aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_private_key.c25
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_ec_private_key.h14
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_pkcs12.c4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_plugin.c54
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c29
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h14
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_util.h7
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_builder.c72
-rw-r--r--src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c6
-rw-r--r--src/pki/commands/issue.c7
-rw-r--r--src/pki/commands/keyid.c20
-rw-r--r--src/pki/commands/print.c16
-rw-r--r--src/pki/commands/pub.c11
-rw-r--r--src/pki/commands/req.c10
-rw-r--r--src/pki/commands/self.c8
-rw-r--r--src/pki/man/pki---issue.1.in7
-rw-r--r--src/pki/man/pki---keyid.1.in7
-rw-r--r--src/pki/man/pki---print.1.in9
-rw-r--r--src/pki/man/pki---pub.1.in7
-rw-r--r--src/pki/man/pki---req.1.in3
-rw-r--r--src/pki/man/pki---self.1.in3
-rw-r--r--src/swanctl/Makefile.am1
-rw-r--r--src/swanctl/commands/load_creds.c15
-rw-r--r--src/swanctl/swanctl.h6
-rw-r--r--src/swanctl/swanctl.opt9
25 files changed, 301 insertions, 63 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index 24fe623eb..22bbf6dc7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2008-2012 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -304,7 +304,26 @@ static private_openssl_ec_private_key_t *create_empty(void)
return this;
}
-/**
+/*
+ * See header.
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key)
+{
+ private_openssl_ec_private_key_t *this;
+ EC_KEY *ec;
+
+ ec = EVP_PKEY_get1_EC_KEY(key);
+ EVP_PKEY_free(key);
+ if (!ec)
+ {
+ return NULL;
+ }
+ this = create_empty();
+ this->ec = ec;
+ return &this->public.key;
+}
+
+/*
* See header.
*/
openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
index f56c95aa1..84314f671 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.h
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
#ifndef OPENSSL_EC_PRIVATE_KEY_H_
#define OPENSSL_EC_PRIVATE_KEY_H_
+#include <openssl/evp.h>
+
#include <credentials/builder.h>
#include <credentials/keys/private_key.h>
@@ -61,4 +63,12 @@ openssl_ec_private_key_t *openssl_ec_private_key_gen(key_type_t type,
openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type,
va_list args);
+/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_EC
+ *
+ * @param key EVP_PKEY_EC key object (adopted)
+ * @return loaded key, NULL on failure
+ */
+private_key_t *openssl_ec_private_key_create(EVP_PKEY *key);
+
#endif /** OPENSSL_EC_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
index 705e96c69..bbd400cac 100644
--- a/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
+++ b/src/libstrongswan/plugins/openssl/openssl_pkcs12.c
@@ -23,10 +23,6 @@
#include <library.h>
#include <credentials/sets/mem_cred.h>
-#ifdef OPENSSL_IS_BORINGSSL
-#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
-#endif
-
typedef struct private_pkcs12_t private_pkcs12_t;
/**
diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
index 1330427cf..ab73d718f 100644
--- a/src/libstrongswan/plugins/openssl/openssl_plugin.c
+++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c
@@ -1,7 +1,7 @@
/*
- * Copyright (C) 2008-2013 Tobias Brunner
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -269,6 +269,53 @@ static bool seed_rng()
return TRUE;
}
+/**
+ * Generic key loader
+ */
+static private_key_t *openssl_private_key_load(key_type_t type, va_list args)
+{
+ chunk_t blob = chunk_empty;
+ EVP_PKEY *key;
+
+ while (TRUE)
+ {
+ switch (va_arg(args, builder_part_t))
+ {
+ case BUILD_BLOB_ASN1_DER:
+ blob = va_arg(args, chunk_t);
+ continue;
+ case BUILD_END:
+ break;
+ default:
+ return NULL;
+ }
+ break;
+ }
+
+ if (blob.ptr)
+ {
+ key = d2i_AutoPrivateKey(NULL, (const u_char**)&blob.ptr, blob.len);
+ if (key)
+ {
+ switch (EVP_PKEY_base_id(key))
+ {
+#ifndef OPENSSL_NO_RSA
+ case EVP_PKEY_RSA:
+ return openssl_rsa_private_key_create(key);
+#endif
+#ifndef OPENSSL_NO_ECDSA
+ case EVP_PKEY_EC:
+ return openssl_ec_private_key_create(key);
+#endif
+ default:
+ EVP_PKEY_free(key);
+ break;
+ }
+ }
+ }
+ return NULL;
+}
+
METHOD(plugin_t, get_name, char*,
private_openssl_plugin_t *this)
{
@@ -504,6 +551,9 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ECDSA_521),
#endif
#endif /* OPENSSL_NO_ECDSA */
+ /* generic key loader */
+ PLUGIN_REGISTER(PRIVKEY, openssl_private_key_load, TRUE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
PLUGIN_REGISTER(RNG, openssl_rng_create),
PLUGIN_PROVIDE(RNG, RNG_STRONG),
PLUGIN_PROVIDE(RNG, RNG_WEAK),
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
index cf8c3d741..54ecf2542 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c
@@ -1,7 +1,7 @@
/*
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -327,7 +327,7 @@ static private_openssl_rsa_private_key_t *create_empty()
return this;
}
-/**
+/*
* See header.
*/
openssl_rsa_private_key_t *openssl_rsa_private_key_gen(key_type_t type,
@@ -383,7 +383,26 @@ error:
return NULL;
}
-/**
+/*
+ * See header
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key)
+{
+ private_openssl_rsa_private_key_t *this;
+ RSA *rsa;
+
+ rsa = EVP_PKEY_get1_RSA(key);
+ EVP_PKEY_free(key);
+ if (!rsa)
+ {
+ return NULL;
+ }
+ this = create_empty();
+ this->rsa = rsa;
+ return &this->public.key;
+}
+
+/*
* See header
*/
openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
@@ -528,7 +547,7 @@ static bool login(ENGINE *engine, chunk_t keyid)
}
#endif /* OPENSSL_NO_ENGINE */
-/**
+/*
* See header.
*/
openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type,
diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
index 60889d651..34ce4c776 100644
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
+++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.h
@@ -1,6 +1,6 @@
/*
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2008-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -21,6 +21,8 @@
#ifndef OPENSSL_RSA_PRIVATE_KEY_H_
#define OPENSSL_RSA_PRIVATE_KEY_H_
+#include <openssl/evp.h>
+
#include <credentials/builder.h>
#include <credentials/keys/private_key.h>
@@ -62,6 +64,14 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type,
va_list args);
/**
+ * Wrap an EVP_PKEY object of type EVP_PKEY_RSA
+ *
+ * @param key EVP_PKEY_RSA key object (adopted)
+ * @return loaded key, NULL on failure
+ */
+private_key_t *openssl_rsa_private_key_create(EVP_PKEY *key);
+
+/**
* Connect to a RSA private key on a smartcard.
*
* Accepts the BUILD_SMARTCARD_KEYID and the BUILD_SMARTCARD_PIN
diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h
index f4186e8c4..7c5c367f7 100644
--- a/src/libstrongswan/plugins/openssl/openssl_util.h
+++ b/src/libstrongswan/plugins/openssl/openssl_util.h
@@ -136,6 +136,13 @@ int openssl_asn1_known_oid(ASN1_OBJECT *obj);
time_t openssl_asn1_to_time(ASN1_TIME *time);
/**
+ * Compatibility macros
+ */
+#ifdef OPENSSL_IS_BORINGSSL
+#define EVP_PKEY_base_id(p) EVP_PKEY_type(p->type)
+#endif
+
+/**
* Macros to define fallback getters/setters to access keys (BIGNUM*) for types
* that were made opaque with OpenSSL 1.1.0.
*/
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 767b3acf2..766832d39 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -1,8 +1,8 @@
/*
+ * Copyright (C) 2008-2016 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
* Copyright (C) 2000-2008 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -204,7 +204,6 @@ static private_key_t *parse_rsa_private_key(chunk_t blob)
case PRIV_KEY_VERSION:
if (object.len > 0 && *object.ptr != 0)
{
- DBG1(DBG_ASN, "PKCS#1 private key format is not version 1");
goto end;
}
break;
@@ -249,6 +248,63 @@ end:
}
/**
+ * Check if the ASN.1 structure looks like an EC private key according to
+ * RFC 5915.
+ *
+ * ECPrivateKey :=: SEQUENCE {
+ * version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+ * privateKey OCTET STRING,
+ * parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+ * publicKey [1] BIT STRING OPTIONAL
+ * }
+ *
+ * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
+ * paramaters MUST be included and publicKey SHOULD be.
+ */
+static bool is_ec_private_key(chunk_t blob)
+{
+ chunk_t data;
+ return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+ asn1_unwrap(&blob, &data) == ASN1_INTEGER &&
+ asn1_parse_integer_uint64(data) == 1 &&
+ asn1_unwrap(&blob, &data) == ASN1_OCTET_STRING &&
+ asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_0 &&
+ asn1_unwrap(&blob, &data) == ASN1_CONTEXT_C_1;
+}
+
+/**
+ * Check if the ASN.1 structure looks like a BLISS private key.
+ */
+static bool is_bliss_private_key(chunk_t blob)
+{
+ chunk_t data;
+ return asn1_unwrap(&blob, &blob) == ASN1_SEQUENCE &&
+ asn1_unwrap(&blob, &data) == ASN1_OID &&
+ asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+ asn1_unwrap(&blob, &data) == ASN1_BIT_STRING &&
+ asn1_unwrap(&blob, &data) == ASN1_BIT_STRING;
+}
+
+/**
+ * Load a private key from an ASN.1 encoded blob trying to detect the type
+ * automatically.
+ */
+static private_key_t *parse_private_key(chunk_t blob)
+{
+ if (is_ec_private_key(blob))
+ {
+ return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ }
+ else if (is_bliss_private_key(blob))
+ {
+ return lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA,
+ BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+ }
+ return parse_rsa_private_key(blob);
+}
+
+/**
* See header.
*/
public_key_t *pkcs1_public_key_load(key_type_t type, va_list args)
@@ -301,6 +357,14 @@ private_key_t *pkcs1_private_key_load(key_type_t type, va_list args)
}
break;
}
- return parse_rsa_private_key(blob);
+ switch (type)
+ {
+ case KEY_ANY:
+ return parse_private_key(blob);
+ case KEY_RSA:
+ return parse_rsa_private_key(blob);
+ default:
+ return NULL;
+ }
}
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index eb0903d47..ec1bdf565 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@@ -43,6 +43,10 @@ METHOD(plugin_t, get_features, int,
{
static plugin_feature_t f[] = {
PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
+ PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+ PLUGIN_SDEPEND(PRIVKEY, KEY_RSA),
+ PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
+ PLUGIN_REGISTER(PRIVKEY, pkcs1_private_key_load, FALSE),
PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fdc43d705..b15f90199 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -117,6 +117,11 @@ static int issue()
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (!streq(arg, "pub"))
{
error = "invalid input type";
@@ -580,7 +585,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
issue, 'i', "issue",
"issue a certificate using a CA certificate and key",
- {"[--in file] [--type pub|pkcs10|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+ {"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
" --cacert file [--dn subject-dn] [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index 3bc62e74d..f79120b31 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -26,7 +26,7 @@
static int keyid()
{
credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
certificate_t *cert;
private_key_t *private;
public_key_t *public;
@@ -42,21 +42,29 @@ static int keyid()
case 'h':
return command_usage(NULL);
case 't':
- if (streq(arg, "rsa-priv"))
+ if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_RSA;
}
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -169,11 +177,11 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ keyid, 'k', "keyid",
"calculate key identifiers of a key/certificate",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|pkcs10|x509]"},
+ {"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
- {"type", 't', 1, "type of key, default: rsa-priv"},
+ {"type", 't', 1, "type of key, default: priv"},
}
});
}
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index c367a21a9..8cb0a7b5d 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -89,17 +89,25 @@ static int print()
type = CRED_CERTIFICATE;
subtype = CERT_TRUSTED_PUBKEY;
}
- else if (streq(arg, "rsa-priv"))
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
+ else if (streq(arg, "rsa") ||
+ streq(arg, "rsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_RSA;
}
- else if (streq(arg, "ecdsa-priv"))
+ else if (streq(arg, "ecdsa") ||
+ streq(arg, "ecdsa-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_ECDSA;
}
- else if (streq(arg, "bliss-priv"))
+ else if (streq(arg, "bliss") ||
+ streq(arg, "bliss-priv"))
{
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
@@ -173,7 +181,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t)
{ print, 'a', "print",
"print a credential in a human readable form",
- {"[--in file] [--type rsa-priv|ecdsa-priv|bliss-priv|pub|x509|crl|ac]"},
+ {"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index ccc3c4251..1d876f6f7 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -28,7 +28,7 @@ static int pub()
{
cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER;
credential_type_t type = CRED_PRIVATE_KEY;
- int subtype = KEY_RSA;
+ int subtype = KEY_ANY;
certificate_t *cert;
private_key_t *private;
public_key_t *public;
@@ -59,6 +59,11 @@ static int pub()
type = CRED_PRIVATE_KEY;
subtype = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = CRED_PRIVATE_KEY;
+ subtype = KEY_ANY;
+ }
else if (streq(arg, "pub"))
{
type = CRED_PUBLIC_KEY;
@@ -189,13 +194,13 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
pub, 'p', "pub",
"extract the public key from a private key/certificate",
- {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|pub|pkcs10|x509]",
+ {"[--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv|pub|pkcs10|x509]",
"[--outform der|pem|dnskey|sshkey]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "input file, default: stdin"},
{"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of credential, default: rsa"},
+ {"type", 't', 1, "type of credential, default: priv"},
{"outform", 'f', 1, "encoding of extracted public key, default: der"},
}
});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 68d611250..23d07a28d 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -30,7 +30,7 @@
static int req()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- key_type_t type = KEY_RSA;
+ key_type_t type = KEY_ANY;
hash_algorithm_t digest = HASH_UNKNOWN;
certificate_t *cert = NULL;
private_key_t *private = NULL;
@@ -62,6 +62,10 @@ static int req()
{
type = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
else
{
error = "invalid input type";
@@ -194,14 +198,14 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
req, 'r', "req",
"create a PKCS#10 certificate request",
- {" [--in file] [--type rsa|ecdsa|bliss] --dn distinguished-name",
+ {" [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
"[--san subjectAltName]+ [--password challengePassword]",
"[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
"[--outform der|pem]"},
{
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
{"dn", 'd', 1, "subject distinguished name"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index f4e83c76c..6fb7b75ae 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -94,6 +94,10 @@ static int self()
{
type = KEY_BLISS;
}
+ else if (streq(arg, "priv"))
+ {
+ type = KEY_ANY;
+ }
else
{
error = "invalid input type";
@@ -417,7 +421,7 @@ static void __attribute__ ((constructor))reg()
command_register((command_t) {
self, 's', "self",
"create a self signed certificate",
- {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss]",
+ {" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
" --dn distinguished-name [--san subjectAltName]+",
"[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
"[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -431,7 +435,7 @@ static void __attribute__ ((constructor))reg()
{"help", 'h', 0, "show usage information"},
{"in", 'i', 1, "private key input file, default: stdin"},
{"keyid", 'x', 1, "keyid on smartcard of private key"},
- {"type", 't', 1, "type of input key, default: rsa"},
+ {"type", 't', 1, "type of input key, default: priv"},
{"dn", 'd', 1, "subject and issuer distinguished name"},
{"san", 'a', 1, "subjectAltName to include in certificate"},
{"lifetime", 'l', 1, "days the certificate is valid, default: 1095"},
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index 20238b73d..bfc7bb1a5 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -67,9 +67,10 @@ Public key or PKCS#10 certificate request file to issue. If not given the
key/request is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of the input. One of \fIpub\fR (public key), \fIrsa\fR (RSA private key),
-\fIecdsa\fR (ECDSA private key), or \fIpkcs10\fR (PKCS#10 certificate request),
-defaults to \fIpub\fR.
+Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
+private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
+\fIpub\fR.
.TP
.BI "\-k, \-\-cakey " file
CA private key file. Either this or
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
index 490f7afea..c69f7cbc7 100644
--- a/src/pki/man/pki---keyid.1.in
+++ b/src/pki/man/pki---keyid.1.in
@@ -44,9 +44,10 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate
-request), \fIx509\fR (X.509 certificate), defaults to \fIrsa-priv\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
+\fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 certificate request),
+\fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
.
.SH "EXAMPLES"
.
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 434d4ea16..09f81cdaa 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -44,10 +44,11 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
-private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
-defaults to \fIx509\fR.
+Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
+Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
+\fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
+key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
+\fIx509\fR.
.
.SH "SEE ALSO"
.
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
index c57e03a40..fe6c520f4 100644
--- a/src/pki/man/pki---pub.1.in
+++ b/src/pki/man/pki---pub.1.in
@@ -47,10 +47,9 @@ Read command line options from \fIfile\fR.
Input file. If not given the input is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of input. One of \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA
-private key), \fIpub\fR (public key),
-\fIpkcs10\fR (PKCS#10 certificate request), or \fIx509\fR (X.509 certificate),
-defaults to \fIrsa\fR.
+Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
+\fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
+certificate request), or \fIx509\fR (X.509 certificate), defaults to \fIpriv\fR.
.TP
.BI "\-f, \-\-outform " encoding
Encoding of the extracted public key. One of \fIder\fR (ASN.1 DER), \fIpem\fR
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index a6f6a480a..4a39c5c94 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -49,7 +49,8 @@ Read command line options from \fIfile\fR.
Private key input file. If not given the key is read from \fISTDIN\fR.
.TP
.BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject distinguished name (DN). Required.
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 53f53f816..9461e3eff 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -68,7 +68,8 @@ Private key input file. If not given the key is read from \fISTDIN\fR.
Key ID of a private key on a smartcard.
.TP
.BI "\-t, \-\-type " type
-Type of the input key. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
+defaults to \fIpriv\fR.
.TP
.BI "\-d, \-\-dn " distinguished-name
Subject and issuer distinguished name (DN). Required.
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 409387849..9ca759ea3 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -70,6 +70,7 @@ install-data-local: swanctl.conf
test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true
test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true
test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true
+ test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true
test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true
test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true
test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 4647934f7..6278f66b4 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -2,6 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
req = vici_begin("load-key");
- if (streq(type, "pkcs8"))
+ if (streq(type, "private") ||
+ streq(type, "pkcs8"))
{ /* as used by vici */
vici_add_key_valuef(req, "type", "any");
}
@@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype,
credential_type_t credtype;
int subtype;
} map[] = {
+ { "private", CRED_PRIVATE_KEY, KEY_ANY, },
{ "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, },
{ "rsa", CRED_PRIVATE_KEY, KEY_RSA, },
{ "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, },
@@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
"eap",
"xauth",
"ike",
+ "private",
"rsa",
"ecdsa",
"bliss",
@@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR);
load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR);
- load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
- load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
- load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
- load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
+ load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
+ load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR);
+ load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR);
+ load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR);
+ load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR);
load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h
index 560e89513..eac1fc6d0 100644
--- a/src/swanctl/swanctl.h
+++ b/src/swanctl/swanctl.h
@@ -2,6 +2,7 @@
* Copyright (C) 2014 Martin Willi
* Copyright (C) 2014 revosec AG
*
+ * Copyright (C) 2016 Tobias Brunner
* Copyright (C) 2015 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
@@ -65,6 +66,11 @@
#define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey"
/**
+ * Directory for private keys
+ */
+#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private"
+
+/**
* Directory for RSA private keys
*/
#define SWANCTL_RSADIR SWANCTLDIR "/rsa"
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index c4d9f86d6..a7d6d9fc3 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -835,6 +835,15 @@ secrets.ike<suffix>.id<suffix> =
may be specified, each having an _id_ prefix, if a secret is shared between
multiple peers.
+secrets.private<suffix> { # }
+ Private key decryption passphrase for a key in the _private_ folder.
+
+secrets.private<suffix>.file =
+ File name in the _private_ folder for which this passphrase should be used.
+
+secrets.private<suffix>.secret
+ Value of decryption passphrase for private key.
+
secrets.rsa<suffix> { # }
Private key decryption passphrase for a key in the _rsa_ folder.