Merge branch 'priv-key-any'

Adds the ability to parse KEY_ANY keys via the pkcs1 and openssl plugins.
This is then used in the pki utility, where private keys may now be
loaded via `priv` keyword instead of having to specify the type of the key
explicitly.  And swanctl can load any type of key from the swanctl/private
directory.

src/libstrongswan/plugins/openssl/openssl_ec_private_key.c

@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -304,7 +304,26 @@ static private_openssl_ec_private_key_t *create_empty(void)
 	return this;
 }
 
-/**
+/*
+ * See header.
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key)
+{
+	private_openssl_ec_private_key_t *this;
+	EC_KEY *ec;
+
+	ec = EVP_PKEY_get1_EC_KEY(key);
+	EVP_PKEY_free(key);
+	if (!ec)
+	{
+		return NULL;
+	}
+	this = create_empty();
+	this->ec = ec;
+	return &this->public.key;
+}
+
+/*
  * See header.
  */
 openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,

src/libstrongswan/plugins/openssl/openssl_ec_private_key.h

@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
 #ifndef OPENSSL_EC_PRIVATE_KEY_H_
 #define OPENSSL_EC_PRIVATE_KEY_H_
 
+#include <openssl/evp.h>
+
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
@@ -61,4 +63,12 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
 openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
 													  va_list args);
 
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_EC
+ *
+ * @param key		EVP_PKEY_EC key object (adopted)
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key);
+
 #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/

src/libstrongswan/plugins/openssl/openssl_pkcs12.c

@@ -23,10 +23,6 @@
 #include <library.h>
 #include <credentials/sets/mem_cred.h>
 
-#ifdef OPENSSL_IS_BORINGSSL
-#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
-#endif
-
 typedef struct private_pkcs12_t private_pkcs12_t;
 
 /**

src/libstrongswan/plugins/openssl/openssl_plugin.c

@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2008-2013 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -269,6 +269,53 @@ static bool seed_rng()
 	return TRUE;
 }
 
+/**
+ * Generic key loader
+ */
+static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
+{
+	chunk_t blob = chunk_empty;
+	EVP_PKEY *key;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (blob.ptr)
+	{
+		key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+		if (key)
+		{
+			switch (EVP_PKEY_base_id(key))
+			{
+#ifndef OPENSSL_NO_RSA
+				case EVP_PKEY_RSA:
+					return openssl_rsa_private_key_create(key);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+				case EVP_PKEY_EC:
+					return openssl_ec_private_key_create(key);
+#endif
+				default:
+					EVP_PKEY_free(key);
+					break;
+			}
+		}
+	}
+	return NULL;
+}
+
 METHOD(plugin_t, get_name, char*,
 	private_openssl_plugin_t *this)
 {
@@ -504,6 +551,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
 #endif
 #endif /* OPENSSL_NO_ECDSA */
+		/* generic key loader */
+		PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 		PLUGIN_REGISTER(RNG, openssl_rng_create),
 			PLUGIN_PROVIDE(RNG, RNG_STRONG),
 			PLUGIN_PROVIDE(RNG, RNG_WEAK),

src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c

@@ -1,7 +1,7 @@
 /*
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -327,7 +327,7 @@ static private_openssl_rsa_private_key_t *create_empty()
 	return this;
 }
 
-/**
+/*
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
@@ -383,7 +383,26 @@ error:
 	return NULL;
 }
 
-/**
+/*
+ * See header
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key)
+{
+	private_openssl_rsa_private_key_t *this;
+	RSA *rsa;
+
+	rsa = EVP_PKEY_get1_RSA(key);
+	EVP_PKEY_free(key);
+	if (!rsa)
+	{
+		return NULL;
+	}
+	this = create_empty();
+	this->rsa = rsa;
+	return &this->public.key;
+}
+
+/*
  * See header
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
@@ -528,7 +547,7 @@ static bool login(ENGINE *engine, chunk_t keyid)
 }
 #endif /* OPENSSL_NO_ENGINE */
 
-/**
+/*
  * See header.
  */
 openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,

src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h

@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
 #ifndef OPENSSL_RSA_PRIVATE_KEY_H_
 #define OPENSSL_RSA_PRIVATE_KEY_H_
 
+#include <openssl/evp.h>
+
 #include <credentials/builder.h>
 #include <credentials/keys/private_key.h>
 
@@ -61,6 +63,14 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
 openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
 														va_list args);
 
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_RSA
+ *
+ * @param key		EVP_PKEY_RSA key object (adopted)
+ * @return 			loaded key, NULL on failure
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key);
+
 /**
  * Connect to a RSA private key on a smartcard.
  *

src/libstrongswan/plugins/openssl/openssl_util.h

@@ -135,6 +135,13 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
  */
 time_t openssl_asn1_to_time(ASN1_TIME *time);
 
+/**
+ * Compatibility macros
+ */
+#ifdef OPENSSL_IS_BORINGSSL
+#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
+#endif
+
 /**
  * Macros to define fallback getters/setters to access keys (BIGNUM*) for types
  * that were made opaque with OpenSSL 1.1.0.

src/libstrongswan/plugins/pkcs1/pkcs1_builder.c

@@ -1,8 +1,8 @@
 /*
+ * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
  * Copyright (C) 2000-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -204,7 +204,6 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
 			case PRIV_KEY_VERSION:
 				if (object.len > 0 && *object.ptr != 0)
 				{
-					DBG1(DBG_ASN, "PKCS#1 private key format is not version 1");
 					goto end;
 				}
 				break;
@@ -248,6 +247,63 @@ end:
 			BUILD_RSA_EXP2, exp2, BUILD_RSA_COEFF, coeff, BUILD_END);
 }
 
+/**
+ * Check if the ASN.1 structure looks like an EC private key according to
+ * RFC 5915.
+ *
+ * ECPrivateKey :=: SEQUENCE {
+ *   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ *   privateKey     OCTET STRING,
+ *   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ *   publicKey  [1] BIT STRING OPTIONAL
+ * }
+ *
+ * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
+ * paramaters MUST be included and publicKey SHOULD be.
+ */
+static bool is_ec_private_key(chunk_t blob)
+{
+	chunk_t data;
+	return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+		   asn1_unwrap(&blob, &data) == ASN1_INTEGER &&
+		   asn1_parse_integer_uint64(data) == 1 &&
+		   asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 &&
+		   asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1;
+}
+
+/**
+ * Check if the ASN.1 structure looks like a BLISS private key.
+ */
+static bool is_bliss_private_key(chunk_t blob)
+{
+	chunk_t data;
+	return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+		   asn1_unwrap(&blob, &data) == ASN1_OID &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+		   asn1_unwrap(&blob, &data) == ASN1_BIT_STRING;
+}
+
+/**
+ * Load a private key from an ASN.1 encoded blob trying to detect the type
+ * automatically.
+ */
+static private_key_t *parse_private_key(chunk_t blob)
+{
+	if (is_ec_private_key(blob))
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								  BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	}
+	else if (is_bliss_private_key(blob))
+	{
+		return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+								  BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	}
+	return parse_rsa_private_key(blob);
+}
+
 /**
  * See header.
  */
@@ -301,6 +357,14 @@ private_key_t *pkcs1_private_key_load(key_type_t type, va_list args)
 		}
 		break;
 	}
-	return parse_rsa_private_key(blob);
+	switch (type)
+	{
+		case KEY_ANY:
+			return parse_private_key(blob);
+		case KEY_RSA:
+			return parse_rsa_private_key(blob);
+		default:
+			return NULL;
+	}
 }
 

src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -42,6 +42,10 @@ METHOD(plugin_t, get_features, int,
 	private_pkcs1_plugin_t *this, plugin_feature_t *features[])
 {
 	static plugin_feature_t f[] = {
+		PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
 		PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),

src/pki/commands/issue.c

@@ -117,6 +117,11 @@ static int issue()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (!streq(arg, "pub"))
 				{
 					error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",

src/pki/commands/keyid.c

@@ -26,7 +26,7 @@
 static int keyid()
 {
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
 			case 'h':
 				return command_usage(NULL);
 			case 't':
-				if (streq(arg, "rsa-priv"))
+				if (streq(arg, "rsa") ||
+					streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+		{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"type",	't', 1, "type of key, default: rsa-priv"},
+			{"type",	't', 1, "type of key, default: priv"},
 		}
 	});
 }

src/pki/commands/print.c

@@ -89,17 +89,25 @@ static int print()
 					type = CRED_CERTIFICATE;
 					subtype = CERT_TRUSTED_PUBKEY;
 				}
-				else if (streq(arg, "rsa-priv"))
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
+				else if (streq(arg, "rsa") ||
+						 streq(arg, "rsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_RSA;
 				}
-				else if (streq(arg, "ecdsa-priv"))
+				else if (streq(arg, "ecdsa") ||
+						 streq(arg, "ecdsa-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
-				else if (streq(arg, "bliss-priv"))
+				else if (streq(arg, "bliss") ||
+						 streq(arg, "bliss-priv"))
 				{
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},

src/pki/commands/pub.c

@@ -28,7 +28,7 @@ static int pub()
 {
 	cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
 	credential_type_t type = CRED_PRIVATE_KEY;
-	int subtype = KEY_RSA;
+	int subtype = KEY_ANY;
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ANY;
+				}
 				else if (streq(arg, "pub"))
 				{
 					type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		pub, 'p', "pub",
 		"extract the public key from a private key/certificate",
-		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+		{"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
 		 "[--outform der|pem|dnskey|sshkey]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
 			{"keyid",	'x', 1, "keyid on smartcard of private key"},
-			{"type",	't', 1, "type of credential, default: rsa"},
+			{"type",	't', 1, "type of credential, default: priv"},
 			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
 	});

src/pki/commands/req.c

@@ -30,7 +30,7 @@
 static int req()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	key_type_t type = KEY_RSA;
+	key_type_t type = KEY_ANY;
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+		{"  [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
-			{"type",	't', 1, "type of input key, default: rsa"},
+			{"type",	't', 1, "type of input key, default: priv"},
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
 			{"password",'p', 1, "challengePassword to include in cert request"},

src/pki/commands/self.c

@@ -94,6 +94,10 @@ static int self()
 				{
 					type = KEY_BLISS;
 				}
+				else if (streq(arg, "priv"))
+				{
+					type = KEY_ANY;
+				}
 				else
 				{
 					error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
 			{"keyid",			'x', 1, "keyid on smartcard of private key"},
-			{"type",			't', 1, "type of input key, default: rsa"},
+			{"type",			't', 1, "type of input key, default: priv"},
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},

src/pki/man/pki---issue.1.in

@@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the
 key/request is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key),
-\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request),
-defaults to \fIpub\fR.
+Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
+private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
+\fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or

src/pki/man/pki---keyid.1.in

@@ -44,9 +44,10 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
-request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
+\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request),
+\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
 .
 .SH "EXAMPLES"
 .

src/pki/man/pki---print.1.in

@@ -44,10 +44,11 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
-defaults to \fIx509\fR.
+Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
+Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
+\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
+key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
+\fIx509\fR.
 .
 .SH "SEE ALSO"
 .

src/pki/man/pki---pub.1.in

@@ -47,10 +47,9 @@ Read command line options from \fIfile\fR.
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIpub\fR (public key),
-\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
-defaults to \fIrsa\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
+certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
 .TP
 .BI "\-f, \-\-outform " encoding
 Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR

src/pki/man/pki---req.1.in

@@ -49,7 +49,8 @@ Read command line options from \fIfile\fR.
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject distinguished name (DN). Required.

src/pki/man/pki---self.1.in

@@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR.
 Key ID of a private key on a smartcard.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.

src/swanctl/Makefile.am

@@ -70,6 +70,7 @@ install-data-local: swanctl.conf
 	test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
 	test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
 	test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+	test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
 	test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
 	test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true

src/swanctl/commands/load_creds.c

@@ -2,6 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 
 	req = vici_begin("load-key");
 
-	if (streq(type, "pkcs8"))
+	if (streq(type, "private") ||
+		streq(type, "pkcs8"))
 	{	/* as used by vici */
 		vici_add_key_valuef(req, "type", "any");
 	}
@@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
 		credential_type_t credtype;
 		int subtype;
 	} map[] = {
+		{ "private",		CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "pkcs8",			CRED_PRIVATE_KEY,		KEY_ANY,			},
 		{ "rsa",			CRED_PRIVATE_KEY,		KEY_RSA,			},
 		{ "ecdsa",			CRED_PRIVATE_KEY,		KEY_ECDSA,			},
@@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"eap",
 		"xauth",
 		"ike",
+		"private",
 		"rsa",
 		"ecdsa",
 		"bliss",
@@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
 	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "rsa",   SWANCTL_RSADIR);
-	load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
-	load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
-	load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+	load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
+	load_keys(conn, format, noprompt, cfg, "rsa",     SWANCTL_RSADIR);
+	load_keys(conn, format, noprompt, cfg, "ecdsa",   SWANCTL_ECDSADIR);
+	load_keys(conn, format, noprompt, cfg, "bliss",   SWANCTL_BLISSDIR);
+	load_keys(conn, format, noprompt, cfg, "pkcs8",   SWANCTL_PKCS8DIR);
 
 	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
 

src/swanctl/swanctl.h

@@ -2,6 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -64,6 +65,11 @@
  */
 #define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
 
+/**
+ * Directory for private keys
+ */
+#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+
 /**
  * Directory for RSA private keys
  */

src/swanctl/swanctl.opt

@@ -835,6 +835,15 @@ secrets.ike<suffix>.id<suffix> =
 	may be specified, each having an _id_ prefix, if a secret is shared between
 	multiple peers.
 
+secrets.private<suffix> { # }
+	Private key decryption passphrase for a key in the _private_ folder.
+
+secrets.private<suffix>.file =
+	File name in the _private_ folder for which this passphrase should be used.
+
+secrets.private<suffix>.secret
+	Value of decryption passphrase for private key.
+
 secrets.rsa<suffix> { # }
 	Private key decryption passphrase for a key in the _rsa_ folder.