Merge branch 'priv-key-any'
Adds the ability to parse KEY_ANY keys via the pkcs1 and openssl plugins. This is then used in the pki utility, where private keys may now be loaded via `priv` keyword instead of having to specify the type of the key explicitly. And swanctl can load any type of key from the swanctl/private directory.
This commit is contained in:
commit
1bfa3f2a10
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright (C) 2008-2012 Tobias Brunner
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -304,7 +304,26 @@ static private_openssl_ec_private_key_t *create_empty(void)
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
/*
|
||||
* See header.
|
||||
*/
|
||||
private_key_t *openssl_ec_private_key_create(EVP_PKEY *key)
|
||||
{
|
||||
private_openssl_ec_private_key_t *this;
|
||||
EC_KEY *ec;
|
||||
|
||||
ec = EVP_PKEY_get1_EC_KEY(key);
|
||||
EVP_PKEY_free(key);
|
||||
if (!ec)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
this = create_empty();
|
||||
this->ec = ec;
|
||||
return &this->public.key;
|
||||
}
|
||||
|
||||
/*
|
||||
* See header.
|
||||
*/
|
||||
openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
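Review bot: openssl_ec_private_key_create calls `EVP_PKEY_free(key)` right after `EVP_PKEY_get1_EC_KEY` and before the NULL check, so the EVP_PKEY is consumed on every path, including the failure path where the function returns NULL; the `See header.` comment on the definition and the `(adopted)` tag in the header hunk do not say that, and a caller reading only the header might still try to free or reuse the key after a failed call. Suggested header wording: `@param key EVP_PKEY_EC key object (adopted; freed even when NULL is returned)`. The same remark applies to `openssl_rsa_private_key_create`, which this commit adds with the identical shape.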
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -21,6 +21,8 @@
|
|||
#ifndef OPENSSL_EC_PRIVATE_KEY_H_
|
||||
#define OPENSSL_EC_PRIVATE_KEY_H_
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <credentials/builder.h>
|
||||
#include <credentials/keys/private_key.h>
|
||||
|
||||
|
@ -61,4 +63,12 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
|
|||
openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
|
||||
va_list args);
|
||||
|
||||
/**
|
||||
* Wrap an EVP_PKEY object of type EVP_PKEY_EC
|
||||
*
|
||||
* @param key EVP_PKEY_EC key object (adopted)
|
||||
* @return loaded key, NULL on failure
|
||||
*/
|
||||
private_key_t *openssl_ec_private_key_create(EVP_PKEY *key);
|
||||
|
||||
#endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/
|
||||
|
|
|
@ -23,10 +23,6 @@
|
|||
#include <library.h>
|
||||
#include <credentials/sets/mem_cred.h>
|
||||
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
|
||||
#endif
|
||||
|
||||
typedef struct private_pkcs12_t private_pkcs12_t;
|
||||
|
||||
/**
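Review bot: With the BoringSSL fallback for EVP_PKEY_base_id removed here, pkcs12.c now depends on picking the macro up from openssl_util.h, where this commit moves it. The include lines visible in the hunk are only library.h and mem_cred.h; if openssl_util.h is not already among the includes above this hunk, a BoringSSL build of this file loses the definition. The full include list is outside the hunk, so this is only worth a quick confirmation.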
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright (C) 2008-2013 Tobias Brunner
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* Copyright (C) 2008 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -269,6 +269,53 @@ static bool seed_rng()
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generic key loader
|
||||
*/
|
||||
static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
|
||||
{
|
||||
chunk_t blob = chunk_empty;
|
||||
EVP_PKEY *key;
|
||||
|
||||
while (TRUE)
|
||||
{
|
||||
switch (va_arg(args, builder_part_t))
|
||||
{
|
||||
case BUILD_BLOB_ASN1_DER:
|
||||
blob = va_arg(args, chunk_t);
|
||||
continue;
|
||||
case BUILD_END:
|
||||
break;
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
if (blob.ptr)
|
||||
{
|
||||
key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
|
||||
if (key)
|
||||
{
|
||||
switch (EVP_PKEY_base_id(key))
|
||||
{
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
case EVP_PKEY_RSA:
|
||||
return openssl_rsa_private_key_create(key);
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ECDSA
|
||||
case EVP_PKEY_EC:
|
||||
return openssl_ec_private_key_create(key);
|
||||
#endif
|
||||
default:
|
||||
EVP_PKEY_free(key);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
METHOD(plugin_t, get_name, char*,
|
||||
private_openssl_plugin_t *this)
|
||||
{
|
||||
|
@ -504,6 +551,9 @@ METHOD(plugin_t, get_features, int,
|
|||
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
|
||||
#endif
|
||||
#endif /* OPENSSL_NO_ECDSA */
|
||||
/* generic key loader */
|
||||
PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
|
||||
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
|
||||
PLUGIN_REGISTER(RNG, openssl_rng_create),
|
||||
PLUGIN_PROVIDE(RNG, RNG_STRONG),
|
||||
PLUGIN_PROVIDE(RNG, RNG_WEAK),
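Review bot: openssl_private_key_load is registered for KEY_ANY with the final flag set, `PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE)`, while the pkcs1 plugin's KEY_ANY loader in this same commit is registered non-final. If a final builder that returns NULL stops the credential factory from trying further KEY_ANY builders, a DER blob OpenSSL cannot parse — a BLISS key, which pkcs1's parse_private_key does recognise — may never reach that fallback, depending on plugin load order; please confirm the intended interaction. Separately, the `Generic key loader` comment in the first hunk of this section could state the function's contract: only `BUILD_BLOB_ASN1_DER` is accepted, the blob goes to `d2i_AutoPrivateKey`, ownership of the resulting EVP_PKEY passes to the `*_private_key_create` helpers (which free it), and any other key type is freed and yields NULL.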
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -327,7 +327,7 @@ static private_openssl_rsa_private_key_t *create_empty()
|
|||
return this;
|
||||
}
|
||||
|
||||
/**
|
||||
/*
|
||||
* See header.
|
||||
*/
|
||||
openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
|
||||
|
@ -383,7 +383,26 @@ error:
|
|||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
/*
|
||||
* See header
|
||||
*/
|
||||
private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key)
|
||||
{
|
||||
private_openssl_rsa_private_key_t *this;
|
||||
RSA *rsa;
|
||||
|
||||
rsa = EVP_PKEY_get1_RSA(key);
|
||||
EVP_PKEY_free(key);
|
||||
if (!rsa)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
this = create_empty();
|
||||
this->rsa = rsa;
|
||||
return &this->public.key;
|
||||
}
|
||||
|
||||
/*
|
||||
* See header
|
||||
*/
|
||||
openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
|
||||
|
@ -528,7 +547,7 @@ static bool login(ENGINE *engine, chunk_t keyid)
|
|||
}
|
||||
#endif /* OPENSSL_NO_ENGINE */
|
||||
|
||||
/**
|
||||
/*
|
||||
* See header.
|
||||
*/
|
||||
openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -21,6 +21,8 @@
|
|||
#ifndef OPENSSL_RSA_PRIVATE_KEY_H_
|
||||
#define OPENSSL_RSA_PRIVATE_KEY_H_
|
||||
|
||||
#include <openssl/evp.h>
|
||||
|
||||
#include <credentials/builder.h>
|
||||
#include <credentials/keys/private_key.h>
|
||||
|
||||
|
@ -61,6 +63,14 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
|
|||
openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
|
||||
va_list args);
|
||||
|
||||
/**
|
||||
* Wrap an EVP_PKEY object of type EVP_PKEY_RSA
|
||||
*
|
||||
* @param key EVP_PKEY_RSA key object (adopted)
|
||||
* @return loaded key, NULL on failure
|
||||
*/
|
||||
private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key);
|
||||
|
||||
/**
|
||||
* Connect to a RSA private key on a smartcard.
|
||||
*
|
||||
|
|
|
@ -135,6 +135,13 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
|
|||
*/
|
||||
time_t openssl_asn1_to_time(ASN1_TIME *time);
|
||||
|
||||
/**
|
||||
* Compatibility macros
|
||||
*/
|
||||
#ifdef OPENSSL_IS_BORINGSSL
|
||||
#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Macros to define fallback getters/setters to access keys (BIGNUM*) for types
|
||||
* that were made opaque with OpenSSL 1.1.0.
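Review bot: The compatibility macro moved here expands its argument unparenthesised, `#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)`, so an argument that is an expression rather than a plain identifier (a cast, a conditional) would bind incorrectly. Use `#define EVP_PKEY_base_id(p) EVP_PKEY_type((p)->type)`. The text was carried over verbatim from pkcs12.c, but this header is now its shared home, so it is worth fixing at the same time.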
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
/*
|
||||
* Copyright (C) 2008-2016 Tobias Brunner
|
||||
* Copyright (C) 2008-2009 Martin Willi
|
||||
* Copyright (C) 2008 Tobias Brunner
|
||||
* Copyright (C) 2000-2008 Andreas Steffen
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -204,7 +204,6 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
|
|||
case PRIV_KEY_VERSION:
|
||||
if (object.len > 0 && *object.ptr != 0)
|
||||
{
|
||||
DBG1(DBG_ASN, "PKCS#1 private key format is not version 1");
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
|
@ -248,6 +247,63 @@ end:
|
|||
BUILD_RSA_EXP2, exp2, BUILD_RSA_COEFF, coeff, BUILD_END);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the ASN.1 structure looks like an EC private key according to
|
||||
* RFC 5915.
|
||||
*
|
||||
* ECPrivateKey :=: SEQUENCE {
|
||||
* version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
|
||||
* privateKey OCTET STRING,
|
||||
* parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
|
||||
* publicKey [1] BIT STRING OPTIONAL
|
||||
* }
|
||||
*
|
||||
* While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
|
||||
* paramaters MUST be included and publicKey SHOULD be.
|
||||
*/
|
||||
static bool is_ec_private_key(chunk_t blob)
|
||||
{
|
||||
chunk_t data;
|
||||
return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_INTEGER &&
|
||||
asn1_parse_integer_uint64(data) == 1 &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the ASN.1 structure looks like a BLISS private key.
|
||||
*/
|
||||
static bool is_bliss_private_key(chunk_t blob)
|
||||
{
|
||||
chunk_t data;
|
||||
return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_OID &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
|
||||
asn1_unwrap(&blob, &data) == ASN1_BIT_STRING;
|
||||
}
|
||||
|
||||
/**
|
||||
* Load a private key from an ASN.1 encoded blob trying to detect the type
|
||||
* automatically.
|
||||
*/
|
||||
static private_key_t *parse_private_key(chunk_t blob)
|
||||
{
|
||||
if (is_ec_private_key(blob))
|
||||
{
|
||||
return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
|
||||
BUILD_BLOB_ASN1_DER, blob, BUILD_END);
|
||||
}
|
||||
else if (is_bliss_private_key(blob))
|
||||
{
|
||||
return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
|
||||
BUILD_BLOB_ASN1_DER, blob, BUILD_END);
|
||||
}
|
||||
return parse_rsa_private_key(blob);
|
||||
}
|
||||
|
||||
/**
|
||||
* See header.
|
||||
*/
|
||||
|
@ -301,6 +357,14 @@ private_key_t *pkcs1_private_key_load(key_type_t type, va_list args)
|
|||
}
|
||||
break;
|
||||
}
|
||||
return parse_rsa_private_key(blob);
|
||||
switch (type)
|
||||
{
|
||||
case KEY_ANY:
|
||||
return parse_private_key(blob);
|
||||
case KEY_RSA:
|
||||
return parse_rsa_private_key(blob);
|
||||
default:
|
||||
return NULL;
|
||||
}
|
||||
}
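Review bot: parse_private_key forwards a blob that is_bliss_private_key accepted with `KEY_ECDSA` (the second `lib->creds->create` call), so a detected BLISS key is handed to the ECDSA builders, which cannot parse it; that call should pass `KEY_BLISS`. In addition, is_ec_private_key requires the trailing `[1]` publicKey element, whereas the comment above it correctly notes RFC 5915 only says it SHOULD be present, so an ECPrivateKey without publicKey falls through to parse_rsa_private_key and fails; matching up to `ASN1_CONTEXT_C_0` and treating `[1]` as optional keeps the heuristic safe, since version 1 plus an OCTET STRING plus `[0]` already rules out a PKCS#1 RSA key. Minor: `paramaters` in that comment should read `parameters`. The new `switch (type)` in pkcs1_private_key_load itself reads correctly: `KEY_ANY` goes through parse_private_key, `KEY_RSA` keeps the old path, and other types return NULL.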
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/*
|
||||
* Copyright (C) 2009 Martin Willi
|
||||
* Hochschule fuer Technik Rapperswil
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify it
|
||||
* under the terms of the GNU General Public License as published by the
|
||||
|
@ -42,6 +42,10 @@ METHOD(plugin_t, get_features, int,
|
|||
private_pkcs1_plugin_t *this, plugin_feature_t *features[])
|
||||
{
|
||||
static plugin_feature_t f[] = {
|
||||
PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
|
||||
PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
|
||||
PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
|
||||
PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
|
||||
PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
|
||||
PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
|
||||
PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
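Review bot: The KEY_ANY feature declares soft dependencies only on the RSA and ECDSA builders (`PLUGIN_SDEPEND(PRIVKEY, KEY_RSA)` and `PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA)`), yet parse_private_key in pkcs1_private_key.c also detects BLISS-shaped blobs and forwards them to lib->creds. Once that forwarding targets the BLISS builder, this list should add `PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),` so the plugin loader orders it before pkcs1's KEY_ANY loader as it does for the other two. get_features continues outside the hunk.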
|
||||
|
|
|
@ -117,6 +117,11 @@ static int issue()
|
|||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_BLISS;
|
||||
}
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ANY;
|
||||
}
|
||||
else if (!streq(arg, "pub"))
|
||||
{
|
||||
error = "invalid input type";
|
||||
|
@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
issue, 'i', "issue",
|
||||
"issue a certificate using a CA certificate and key",
|
||||
{"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
|
||||
{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
|
||||
" --cacert file [--dn subject-dn] [--san subjectAltName]+",
|
||||
"[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
|
||||
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
static int keyid()
|
||||
{
|
||||
credential_type_t type = CRED_PRIVATE_KEY;
|
||||
int subtype = KEY_RSA;
|
||||
int subtype = KEY_ANY;
|
||||
certificate_t *cert;
|
||||
private_key_t *private;
|
||||
public_key_t *public;
|
||||
|
@ -42,21 +42,29 @@ static int keyid()
|
|||
case 'h':
|
||||
return command_usage(NULL);
|
||||
case 't':
|
||||
if (streq(arg, "rsa-priv"))
|
||||
if (streq(arg, "rsa") ||
|
||||
streq(arg, "rsa-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_RSA;
|
||||
}
|
||||
else if (streq(arg, "ecdsa-priv"))
|
||||
else if (streq(arg, "ecdsa") ||
|
||||
streq(arg, "ecdsa-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ECDSA;
|
||||
}
|
||||
else if (streq(arg, "bliss-priv"))
|
||||
else if (streq(arg, "bliss") ||
|
||||
streq(arg, "bliss-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_BLISS;
|
||||
}
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ANY;
|
||||
}
|
||||
else if (streq(arg, "pub"))
|
||||
{
|
||||
type = CRED_PUBLIC_KEY;
|
||||
|
@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t)
|
||||
{ keyid, 'k', "keyid",
|
||||
"calculate key identifiers of a key/certificate",
|
||||
{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
|
||||
{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "input file, default: stdin"},
|
||||
{"type", 't', 1, "type of key, default: rsa-priv"},
|
||||
{"type", 't', 1, "type of key, default: priv"},
|
||||
}
|
||||
});
|
||||
}
|
||||
|
|
|
@ -89,17 +89,25 @@ static int print()
|
|||
type = CRED_CERTIFICATE;
|
||||
subtype = CERT_TRUSTED_PUBKEY;
|
||||
}
|
||||
else if (streq(arg, "rsa-priv"))
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ANY;
|
||||
}
|
||||
else if (streq(arg, "rsa") ||
|
||||
streq(arg, "rsa-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_RSA;
|
||||
}
|
||||
else if (streq(arg, "ecdsa-priv"))
|
||||
else if (streq(arg, "ecdsa") ||
|
||||
streq(arg, "ecdsa-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ECDSA;
|
||||
}
|
||||
else if (streq(arg, "bliss-priv"))
|
||||
else if (streq(arg, "bliss") ||
|
||||
streq(arg, "bliss-priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_BLISS;
|
||||
|
@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t)
|
||||
{ print, 'a', "print",
|
||||
"print a credential in a human readable form",
|
||||
{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
|
||||
{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "input file, default: stdin"},
|
||||
|
|
|
@ -28,7 +28,7 @@ static int pub()
|
|||
{
|
||||
cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
|
||||
credential_type_t type = CRED_PRIVATE_KEY;
|
||||
int subtype = KEY_RSA;
|
||||
int subtype = KEY_ANY;
|
||||
certificate_t *cert;
|
||||
private_key_t *private;
|
||||
public_key_t *public;
|
||||
|
@ -59,6 +59,11 @@ static int pub()
|
|||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_BLISS;
|
||||
}
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = CRED_PRIVATE_KEY;
|
||||
subtype = KEY_ANY;
|
||||
}
|
||||
else if (streq(arg, "pub"))
|
||||
{
|
||||
type = CRED_PUBLIC_KEY;
|
||||
|
@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
pub, 'p', "pub",
|
||||
"extract the public key from a private key/certificate",
|
||||
{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
|
||||
{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
|
||||
"[--outform der|pem|dnskey|sshkey]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "input file, default: stdin"},
|
||||
{"keyid", 'x', 1, "keyid on smartcard of private key"},
|
||||
{"type", 't', 1, "type of credential, default: rsa"},
|
||||
{"type", 't', 1, "type of credential, default: priv"},
|
||||
{"outform", 'f', 1, "encoding of extracted public key, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
static int req()
|
||||
{
|
||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||
key_type_t type = KEY_RSA;
|
||||
key_type_t type = KEY_ANY;
|
||||
hash_algorithm_t digest = HASH_UNKNOWN;
|
||||
certificate_t *cert = NULL;
|
||||
private_key_t *private = NULL;
|
||||
|
@ -62,6 +62,10 @@ static int req()
|
|||
{
|
||||
type = KEY_BLISS;
|
||||
}
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = KEY_ANY;
|
||||
}
|
||||
else
|
||||
{
|
||||
error = "invalid input type";
|
||||
|
@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
req, 'r', "req",
|
||||
"create a PKCS#10 certificate request",
|
||||
{" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
|
||||
{" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
|
||||
"[--san subjectAltName]+ [--password challengePassword]",
|
||||
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
|
||||
"[--outform der|pem]"},
|
||||
{
|
||||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "private key input file, default: stdin"},
|
||||
{"type", 't', 1, "type of input key, default: rsa"},
|
||||
{"type", 't', 1, "type of input key, default: priv"},
|
||||
{"dn", 'd', 1, "subject distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in cert request"},
|
||||
{"password",'p', 1, "challengePassword to include in cert request"},
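Review bot: req() now defaults `type` to KEY_ANY and accepts `--type priv`; that is fine for the load call, but any later use of `type` in this function — selecting a digest or signature scheme by key type, for instance — would now see KEY_ANY instead of the concrete algorithm and should derive it from `private->get_type(private)` instead. The rest of req() is outside these hunks, so this is only a request to check; the same applies to self() in self.c, which receives the identical change.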
|
||||
|
|
|
@ -94,6 +94,10 @@ static int self()
|
|||
{
|
||||
type = KEY_BLISS;
|
||||
}
|
||||
else if (streq(arg, "priv"))
|
||||
{
|
||||
type = KEY_ANY;
|
||||
}
|
||||
else
|
||||
{
|
||||
error = "invalid input type";
|
||||
|
@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
|
|||
command_register((command_t) {
|
||||
self, 's', "self",
|
||||
"create a self signed certificate",
|
||||
{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
|
||||
{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
|
||||
" --dn distinguished-name [--san subjectAltName]+",
|
||||
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
|
||||
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
|
||||
|
@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"help", 'h', 0, "show usage information"},
|
||||
{"in", 'i', 1, "private key input file, default: stdin"},
|
||||
{"keyid", 'x', 1, "keyid on smartcard of private key"},
|
||||
{"type", 't', 1, "type of input key, default: rsa"},
|
||||
{"type", 't', 1, "type of input key, default: priv"},
|
||||
{"dn", 'd', 1, "subject and issuer distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in certificate"},
|
||||
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
|
||||
|
|
|
@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the
|
|||
key/request is read from \fISTDIN\fR.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key),
|
||||
\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request),
|
||||
defaults to \fIpub\fR.
|
||||
Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
|
||||
\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
|
||||
private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
|
||||
\fIpub\fR.
|
||||
.TP
|
||||
.BI "\-k, \-\-cakey " file
|
||||
CA private key file. Either this or
|
||||
|
|
|
@ -44,9 +44,10 @@ Read command line options from \fIfile\fR.
|
|||
Input file. If not given the input is read from \fISTDIN\fR.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
|
||||
private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
|
||||
request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
|
||||
Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
|
||||
\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
|
||||
\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request),
|
||||
\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
|
||||
.
|
||||
.SH "EXAMPLES"
|
||||
.
|
||||
|
|
|
@ -44,10 +44,11 @@ Read command line options from \fIfile\fR.
|
|||
Input file. If not given the input is read from \fISTDIN\fR.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
|
||||
private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
|
||||
(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
|
||||
defaults to \fIx509\fR.
|
||||
Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
|
||||
Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
|
||||
\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
|
||||
key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
|
||||
\fIx509\fR.
|
||||
.
|
||||
.SH "SEE ALSO"
|
||||
.
|
||||
|
|
|
@ -47,10 +47,9 @@ Read command line options from \fIfile\fR.
|
|||
Input file. If not given the input is read from \fISTDIN\fR.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
|
||||
private key), \fIpub\fR (public key),
|
||||
\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
|
||||
defaults to \fIrsa\fR.
|
||||
Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
|
||||
\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
|
||||
certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
|
||||
|
|
|
@ -49,7 +49,8 @@ Read command line options from \fIfile\fR.
|
|||
Private key input file. If not given the key is read from \fISTDIN\fR.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
|
||||
Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
|
||||
defaults to \fIpriv\fR.
|
||||
.TP
|
||||
.BI "\-d, \-\-dn " distinguished-name
|
||||
Subject distinguished name (DN). Required.
|
||||
|
|
|
@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR.
|
|||
Key ID of a private key on a smartcard.
|
||||
.TP
|
||||
.BI "\-t, \-\-type " type
|
||||
Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
|
||||
Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
|
||||
defaults to \fIpriv\fR.
|
||||
.TP
|
||||
.BI "\-d, \-\-dn " distinguished-name
|
||||
Subject and issuer distinguished name (DN). Required.
|
||||
|
|
|
@ -70,6 +70,7 @@ install-data-local: swanctl.conf
|
|||
test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
|
||||
test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
* Copyright (C) 2014 Martin Willi
|
||||
* Copyright (C) 2014 revosec AG
|
||||
*
|
||||
* Copyright (C) 2016 Tobias Brunner
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
|
@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
|
|||
|
||||
req = vici_begin("load-key");
|
||||
|
||||
if (streq(type, "pkcs8"))
|
||||
if (streq(type, "private") ||
|
||||
streq(type, "pkcs8"))
|
||||
{ /* as used by vici */
|
||||
vici_add_key_valuef(req, "type", "any");
|
||||
}
|
||||
|
@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
|
|||
credential_type_t credtype;
|
||||
int subtype;
|
||||
} map[] = {
|
||||
{ "private", CRED_PRIVATE_KEY, KEY_ANY, },
|
||||
{ "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
|
||||
{ "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
|
||||
{ "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
|
||||
|
@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
|
|||
"eap",
|
||||
"xauth",
|
||||
"ike",
|
||||
"private",
|
||||
"rsa",
|
||||
"ecdsa",
|
||||
"bliss",
|
||||
|
@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
|
|||
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
|
||||
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
|
||||
|
||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
|
||||
load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
|
||||
load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
|
||||
load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
|
||||
load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
|
||||
load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
|
||||
|
||||
load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
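Review bot: load_creds_cfg now loads the new `private` directory first and load_key maps that type to vici type `any`, so a file placed there is parsed by whichever KEY_ANY builders the daemon has registered rather than by a type-specific loader. A short comment on the new load_keys line, such as `/* type-agnostic: the daemon detects the key type via its KEY_ANY builders */`, would make that dependency visible to whoever adds the next key type. The `private` entries added to determine_credtype's map and to load_secret's type list are consistent with this.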
|
||||
|
||||
|
|
|
@ -2,6 +2,7 @@
|
|||
* Copyright (C) 2014 Martin Willi
|
||||
* Copyright (C) 2014 revosec AG
|
||||
*
|
||||
* Copyright (C) 2016 Tobias Brunner
|
||||
* Copyright (C) 2015 Andreas Steffen
|
||||
* HSR Hochschule fuer Technik Rapperswil
|
||||
*
|
||||
|
@ -64,6 +65,11 @@
|
|||
*/
|
||||
#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
|
||||
|
||||
/**
|
||||
* Directory for private keys
|
||||
*/
|
||||
#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
|
||||
|
||||
/**
|
||||
* Directory for RSA private keys
|
||||
*/
|
||||
|
|
|
@ -835,6 +835,15 @@ secrets.ike<suffix>.id<suffix> =
|
|||
may be specified, each having an _id_ prefix, if a secret is shared between
|
||||
multiple peers.
|
||||
|
||||
secrets.private<suffix> { # }
|
||||
Private key decryption passphrase for a key in the _private_ folder.
|
||||
|
||||
secrets.private<suffix>.file =
|
||||
File name in the _private_ folder for which this passphrase should be used.
|
||||
|
||||
secrets.private<suffix>.secret
|
||||
Value of decryption passphrase for private key.
|
||||
|
||||
secrets.rsa<suffix> { # }
|
||||
Private key decryption passphrase for a key in the _rsa_ folder.
|
||||
|
||||
|
|