Re: [strongSwan] ECDSA certificates / keys?

2019-03-14 Thread Kostya Vasilyev
Thank you Tobias,

On Thu, Mar 14, 2019, at 3:41 PM, Tobias Brunner wrote:
> Hi Kostya,
> 
> > Does IPSec in general and strongSwan in particular support certificate 
> > authentication with ECDSA keys?
> 
> Sure.
> 
> > -----BEGIN EC PARAMETERS-----
> > Bgg.==
> > -----END EC PARAMETERS-----
> > -----BEGIN EC PRIVATE KEY-----
> > MHcCA...yDpwQ==
> > -----END EC PRIVATE KEY-----
> 
> Remove the parameters, the pem plugin only parses the first BEGIN/END
> section in a PEM file.

Yes this worked.

What also worked is to convert the key from PEM to DER format:

openssl pkcs8 -topk8 -inform PEM -outform DER \
-in ec_server.pem \
-out ec_server.der -nocrypt

I mention this in case anyone else runs into this issue.

-- K


Re: [strongSwan] ECDSA certificates / keys?

2019-03-14 Thread Tobias Brunner
Hi Kostya,

> Does IPSec in general and strongSwan in particular support certificate 
> authentication with ECDSA keys?

Sure.

> -----BEGIN EC PARAMETERS-----
> Bgg.==
> -----END EC PARAMETERS-----
> -----BEGIN EC PRIVATE KEY-----
> MHcCA...yDpwQ==
> -----END EC PRIVATE KEY-----

Remove the parameters, the pem plugin only parses the first BEGIN/END
section in a PEM file.

> Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?

You also need the openssl plugin if you don't have that loaded already.

Regards,
Tobias
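
As an added illustration (not from the thread or from the strongSwan project) of why the key file in the question is skipped: a PEM reader that only looks at the first BEGIN/END block sees the EC PARAMETERS section and never reaches the key. The script below splits a PEM file into its blocks and rewrites it with only the private-key block, which is what the "remove the parameters" advice amounts to; the sample PEM body uses constructed placeholders, not a real key.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample: the shape of a key file written by
# "openssl ecparam -genkey", with the base64 bodies replaced by placeholders.
SAMPLE_PEM = """-----BEGIN EC PARAMETERS-----
PLACEHOLDER_PARAMS
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDER_KEY_LINE_1
PLACEHOLDER_KEY_LINE_2
-----END EC PRIVATE KEY-----
"""

# One BEGIN/END block; the backreference forces matching labels.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.S)

# Labels that carry key material (PKCS#8 "PRIVATE KEY" included).
KEY_LABELS = {"EC PRIVATE KEY", "PRIVATE KEY", "RSA PRIVATE KEY"}


def pem_sections(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for every BEGIN/END block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK_RE.finditer(text)]


def first_section_label(text: str) -> str:
    """Label of the block a first-section-only parser would act on."""
    sections = pem_sections(text)
    return sections[0][0] if sections else ""


def strip_to_private_key(text: str) -> str:
    """Rewrite the PEM so the private key is the only (hence first) block."""
    for label, body in pem_sections(text):
        if label in KEY_LABELS:
            return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
    raise ValueError("no private key block found in PEM input")


if __name__ == "__main__":
    # Usage: python strip_ec_params.py key_with_params.pem > key_only.pem
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(f"first block before: {first_section_label(src)}", file=sys.stderr)
    sys.stdout.write(strip_to_private_key(src))
```

The `openssl pkcs8 -topk8` conversion mentioned later in the thread reaches the same end by a different route: PKCS#8 output is a single block (a lone `PRIVATE KEY` section in PEM form), so there are no parameters for a first-block parser to trip over.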


[strongSwan] ECDSA certificates / keys?

2019-03-14 Thread Kostya Vasilyev
Hello,

Does IPSec in general and strongSwan in particular support certificate 
authentication with ECDSA keys?

I generated new CA / server / client certs using keys like this instead of 
"genrsa":

openssl ecparam -genkey -name prime256v1 -out key.pem

The rest of certificate generation is the same.

Now the client (also strongSwan) complains that

no private key found for '< its own certificate CN here >'

I did put the certificate's private key under /etc/swanctl/private/

The key looks like this:

-----BEGIN EC PARAMETERS-----
Bgg.==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCA...yDpwQ==
-----END EC PRIVATE KEY-----

But I see in strongSwan logs that this key doesn't get auto-loaded (as the rsa 
key from same directory does).

Mar 14 14:12:09  swanctl[11380]: loaded private key from 
'/etc/swanctl/private/my_rsa_key.pem'
--> no similar line for the ecdsa key

I tried putting the ECDSA key under /etc/swanctl/ecdsa/ - no change.

Also tried explicitly loading the ECDSA key from my swanctl config file like 
this - also no change:

secrets {
    private_ecdsa_tunnel {
        private_pki {
            file = ecdsa_tunnel_server.pem
        }
    }
}

Is there a "secret" or "trick" to getting ECDSA certificates / keys to work?

Thanks,
-- 
Kostya Vasilyev
k...@fastmail.com