From: Tobias Brunner Date: Fri, 30 Sep 2016 13:16:42 +0000 (+0200) Subject: swanctl: Add 'private' directory/section to load any type of private key X-Git-Tag: 5.5.1rc1~11^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7caba2eb5524be6b51943bcc3d2cb0e4c5ecc09a;p=thirdparty%2Fstrongswan.git swanctl: Add 'private' directory/section to load any type of private key --- diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am index 409387849a..9ca759ea3f 100644 --- a/src/swanctl/Makefile.am +++ b/src/swanctl/Makefile.am @@ -70,6 +70,7 @@ install-data-local: swanctl.conf test -e "$(DESTDIR)$(swanctldir)/x509crl" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509crl" || true test -e "$(DESTDIR)$(swanctldir)/x509ac" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/x509ac" || true test -e "$(DESTDIR)$(swanctldir)/pubkey" || $(INSTALL) -d "$(DESTDIR)$(swanctldir)/pubkey" || true + test -e "$(DESTDIR)$(swanctldir)/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/private" || true test -e "$(DESTDIR)$(swanctldir)/rsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/rsa" || true test -e "$(DESTDIR)$(swanctldir)/ecdsa" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/ecdsa" || true test -e "$(DESTDIR)$(swanctldir)/bliss" || $(INSTALL) -d -m 750 "$(DESTDIR)$(swanctldir)/bliss" || true diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c index 4647934f78..6278f66b4c 100644 --- a/src/swanctl/commands/load_creds.c +++ b/src/swanctl/commands/load_creds.c @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -128,7 +129,8 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format, req = vici_begin("load-key"); - if (streq(type, "pkcs8")) + if (streq(type, "private") || + streq(type, "pkcs8")) { /* as used by vici */ vici_add_key_valuef(req, "type", "any"); } @@ -251,6 +253,7 @@ static bool determine_credtype(char *type, credential_type_t *credtype, credential_type_t credtype; int subtype; } map[] = { + { "private", CRED_PRIVATE_KEY, KEY_ANY, }, { "pkcs8", CRED_PRIVATE_KEY, KEY_ANY, }, { "rsa", CRED_PRIVATE_KEY, KEY_RSA, }, { "ecdsa", CRED_PRIVATE_KEY, KEY_ECDSA, }, @@ -565,6 +568,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg, "eap", "xauth", "ike", + "private", "rsa", "ecdsa", "bliss", @@ -700,10 +704,11 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format, load_certs(conn, format, "x509crl", SWANCTL_X509CRLDIR); load_certs(conn, format, "pubkey", SWANCTL_PUBKEYDIR); - load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); - load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); - load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); - load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); + load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR); + load_keys(conn, format, noprompt, cfg, "rsa", SWANCTL_RSADIR); + load_keys(conn, format, noprompt, cfg, "ecdsa", SWANCTL_ECDSADIR); + load_keys(conn, format, noprompt, cfg, "bliss", SWANCTL_BLISSDIR); + load_keys(conn, format, noprompt, cfg, "pkcs8", SWANCTL_PKCS8DIR); load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR); diff --git a/src/swanctl/swanctl.h b/src/swanctl/swanctl.h index 560e895132..eac1fc6d03 100644 --- a/src/swanctl/swanctl.h +++ b/src/swanctl/swanctl.h @@ -2,6 +2,7 @@ * Copyright (C) 2014 Martin Willi * Copyright (C) 2014 revosec AG * + * Copyright (C) 2016 Tobias Brunner * Copyright (C) 2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * @@ -64,6 +65,11 @@ */ #define SWANCTL_PUBKEYDIR SWANCTLDIR "/pubkey" +/** + * Directory for private keys + */ +#define SWANCTL_PRIVATEDIR SWANCTLDIR "/private" + /** * Directory for RSA private keys */ diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt index c4d9f86d68..a7d6d9fc3c 100644 --- a/src/swanctl/swanctl.opt +++ b/src/swanctl/swanctl.opt @@ -835,6 +835,15 @@ secrets.ike.id = may be specified, each having an _id_ prefix, if a secret is shared between multiple peers. +secrets.private { # } + Private key decryption passphrase for a key in the _private_ folder. + +secrets.private.file = + File name in the _private_ folder for which this passphrase should be used. + +secrets.private.secret + Value of decryption passphrase for private key. + secrets.rsa { # } Private key decryption passphrase for a key in the _rsa_ folder.