diff options
25 files changed, 301 insertions, 63 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c index 24fe623eb..22bbf6dc7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2012 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -304,7 +304,26 @@ static private_openssl_ec_private_key_t *create_empty(void) return this; } -/** +/* + * See header. + */ +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key) +{ + private_openssl_ec_private_key_t *this; + EC_KEY *ec; + + ec = EVP_PKEY_get1_EC_KEY(key); + EVP_PKEY_free(key); + if (!ec) + { + return NULL; + } + this = create_empty(); + this->ec = ec; + return &this->public.key; +} + +/* * See header. */ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type, diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h index f56c95aa1..84314f671 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -21,6 +21,8 @@ #ifndef OPENSSL_EC_PRIVATE_KEY_H_ #define OPENSSL_EC_PRIVATE_KEY_H_ +#include <openssl/evp.h> + #include <credentials/builder.h> #include <credentials/keys/private_key.h> @@ -61,4 +63,12 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type, openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type, va_list args); +/** + * Wrap an EVP_PKEY object of type EVP_PKEY_EC + * + * @param key EVP_PKEY_EC key object (adopted) + * @return loaded key, NULL on failure + */ +private_key_t *openssl_ec_private_key_create(EVP_PKEY *key); + #endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/ diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c index 705e96c69..bbd400cac 100644 --- a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c +++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c @@ -23,10 +23,6 @@ #include <library.h> #include <credentials/sets/mem_cred.h> -#ifdef OPENSSL_IS_BORINGSSL -#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type) -#endif - typedef struct private_pkcs12_t private_pkcs12_t; /** diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 1330427cf..ab73d718f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2008-2013 Tobias Brunner + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -269,6 +269,53 @@ static bool seed_rng() return TRUE; } +/** + * Generic key loader + */ +static private_key_t *openssl_private_key_load(key_type_t type, va_list args) +{ + chunk_t blob = chunk_empty; + EVP_PKEY *key; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (blob.ptr) + { + key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len); + if (key) + { + switch (EVP_PKEY_base_id(key)) + { +#ifndef OPENSSL_NO_RSA + case EVP_PKEY_RSA: + return openssl_rsa_private_key_create(key); +#endif +#ifndef OPENSSL_NO_ECDSA + case EVP_PKEY_EC: + return openssl_ec_private_key_create(key); +#endif + default: + EVP_PKEY_free(key); + break; + } + } + } + return NULL; +} + METHOD(plugin_t, get_name, char*, private_openssl_plugin_t *this) { @@ -504,6 +551,9 @@ METHOD(plugin_t, get_features, int, PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521), #endif #endif /* OPENSSL_NO_ECDSA */ + /* generic key loader */ + PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), PLUGIN_REGISTER(RNG, openssl_rng_create), PLUGIN_PROVIDE(RNG, RNG_STRONG), PLUGIN_PROVIDE(RNG, RNG_WEAK), diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index cf8c3d741..54ecf2542 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -1,7 +1,7 @@ /* + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -327,7 +327,7 @@ static private_openssl_rsa_private_key_t *create_empty() return this; } -/** +/* * See header. */ openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type, @@ -383,7 +383,26 @@ error: return NULL; } -/** +/* + * See header + */ +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key) +{ + private_openssl_rsa_private_key_t *this; + RSA *rsa; + + rsa = EVP_PKEY_get1_RSA(key); + EVP_PKEY_free(key); + if (!rsa) + { + return NULL; + } + this = create_empty(); + this->rsa = rsa; + return &this->public.key; +} + +/* * See header */ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, @@ -528,7 +547,7 @@ static bool login(ENGINE *engine, chunk_t keyid) } #endif /* OPENSSL_NO_ENGINE */ -/** +/* * See header. */ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h index 60889d651..34ce4c776 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h @@ -1,6 +1,6 @@ /* - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2008-2016 Tobias Brunner + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -21,6 +21,8 @@ #ifndef OPENSSL_RSA_PRIVATE_KEY_H_ #define OPENSSL_RSA_PRIVATE_KEY_H_ +#include <openssl/evp.h> + #include <credentials/builder.h> #include <credentials/keys/private_key.h> @@ -62,6 +64,14 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, va_list args); /** + * Wrap an EVP_PKEY object of type EVP_PKEY_RSA + * + * @param key EVP_PKEY_RSA key object (adopted) + * @return loaded key, NULL on failure + */ +private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key); + +/** * Connect to a RSA private key on a smartcard. * * Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h index f4186e8c4..7c5c367f7 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.h +++ b/src/libstrongswan/plugins/openssl/openssl_util.h @@ -136,6 +136,13 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj); time_t openssl_asn1_to_time(ASN1_TIME *time); /** + * Compatibility macros + */ +#ifdef OPENSSL_IS_BORINGSSL +#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type) +#endif + +/** * Macros to define fallback getters/setters to access keys (BIGNUM*) for types * that were made opaque with OpenSSL 1.1.0. */ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c index 767b3acf2..766832d39 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c @@ -1,8 +1,8 @@ /* + * Copyright (C) 2008-2016 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner * Copyright (C) 2000-2008 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -204,7 +204,6 @@ static private_key_t *parse_rsa_private_key(chunk_t blob) case PRIV_KEY_VERSION: if (object.len > 0 && *object.ptr != 0) { - DBG1(DBG_ASN, "PKCS#1 private key format is not version 1"); goto end; } break; @@ -249,6 +248,63 @@ end: } /** + * Check if the ASN.1 structure looks like an EC private key according to + * RFC 5915. + * + * ECPrivateKey :=: SEQUENCE { + * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), + * privateKey OCTET STRING, + * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, + * publicKey [1] BIT STRING OPTIONAL + * } + * + * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that + * paramaters MUST be included and publicKey SHOULD be. + */ +static bool is_ec_private_key(chunk_t blob) +{ + chunk_t data; + return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE && + asn1_unwrap(&blob, &data) == ASN1_INTEGER && + asn1_parse_integer_uint64(data) == 1 && + asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING && + asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 && + asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1; +} + +/** + * Check if the ASN.1 structure looks like a BLISS private key. + */ +static bool is_bliss_private_key(chunk_t blob) +{ + chunk_t data; + return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE && + asn1_unwrap(&blob, &data) == ASN1_OID && + asn1_unwrap(&blob, &data) == ASN1_BIT_STRING && + asn1_unwrap(&blob, &data) == ASN1_BIT_STRING && + asn1_unwrap(&blob, &data) == ASN1_BIT_STRING; +} + +/** + * Load a private key from an ASN.1 encoded blob trying to detect the type + * automatically. + */ +static private_key_t *parse_private_key(chunk_t blob) +{ + if (is_ec_private_key(blob)) + { + return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + BUILD_BLOB_ASN1_DER, blob, BUILD_END); + } + else if (is_bliss_private_key(blob)) + { + return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, + BUILD_BLOB_ASN1_DER, blob, BUILD_END); + } + return parse_rsa_private_key(blob); +} + +/** * See header. */ public_key_t *pkcs1_public_key_load(key_type_t type, va_list args) @@ -301,6 +357,14 @@ private_key_t *pkcs1_private_key_load(key_type_t type, va_list args) } break; } - return parse_rsa_private_key(blob); + switch (type) + { + case KEY_ANY: + return parse_private_key(blob); + case KEY_RSA: + return parse_rsa_private_key(blob); + default: + return NULL; + } } diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index eb0903d47..ec1bdf565 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -43,6 +43,10 @@ METHOD(plugin_t, get_features, int, { static plugin_feature_t f[] = { PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE), + PLUGIN_PROVIDE(PRIVKEY, KEY_ANY), + PLUGIN_SDEPEND(PRIVKEY, KEY_RSA), + PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA), + PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE), PLUGIN_PROVIDE(PRIVKEY, KEY_RSA), PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE), PLUGIN_PROVIDE(PUBKEY, KEY_ANY), diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index fdc43d705..b15f90199 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -117,6 +117,11 @@ static int issue() type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (!streq(arg, "pub")) { error = "invalid input type"; @@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { issue, 'i', "issue", "issue a certificate using a CA certificate and key", - {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex", + {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex", " --cacert file [--dn subject-dn] [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--pathlen len]", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index 3bc62e74d..f79120b31 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c @@ -26,7 +26,7 @@ static int keyid() { credential_type_t type = CRED_PRIVATE_KEY; - int subtype = KEY_RSA; + int subtype = KEY_ANY; certificate_t *cert; private_key_t *private; public_key_t *public; @@ -42,21 +42,29 @@ static int keyid() case 'h': return command_usage(NULL); case 't': - if (streq(arg, "rsa-priv")) + if (streq(arg, "rsa") || + streq(arg, "rsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_RSA; } - else if (streq(arg, "ecdsa-priv")) + else if (streq(arg, "ecdsa") || + streq(arg, "ecdsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } - else if (streq(arg, "bliss-priv")) + else if (streq(arg, "bliss") || + streq(arg, "bliss-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { keyid, 'k', "keyid", "calculate key identifiers of a key/certificate", - {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"}, + {"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, - {"type", 't', 1, "type of key, default: rsa-priv"}, + {"type", 't', 1, "type of key, default: priv"}, } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index c367a21a9..8cb0a7b5d 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -89,17 +89,25 @@ static int print() type = CRED_CERTIFICATE; subtype = CERT_TRUSTED_PUBKEY; } - else if (streq(arg, "rsa-priv")) + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } + else if (streq(arg, "rsa") || + streq(arg, "rsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_RSA; } - else if (streq(arg, "ecdsa-priv")) + else if (streq(arg, "ecdsa") || + streq(arg, "ecdsa-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_ECDSA; } - else if (streq(arg, "bliss-priv")) + else if (streq(arg, "bliss") || + streq(arg, "bliss-priv")) { type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; @@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { print, 'a', "print", "print a credential in a human readable form", - {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"}, + {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index ccc3c4251..1d876f6f7 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -28,7 +28,7 @@ static int pub() { cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER; credential_type_t type = CRED_PRIVATE_KEY; - int subtype = KEY_RSA; + int subtype = KEY_ANY; certificate_t *cert; private_key_t *private; public_key_t *public; @@ -59,6 +59,11 @@ static int pub() type = CRED_PRIVATE_KEY; subtype = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ANY; + } else if (streq(arg, "pub")) { type = CRED_PUBLIC_KEY; @@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { pub, 'p', "pub", "extract the public key from a private key/certificate", - {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]", + {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]", "[--outform der|pem|dnskey|sshkey]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "input file, default: stdin"}, {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of credential, default: rsa"}, + {"type", 't', 1, "type of credential, default: priv"}, {"outform", 'f', 1, "encoding of extracted public key, default: der"}, } }); diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 68d611250..23d07a28d 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -30,7 +30,7 @@ static int req() { cred_encoding_type_t form = CERT_ASN1_DER; - key_type_t type = KEY_RSA; + key_type_t type = KEY_ANY; hash_algorithm_t digest = HASH_UNKNOWN; certificate_t *cert = NULL; private_key_t *private = NULL; @@ -62,6 +62,10 @@ static int req() { type = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = KEY_ANY; + } else { error = "invalid input type"; @@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { req, 'r', "req", "create a PKCS#10 certificate request", - {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name", + {" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name", "[--san subjectAltName]+ [--password challengePassword]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, - {"type", 't', 1, "type of input key, default: rsa"}, + {"type", 't', 1, "type of input key, default: priv"}, {"dn", 'd', 1, "subject distinguished name"}, {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index f4e83c76c..6fb7b75ae 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -94,6 +94,10 @@ static int self() { type = KEY_BLISS; } + else if (streq(arg, "priv")) + { + type = KEY_ANY; + } else { error = "invalid input type"; @@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg() command_register((command_t) { self, 's', "self", "create a self signed certificate", - {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]", + {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+", @@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg() {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of input key, default: rsa"}, + {"type", 't', 1, "type of input key, default: priv"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index 20238b73d..bfc7bb1a5 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in @@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the key/request is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key), -\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request), -defaults to \fIpub\fR. +Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key), +\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS +private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to +\fIpub\fR. .TP .BI "\-k, \-\-cakey " file CA private key file. Either this or diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in index 490f7afea..c69f7cbc7 100644 --- a/src/pki/man/pki---keyid.1.in +++ b/src/pki/man/pki---keyid.1.in @@ -44,9 +44,10 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA -private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate -request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR. +Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), +\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key), +\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request), +\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR. . .SH "EXAMPLES" . diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in index 434d4ea16..09f81cdaa 100644 --- a/src/pki/man/pki---print.1.in +++ b/src/pki/man/pki---print.1.in @@ -44,10 +44,11 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA -private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR -(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), -defaults to \fIx509\fR. +Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate +Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key), +\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private +key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to +\fIx509\fR. . .SH "SEE ALSO" . diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in index c57e03a40..fe6c520f4 100644 --- a/src/pki/man/pki---pub.1.in +++ b/src/pki/man/pki---pub.1.in @@ -47,10 +47,9 @@ Read command line options from \fIfile\fR. Input file. If not given the input is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA -private key), \fIpub\fR (public key), -\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate), -defaults to \fIrsa\fR. +Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), +\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 +certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index a6f6a480a..4a39c5c94 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -49,7 +49,8 @@ Read command line options from \fIfile\fR. Private key input file. If not given the key is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type -Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, +defaults to \fIpriv\fR. .TP .BI "\-d, \-\-dn " distinguished-name Subject distinguished name (DN). Required. diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index 53f53f816..9461e3eff 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR. Key ID of a private key on a smartcard. .TP .BI "\-t, \-\-type " type -Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, +defaults to \fIpriv\fR. .TP .BI "\-d, \-\-dn " distinguished-name Subject and issuer distinguished name (DN). Required. diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 409387849..9ca759ea3 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -70,6 +70,7 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true + test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 4647934f7..6278f66b4 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-key"); - if (streq(type, "pkcs8")) + if (streq(type, "private") || + streq(type, "pkcs8")) { /* as used by vici */ vici_add_key_valuef(req, "type", "any"); } @@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype, credential_type_t credtype; int subtype; } map[] = { + { "private", CRED_PRIVATE_KEY, KEY_ANY, }, { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, }, { "rsa", CRED_PRIVATE_KEY, KEY_RSA, }, { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, }, @@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg, "eap", "xauth", "ike", + "private", "rsa", "ecdsa", "bliss", @@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); - load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); - load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); - load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); - load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); + load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR); + load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); + load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); + load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); + load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR); diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index 560e89513..eac1fc6d0 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -65,6 +66,11 @@ #define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey" /** + * Directory for private keys + */ +#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private" + +/** * Directory for RSA private keys */ #define SWANCTL_RSADIR SWANCTLDIR "/rsa" diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index c4d9f86d6..a7d6d9fc3 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -835,6 +835,15 @@ secrets.ike<suffix>.id<suffix> = may be specified, each having an _id_ prefix, if a secret is shared between multiple peers. +secrets.private<suffix> { # } + Private key decryption passphrase for a key in the _private_ folder. + +secrets.private<suffix>.file = + File name in the _private_ folder for which this passphrase should be used. + +secrets.private<suffix>.secret + Value of decryption passphrase for private key. + secrets.rsa<suffix> { # } Private key decryption passphrase for a key in the _rsa_ folder. |