Closed sspreitzer closed 2 years ago
On Sat, 27 May 2017, Sascha Spreitzer wrote:
I am migrating from strongswan to libreswan. In strongswan i used to have RSA public keys from my peers and a RSA private key for myself. I fail on importing these RSA keys into the nss db or converting them into a usable libreswan configuration.
Can you please give some guidance on how to import raw RSA public/private keys?
https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan#Importing_third-party_files_into_NSS
Paul
$ openssl pkcs12 -export -inkey strongswan/ipsec.d/private/mykey.pem -out key.p12 -name mykey
unable to load certificates
This does not work, certificates are mandatory. There is a way to generate keys, but no way to import keys.
A PKCS#12 file consists of key + cert + CA cert. once you bundle all three into that, you can use "ipsec import"
Paul
Ohh, this is about raw keys, sorry I missed that. As far as I know, it is not possible to import/export raw keys easily from the nss db. Only PKCS#12 bundles can be imported/exported. Perhaps a tool could be written using libnss etc to make this happen?
Curl, built using NSS, seems to have similar issues. The module nss-pem seems to be part of the solution (it was part of a larger effort to only ship NSS in RHEL I suspect). However, it also seems that Red Hat gave up on curl with NSS and went back to libssl.
And here's the thread where Red Hat's plugin was rejected https://bugzilla.mozilla.org/show_bug.cgi?id=402712
nss-pem doesn't support loading just the private key (bug)
The workaround is to use the raw PEM key to generate a self-signed cert and then feed that, as a PKCS#12 bundle, into NSS. Something like (presumably after a year the key is long gone):
key=east
# the raw PEM private key is expected at OUTPUT/${key}.key
# create a CSR and using that ...
openssl req -new -subj "/CN=${key}" -key OUTPUT/${key}.key -out OUTPUT/${key}.csr < /dev/null
openssl req -text -in OUTPUT/${key}.csr -noout | grep ${key}
# ... create a self signed cert
openssl x509 -req -days 365 -in OUTPUT/${key}.csr -signkey OUTPUT/${key}.key -out OUTPUT/${key}.crt
# turn that into a PKCS#12 (key + cert bundle)
openssl pkcs12 -export -password pass:foobar -in OUTPUT/${key}.crt -inkey OUTPUT/${key}.key -name ${key} -out OUTPUT/${key}.p12
# import it into the libreswan NSS database
pk12util -d /etc/ipsec.d/ -i OUTPUT/${key}.p12 -W foobar
The test ikev2-03-basic-rawrsa-nss-pem does this to both ends and then interops.
It doesn't solve exporting raw keys; different problem.
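The workaround above as a reusable script, added here as an example and not taken from the thread or from libreswan: it refuses anything that is not a private key, builds the throwaway self-signed cert and PKCS#12, and checks that the cert carries the same public key as the raw key before anything is imported. The function names (build_p12, import_p12, pubkey_fp, check_key) and the generated demo key are my own.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): wrap a raw PEM RSA
# private key in a self-signed cert + PKCS#12 so NSS/libreswan can import it.
# Function names build_p12/import_p12/pubkey_fp/check_key are my own.
set -eu

# A raw public key or a garbled file must be refused up front.
check_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo of a key ($1=key) or cert ($1=cert).
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
        cert) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# build_p12 NAME KEYFILE OUTDIR PASSWORD  ->  OUTDIR/NAME.p12
# Without a certificate "openssl pkcs12 -export" stops with
# "unable to load certificates", so a throwaway self-signed cert is made first.
build_p12() {
    name=$1 key=$2 out=$3 pw=$4
    check_key "$key" || { echo "not a private key: $key" >&2; return 1; }
    mkdir -p "$out"
    openssl req -new -subj "/CN=$name" -key "$key" -out "$out/$name.csr" </dev/null 2>/dev/null &&
    openssl x509 -req -days 365 -in "$out/$name.csr" -signkey "$key" \
        -out "$out/$name.crt" 2>/dev/null &&
    openssl pkcs12 -export -password "pass:$pw" -in "$out/$name.crt" \
        -inkey "$key" -name "$name" -out "$out/$name.p12" || return 1
    # The cert must carry exactly the public key the peers already trust.
    [ "$(pubkey_fp key "$key")" = "$(pubkey_fp cert "$out/$name.crt")" ]
}

# import_p12 P12FILE PASSWORD [NSSDIR]: load the bundle into the NSS db
# (libreswan's default is /etc/ipsec.d; pk12util comes from nss-tools).
import_p12() {
    command -v pk12util >/dev/null || { echo "pk12util not installed" >&2; return 1; }
    pk12util -d "${3:-/etc/ipsec.d}" -i "$1" -W "$2"
}

# Stand-alone demo on a freshly generated key (constructed, not a real host key).
demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/east.key" 2>/dev/null
    build_p12 east "$dir/east.key" "$dir" foobar && echo "wrote $dir/east.p12"
}
demo
```

The demo only writes into a temporary directory; call import_p12 yourself (with a third argument for a non-default NSS directory) once the fingerprint check has passed.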
Hi there
I am migrating from strongswan to libreswan. In strongswan i used to have RSA public keys from my peers and a RSA private key for myself. I fail on importing these RSA keys into the nss db or converting them into a usable libreswan configuration.
Can you please give some guidance on how to import raw RSA public/private keys?
Thanks a lot Sascha