(filename, "ssh:", 4))
@@ -310,13 +310,12 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
        if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
        {
                chunk_t printable_key, raw_key;
-               public_key_t *key;
 
                printable_key = chunk_create(filename + 2, strlen(filename) - 2);
                raw_key = strncaseeq(filename, "0x", 2) ?
                                                                 chunk_from_hex(printable_key, NULL) :
                                                                 chunk_from_base64(printable_key, NULL);
-               key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, build_type,
+               key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
                                                                 build_part, raw_key, BUILD_END);
                chunk_free(&raw_key);
                if (key)
@@ -326,6 +325,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
                                                                          BUILD_PUBLIC_KEY, key,
                                                                          BUILD_SUBJECT, identity,
                                                                          BUILD_END);
+                       type = key->get_type(key);
                        key->destroy(key);
                        if (cert)
                        {
@@ -335,8 +335,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
                                return cert;
                        }
                }
-               DBG1(DBG_CFG, "  loading %N public key for \"%Y\" failed",
-                        key_type_names, type, identity);
+               DBG1(DBG_CFG, "  loading public key for \"%Y\" failed", identity);
        }
        else
        {
@@ -357,12 +356,15 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
                if (cert)
                {
                        cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+                       key = cert->get_public_key(cert);
+                       type = key->get_type(key);
+                       key->destroy(key);
                        DBG1(DBG_CFG, "  loaded %N public key for \"%Y\" from '%s'",
                                 key_type_names, type, identity, filename);
                        return cert;
                }
-               DBG1(DBG_CFG, "  loading %N public key for \"%Y\" from '%s' failed",
-                        key_type_names, type, identity, filename);
+               DBG1(DBG_CFG, "  loading public key for \"%Y\" from '%s' failed",
+                        identity, filename);
        }
        return NULL;
 }
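Review bot: The key taken from the freshly loaded certificate is dereferenced without a NULL check at `type = key->get_type(key);` — `certificate_t.get_public_key` may return NULL for certificate types that carry no key, and whether that can happen here depends on the build call above this hunk, which is not visible. Since `type` only feeds the debug message, a defensive form costs nothing: `key = cert->get_public_key(cert);` / `type = key ? key->get_type(key) : KEY_ANY;` / `DESTROY_IF(key);`. The same extraction in the 0x/0s branch (the hunk ending at `if (cert)`) is fine because `key` was already checked non-NULL there. load_pubkey's body starts before this hunk.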
index c37d058..f6fbb96 100644 (file)
@@ -68,13 +68,12 @@ struct stroke_cred_t {
        /**
         * Load a raw public key and serve it through the credential_set.
         *
-        * @param type                  type of the raw public key (RSA or ECDSA)
-        * @param filename              file to load raw public key from
+        * @param filename              encoding or file to load raw public key from
         * @param identity              identity of the raw public key owner
         * @return                              reference to loaded raw public key, or NULL
         */
-       certificate_t* (*load_pubkey)(stroke_cred_t *this, key_type_t type,
-                                                                 char *filename, identification_t *identity);
+       certificate_t* (*load_pubkey)(stroke_cred_t *this, char *filename,
+                                                                 identification_t *identity);
 
        /**
         * Add a shared secret to serve through the credential_set.
index 4a96a41..83ce4a7 100644 (file)
@@ -108,7 +108,7 @@ typedef enum {
        KW_AUTH2,
        KW_ID,
        KW_ID2,
-       KW_RSASIGKEY,
+       KW_SIGKEY,
        KW_CERT,
        KW_CERT2,
        KW_CERTPOLICY,
@@ -137,7 +137,7 @@ typedef enum {
        KW_LEFTAUTH2,
        KW_LEFTID,
        KW_LEFTID2,
-       KW_LEFTRSASIGKEY,
+       KW_LEFTSIGKEY,
        KW_LEFTCERT,
        KW_LEFTCERT2,
        KW_LEFTCERTPOLICY,
@@ -166,7 +166,7 @@ typedef enum {
        KW_RIGHTAUTH2,
        KW_RIGHTID,
        KW_RIGHTID2,
-       KW_RIGHTRSASIGKEY,
+       KW_RIGHTSIGKEY,
        KW_RIGHTCERT,
        KW_RIGHTCERT2,
        KW_RIGHTCERTPOLICY,
index cd964b0..20d35de 100644 (file)
@@ -96,7 +96,8 @@ leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
 leftid,            KW_LEFTID
 leftid2,           KW_LEFTID2
-leftrsasigkey,     KW_LEFTRSASIGKEY
+leftsigkey,        KW_LEFTSIGKEY
+leftrsasigkey,     KW_LEFTSIGKEY
 leftcert,          KW_LEFTCERT
 leftcert2,         KW_LEFTCERT2
 leftcertpolicy,    KW_LEFTCERTPOLICY
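Review bot: The old `leftrsasigkey` name is kept here as an alias of `KW_LEFTSIGKEY` (and `rightrsasigkey` likewise in the hunk below), but the man page hunk in this commit replaces the `leftrsasigkey` entry outright, so the compatibility alias becomes undocumented. A one-line addition under the new `leftsigkey` entry, e.g. `The former name .B leftrsasigkey is still accepted as a deprecated alias.`, keeps existing configurations explainable. A `# deprecated alias` remark next to the alias rows would make the intent visible to the next person editing this table, if the gperf input allows it.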
@@ -120,7 +121,8 @@ rightauth,         KW_RIGHTAUTH
 rightauth2,        KW_RIGHTAUTH2
 rightid,           KW_RIGHTID
 rightid2,          KW_RIGHTID2
-rightrsasigkey,    KW_RIGHTRSASIGKEY
+rightsigkey,       KW_RIGHTSIGKEY
+rightrsasigkey,    KW_RIGHTSIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
 rightcertpolicy,   KW_RIGHTCERTPOLICY
index 6c11645..ea10eb0 100644 (file)
@@ -14,7 +14,7 @@ conn net-net
        left=PH_IP_MOON
        leftid=moon.strongswan.org
        leftsubnet=10.1.0.0/16
-       leftrsasigkey=moonPub.der
+       leftsigkey=moonPub.der
        leftauth=pubkey
        leftfirewall=yes
        right=sun.strongswan.org
index 76e41cd..9e31005 100644 (file)
@@ -14,7 +14,7 @@ conn net-net
        left=PH_IP_SUN
        leftid=sun.strongswan.org
        leftsubnet=10.2.0.0/16
-       leftrsasigkey=sunPub.der
+       leftsigkey=sunPub.der
        leftauth=pubkey
        leftfirewall=yes
        right=moon.strongswan.org
index 29d15a6..bcc6d5b 100644 (file)
@@ -13,12 +13,12 @@ conn net-net
        left=PH_IP_MOON
        leftsubnet=10.1.0.0/16
        leftid=@moon.strongswan.org
-       leftrsasigkey=moonPub.der
+       leftsigkey=moonPub.der
        leftauth=pubkey
        leftfirewall=yes
        right=PH_IP_SUN
        rightsubnet=10.2.0.0/16
        rightid=@sun.strongswan.org
-       rightrsasigkey=sunPub.der
+       rightsigkey=sunPub.der
        rightauth=pubkey
        auto=add
index c60cf91..4fe2e67 100644 (file)
@@ -13,10 +13,10 @@ conn net-net
        left=PH_IP_SUN
        leftsubnet=10.2.0.0/16
        leftid=@sun.strongswan.org
-       leftrsasigkey=sunPub.der
+       leftsigkey=sunPub.der
        leftfirewall=yes
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightid=@moon.strongswan.org
-       rightrsasigkey=moonPub.der
+       rightsigkey=moonPub.der
        auto=add
index a2cb928..c0ee062 100644 (file)
@@ -13,12 +13,12 @@ conn net-net
        left=PH_IP_MOON
        leftsubnet=10.1.0.0/16
        leftid=@moon.strongswan.org
-       leftrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+       leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
        leftauth=pubkey
        leftfirewall=yes
        right=PH_IP_SUN
        rightsubnet=10.2.0.0/16
        rightid=@sun.strongswan.org
-       rightrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+       rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
        rightauth=pubkey
        auto=add
index 1c483fb..b089e9f 100644 (file)
@@ -13,10 +13,10 @@ conn net-net
        left=PH_IP_SUN
        leftsubnet=10.2.0.0/16
        leftid=@sun.strongswan.org
-       leftrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+       leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
        leftfirewall=yes
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightid=@moon.strongswan.org
-       rightrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+       rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
        auto=add
index baf5b61..082b18a 100644 (file)
@@ -13,7 +13,7 @@ conn home
        left=%any
        leftsourceip=%config
        leftid=carol.strongswan.org
-       leftrsasigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+       leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
        leftauth=pubkey
        leftfirewall=yes
        right=moon.strongswan.org
index 45d85e2..a68f981 100644 (file)
@@ -13,7 +13,7 @@ conn home
        left=%any
        leftsourceip=%config
        leftid=dave.strongswan.org
-       leftrsasigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+       leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
        leftauth=pubkey
        leftfirewall=yes
        right=moon.strongswan.org
index a199a48..74ddc6e 100644 (file)
@@ -14,7 +14,7 @@ conn rw
        leftsubnet=10.1.0.0/16
        leftid=moon.strongswan.org
        leftauth=pubkey
-       leftrsasigkey=moonPub.der
+       leftsigkey=moonPub.der
        leftfirewall=yes
        right=%any
        rightauth=pubkey