.B %any
for policy installation instead.
.TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in PKCS#1
-format using hex (0x prefix) or base64 (0s prefix) encoding. With the optional
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
.B dns:
or
.B ssh:
prefix in front of 0x or 0s, the public key is expected to be in either
-the RFC 3110 or RFC 4253 public key format, respectively.
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
Also accepted is the path to a file containing the public key in PEM or DER
encoding.
.TP
pubkey = end->rsakey;
if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
{
- certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
- identity);
+ certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
if (certificate)
{
cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
}
METHOD(stroke_cred_t, load_pubkey, certificate_t*,
- private_stroke_cred_t *this, key_type_t type, char *filename,
- identification_t *identity)
+ private_stroke_cred_t *this, char *filename, identification_t *identity)
{
certificate_t *cert;
+ public_key_t *key;
char path[PATH_MAX];
builder_part_t build_part;
- key_type_t build_type = KEY_ANY;
+ key_type_t type = KEY_ANY;
if (streq(filename, "%dns"))
{
if (strncaseeq(filename, "dns:", 4))
{ /* RFC 3110 format */
build_part = BUILD_BLOB_DNSKEY;
- /* not a complete RR */
- build_type = KEY_RSA;
+ /* not a complete RR, only RSA supported */
+ type = KEY_RSA;
filename += 4;
}
else if (strncaseeq(filename, "ssh:", 4))
if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
{
chunk_t printable_key, raw_key;
- public_key_t *key;
printable_key = chunk_create(filename + 2, strlen(filename) - 2);
raw_key = strncaseeq(filename, "0x", 2) ?
chunk_from_hex(printable_key, NULL) :
chunk_from_base64(printable_key, NULL);
- key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, build_type,
+ key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
build_part, raw_key, BUILD_END);
chunk_free(&raw_key);
if (key)
BUILD_PUBLIC_KEY, key,
BUILD_SUBJECT, identity,
BUILD_END);
+ type = key->get_type(key);
key->destroy(key);
if (cert)
{
return cert;
}
}
- DBG1(DBG_CFG, " loading %N public key for \"%Y\" failed",
- key_type_names, type, identity);
+ DBG1(DBG_CFG, " loading public key for \"%Y\" failed", identity);
}
else
{
if (cert)
{
cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+ key = cert->get_public_key(cert);
+ type = key->get_type(key);
+ key->destroy(key);
DBG1(DBG_CFG, " loaded %N public key for \"%Y\" from '%s'",
key_type_names, type, identity, filename);
return cert;
}
- DBG1(DBG_CFG, " loading %N public key for \"%Y\" from '%s' failed",
- key_type_names, type, identity, filename);
+ DBG1(DBG_CFG, " loading public key for \"%Y\" from '%s' failed",
+ identity, filename);
}
return NULL;
}
/**
* Load a raw public key and serve it through the credential_set.
*
- * @param type type of the raw public key (RSA or ECDSA)
- * @param filename file to load raw public key from
+ * @param filename encoding or file to load raw public key from
* @param identity identity of the raw public key owner
* @return reference to loaded raw public key, or NULL
*/
- certificate_t* (*load_pubkey)(stroke_cred_t *this, key_type_t type,
- char *filename, identification_t *identity);
+ certificate_t* (*load_pubkey)(stroke_cred_t *this, char *filename,
+ identification_t *identity);
/**
* Add a shared secret to serve through the credential_set.
KW_AUTH2,
KW_ID,
KW_ID2,
- KW_RSASIGKEY,
+ KW_SIGKEY,
KW_CERT,
KW_CERT2,
KW_CERTPOLICY,
KW_LEFTAUTH2,
KW_LEFTID,
KW_LEFTID2,
- KW_LEFTRSASIGKEY,
+ KW_LEFTSIGKEY,
KW_LEFTCERT,
KW_LEFTCERT2,
KW_LEFTCERTPOLICY,
KW_RIGHTAUTH2,
KW_RIGHTID,
KW_RIGHTID2,
- KW_RIGHTRSASIGKEY,
+ KW_RIGHTSIGKEY,
KW_RIGHTCERT,
KW_RIGHTCERT2,
KW_RIGHTCERTPOLICY,
leftauth2, KW_LEFTAUTH2
leftid, KW_LEFTID
leftid2, KW_LEFTID2
-leftrsasigkey, KW_LEFTRSASIGKEY
+leftsigkey, KW_LEFTSIGKEY
+leftrsasigkey, KW_LEFTSIGKEY
leftcert, KW_LEFTCERT
leftcert2, KW_LEFTCERT2
leftcertpolicy, KW_LEFTCERTPOLICY
rightauth2, KW_RIGHTAUTH2
rightid, KW_RIGHTID
rightid2, KW_RIGHTID2
-rightrsasigkey, KW_RIGHTRSASIGKEY
+rightsigkey, KW_RIGHTSIGKEY
+rightrsasigkey, KW_RIGHTSIGKEY
rightcert, KW_RIGHTCERT
rightcert2, KW_RIGHTCERT2
rightcertpolicy, KW_RIGHTCERTPOLICY
left=PH_IP_MOON
leftid=moon.strongswan.org
leftsubnet=10.1.0.0/16
- leftrsasigkey=moonPub.der
+ leftsigkey=moonPub.der
leftauth=pubkey
leftfirewall=yes
right=sun.strongswan.org
left=PH_IP_SUN
leftid=sun.strongswan.org
leftsubnet=10.2.0.0/16
- leftrsasigkey=sunPub.der
+ leftsigkey=sunPub.der
leftauth=pubkey
leftfirewall=yes
right=moon.strongswan.org
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
- leftrsasigkey=moonPub.der
+ leftsigkey=moonPub.der
leftauth=pubkey
leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
- rightrsasigkey=sunPub.der
+ rightsigkey=sunPub.der
rightauth=pubkey
auto=add
left=PH_IP_SUN
leftsubnet=10.2.0.0/16
leftid=@sun.strongswan.org
- leftrsasigkey=sunPub.der
+ leftsigkey=sunPub.der
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- rightrsasigkey=moonPub.der
+ rightsigkey=moonPub.der
auto=add
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
- leftrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+ leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
leftauth=pubkey
leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
- rightrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+ rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
rightauth=pubkey
auto=add
left=PH_IP_SUN
leftsubnet=10.2.0.0/16
leftid=@sun.strongswan.org
- leftrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+ leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
- rightrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+ rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
auto=add
left=%any
leftsourceip=%config
leftid=carol.strongswan.org
- leftrsasigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+ leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
leftauth=pubkey
leftfirewall=yes
right=moon.strongswan.org
left=%any
leftsourceip=%config
leftid=dave.strongswan.org
- leftrsasigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+ leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
leftauth=pubkey
leftfirewall=yes
right=moon.strongswan.org
leftsubnet=10.1.0.0/16
leftid=moon.strongswan.org
leftauth=pubkey
- leftrsasigkey=moonPub.der
+ leftsigkey=moonPub.der
leftfirewall=yes
right=%any
rightauth=pubkey