Load any type (RSA/ECDSA) of public key via left|rightsigkey

2025-10-06 00:00:47 -04:00 · 2013-04-01 16:42:53 +02:00 · 2013-04-01 16:42:53 +02:00 · 87692be215
commit 87692be215
parent fa1d3d39dc
15 changed files with 43 additions and 39 deletions
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@ -755,14 +755,16 @@ None of the kernel backends currently supports opaque or port ranges and uses
 .B %any
 for policy installation instead.
 .TP
-.BR leftrsasigkey " = <raw rsa public key> | <path to public key>"
-the left participant's public key for RSA signature authentication, in PKCS#1
-format using hex (0x prefix) or base64 (0s prefix) encoding. With the optional
+.BR leftsigkey " = <raw public key> | <path to public key>"
+the left participant's public key for public key signature authentication,
+in PKCS#1 format using hex (0x prefix) or base64 (0s prefix) encoding. With the
+optional
 .B dns:
 or
 .B ssh:
 prefix in front of 0x or 0s, the public key is expected to be in either
-the RFC 3110 or RFC 4253 public key format, respectively.
+the RFC 3110 (not the full RR, only RSA key part) or RFC 4253 public key format,
+respectively.
 Also accepted is the path to a file containing the public key in PEM or DER
 encoding.
 .TP
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@ -489,8 +489,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	pubkey = end->rsakey;
 	if (pubkey && !streq(pubkey, "") && !streq(pubkey, "%cert"))
 	{
-		certificate = this->cred->load_pubkey(this->cred, KEY_RSA, pubkey,
-											  identity);
+		certificate = this->cred->load_pubkey(this->cred, pubkey, identity);
 		if (certificate)
 		{
 			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@ -279,13 +279,13 @@ METHOD(stroke_cred_t, load_peer, certificate_t*,
 }

 METHOD(stroke_cred_t, load_pubkey, certificate_t*,
-	private_stroke_cred_t *this, key_type_t type, char *filename,
-	identification_t *identity)
+	private_stroke_cred_t *this, char *filename, identification_t *identity)
 {
 	certificate_t *cert;
+	public_key_t *key;
 	char path[PATH_MAX];
 	builder_part_t build_part;
-	key_type_t build_type = KEY_ANY;
+	key_type_t type = KEY_ANY;

 	if (streq(filename, "%dns"))
 	{
@ -294,8 +294,8 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 	if (strncaseeq(filename, "dns:", 4))
 	{	/* RFC 3110 format */
 		build_part = BUILD_BLOB_DNSKEY;
-		/* not a complete RR */
-		build_type = KEY_RSA;
+		/* not a complete RR, only RSA supported */
+		type = KEY_RSA;
 		filename += 4;
 	}
 	else if (strncaseeq(filename, "ssh:", 4))
@ -310,13 +310,12 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 	if (strncaseeq(filename, "0x", 2) || strncaseeq(filename, "0s", 2))
 	{
 		chunk_t printable_key, raw_key;
-		public_key_t *key;

 		printable_key = chunk_create(filename + 2, strlen(filename) - 2);
 		raw_key = strncaseeq(filename, "0x", 2) ?
 								 chunk_from_hex(printable_key, NULL) :
 								 chunk_from_base64(printable_key, NULL);
-		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, build_type,
+		key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, type,
 								 build_part, raw_key, BUILD_END);
 		chunk_free(&raw_key);
 		if (key)
@ -326,6 +325,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 									  BUILD_PUBLIC_KEY, key,
 									  BUILD_SUBJECT, identity,
 									  BUILD_END);
+			type = key->get_type(key);
 			key->destroy(key);
 			if (cert)
 			{
@ -335,8 +335,7 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 				return cert;
 			}
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" failed",
-			 key_type_names, type, identity);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" failed", identity);
 	}
 	else
 	{
@ -357,12 +356,15 @@ METHOD(stroke_cred_t, load_pubkey, certificate_t*,
 		if (cert)
 		{
 			cert = this->creds->add_cert_ref(this->creds, TRUE, cert);
+			key = cert->get_public_key(cert);
+			type = key->get_type(key);
+			key->destroy(key);
 			DBG1(DBG_CFG, "  loaded %N public key for \"%Y\" from '%s'",
 				 key_type_names, type, identity, filename);
 			return cert;
 		}
-		DBG1(DBG_CFG, "  loading %N public key for \"%Y\" from '%s' failed",
-			 key_type_names, type, identity, filename);
+		DBG1(DBG_CFG, "  loading public key for \"%Y\" from '%s' failed",
+			 identity, filename);
 	}
 	return NULL;
 }
--- a/src/libcharon/plugins/stroke/stroke_cred.h
+++ b/src/libcharon/plugins/stroke/stroke_cred.h
@ -68,13 +68,12 @@ struct stroke_cred_t {
 	/**
 	 * Load a raw public key and serve it through the credential_set.
 	 *
-	 * @param type			type of the raw public key (RSA or ECDSA)
-	 * @param filename		file to load raw public key from
+	 * @param filename		encoding or file to load raw public key from
 	 * @param identity		identity of the raw public key owner
 	 * @return				reference to loaded raw public key, or NULL
 	 */
-	certificate_t* (*load_pubkey)(stroke_cred_t *this, key_type_t type,
-								  char *filename, identification_t *identity);
+	certificate_t* (*load_pubkey)(stroke_cred_t *this, char *filename,
+								  identification_t *identity);

 	/**
 	 * Add a shared secret to serve through the credential_set.
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@ -108,7 +108,7 @@ typedef enum {
 	KW_AUTH2,
 	KW_ID,
 	KW_ID2,
-	KW_RSASIGKEY,
+	KW_SIGKEY,
 	KW_CERT,
 	KW_CERT2,
 	KW_CERTPOLICY,
@ -137,7 +137,7 @@ typedef enum {
 	KW_LEFTAUTH2,
 	KW_LEFTID,
 	KW_LEFTID2,
-	KW_LEFTRSASIGKEY,
+	KW_LEFTSIGKEY,
 	KW_LEFTCERT,
 	KW_LEFTCERT2,
 	KW_LEFTCERTPOLICY,
@ -166,7 +166,7 @@ typedef enum {
 	KW_RIGHTAUTH2,
 	KW_RIGHTID,
 	KW_RIGHTID2,
-	KW_RIGHTRSASIGKEY,
+	KW_RIGHTSIGKEY,
 	KW_RIGHTCERT,
 	KW_RIGHTCERT2,
 	KW_RIGHTCERTPOLICY,
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@ -96,7 +96,8 @@ leftauth,          KW_LEFTAUTH
 leftauth2,         KW_LEFTAUTH2
 leftid,            KW_LEFTID
 leftid2,           KW_LEFTID2
-leftrsasigkey,     KW_LEFTRSASIGKEY
+leftsigkey,        KW_LEFTSIGKEY
+leftrsasigkey,     KW_LEFTSIGKEY
 leftcert,          KW_LEFTCERT
 leftcert2,         KW_LEFTCERT2
 leftcertpolicy,    KW_LEFTCERTPOLICY
@ -120,7 +121,8 @@ rightauth,         KW_RIGHTAUTH
 rightauth2,        KW_RIGHTAUTH2
 rightid,           KW_RIGHTID
 rightid2,          KW_RIGHTID2
-rightrsasigkey,    KW_RIGHTRSASIGKEY
+rightsigkey,       KW_RIGHTSIGKEY
+rightrsasigkey,    KW_RIGHTSIGKEY
 rightcert,         KW_RIGHTCERT
 rightcert2,        KW_RIGHTCERT2
 rightcertpolicy,   KW_RIGHTCERTPOLICY
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf
@ -14,7 +14,7 @@ conn net-net
 	left=PH_IP_MOON
 	leftid=moon.strongswan.org
 	leftsubnet=10.1.0.0/16
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=sun.strongswan.org
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf
@ -14,7 +14,7 @@ conn net-net
 	left=PH_IP_SUN
 	leftid=sun.strongswan.org
 	leftsubnet=10.2.0.0/16
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf
@ -13,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=sunPub.der
+	rightsigkey=sunPub.der
 	rightauth=pubkey
 	auto=add
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf
@ -13,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=sunPub.der
+	leftsigkey=sunPub.der
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=moonPub.der
+	rightsigkey=moonPub.der
 	auto=add
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf
@ -13,12 +13,12 @@ conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
 	leftid=@moon.strongswan.org
-	leftrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	leftauth=pubkey
 	leftfirewall=yes
 	right=PH_IP_SUN
 	rightsubnet=10.2.0.0/16
 	rightid=@sun.strongswan.org
-	rightrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	rightauth=pubkey
 	auto=add
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf
@ -13,10 +13,10 @@ conn net-net
 	left=PH_IP_SUN
 	leftsubnet=10.2.0.0/16
 	leftid=@sun.strongswan.org
-	leftrsasigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
+	leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT
 	leftfirewall=yes
 	right=PH_IP_MOON
 	rightsubnet=10.1.0.0/16
 	rightid=@moon.strongswan.org
-	rightrsasigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
+	rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj
 	auto=add
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf
@ -13,7 +13,7 @@ conn home
 	left=%any
 	leftsourceip=%config
 	leftid=carol.strongswan.org
-	leftrsasigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
+	leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE="
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf
@ -13,7 +13,7 @@ conn home
 	left=%any
 	leftsourceip=%config
 	leftid=dave.strongswan.org
-	leftrsasigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
+	leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U="
 	leftauth=pubkey
 	leftfirewall=yes
 	right=moon.strongswan.org
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf
@ -14,7 +14,7 @@ conn rw
 	leftsubnet=10.1.0.0/16
 	leftid=moon.strongswan.org
 	leftauth=pubkey
-	leftrsasigkey=moonPub.der
+	leftsigkey=moonPub.der
 	leftfirewall=yes
 	right=%any
 	rightauth=pubkey