HOWTO: Using NSS with libreswan: Difference between revisions
Tuomo Soini (talk | contribs) No edit summary |
Paul Wouters (talk | contribs) No edit summary |
||
(2 intermediate revisions by one other user not shown) | |||
Line 12: | Line 12: | ||
While PreShared Key (PSK) calculations are done using NSS, the actual preshared key ("secret") is still stored in /etc/ipsec.secrets. | While PreShared Key (PSK) calculations are done using NSS, the actual preshared key ("secret") is still stored in /etc/ipsec.secrets. | ||
NSS | Libreswan no longer needs its own FIPS certification, as all code "within the crypto boundary" has been added to the NSS library. So if the NSS librart is FIPS certified, and the Linux kernel is fips certified, then using libreswan for IKE and IPsec is FIPS certified too. Note that from time to time, the exact requirements change (for example with respect to ICV handling in AES_GCM) and it might be that patches or tweaks are neccessary. This partially depends on the certification lab involved with the testing as well. | ||
{{ ambox | nocat=true | type=speedy | text = If you are migrating from openswan with NSS or libreswan 3.13 or older to libreswan 3.14 or higher, then you will be converted to the new NSS SQL database format. See '''[[3.14_X509]]''' }} | |||
{{ ambox | nocat=true | type=speedy | text = If you are migrating from openswan with NSS or libreswan 3.13 or older to libreswan 3.14, then you will be converted to the new NSS SQL database format. See '''[[3.14_X509]]''' }} | |||
Line 200: | Line 199: | ||
=== Importing CRLs === | === Importing CRLs === | ||
For | For PEM files use: | ||
<pre> | <pre> | ||
crlutil -I -i /path/yourcrl.der -d sql:/var/lib/ipsec/nss -a -B | crlutil -I -i /path/yourcrl.der -d sql:/var/lib/ipsec/nss -a -B | ||
Line 210: | Line 209: | ||
{{ ambox | type = alert | text = CRLs signed by a root CA are only processed if the root CA is marked as Trusted in NSS - See previous section }} | {{ ambox | type = alert | text = CRLs signed by a root CA are only processed if the root CA is marked as Trusted in NSS - See previous section }} | ||
=== Importing Raw Private Keys === | |||
NSS does not allow the direct import of a PEM containing a private key. However, it does allow the import of that same key when paired with a self-signed certificate and bundled into a PKCS#12 file. | |||
Starting with the raw key: | |||
$ head -1 OUTPUT/*.key # see nothing hidden | |||
==> OUTPUT/east.key <== | |||
-----BEGIN PRIVATE KEY----- | |||
Generate a certificate request (this uses 365 days, could be unlimited), self-sign it and then bundle it into a PKCS#12 file: | |||
$ openssl req -new -subj "/CN=east" \ | |||
-key OUTPUT/east.key \ | |||
-out OUTPUT/east.csr | |||
$ openssl req -text -in OUTPUT/east.csr -noout | grep east | |||
Subject: CN = east | |||
$ openssl x509 -req -days 365 \ | |||
-in OUTPUT/east.csr \ | |||
-signkey OUTPUT/east.key \ | |||
-out OUTPUT/east.crt | |||
$ openssl pkcs12 -export -password pass:foobar \ | |||
-in OUTPUT/east.crt \ | |||
-inkey OUTPUT/east.key \ | |||
-name east \ | |||
-out OUTPUT/east.p12 | |||
And then import it: | |||
$ pk12util -d /etc/ipsec.d/ -i OUTPUT/east.p12 -W foobar | |||
$ certutil -K -d /etc/ipsec.d/ | |||
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" | |||
< 0> rsa 42ce27ac8668ab0e1f20894f1f73f95de4aa6c72 east | |||
Once the key has been imported. It can be identified using something like either of: | |||
rightid=@east | |||
rightckaid=42ce27ac8668ab0e1f20894f1f73f95de4aa6c72 | |||
See the test ikev2-03-rawrsa-pem. | |||
== Exporting a CA(?) certificate to load on another libreswan machine == | == Exporting a CA(?) certificate to load on another libreswan machine == |
Latest revision as of 01:48, 10 June 2024
The libreswan IKE daemon uses the Mozilla Network Security Services ("NSS") crypto library for all cryptographic functions during the IKE negotiation.
Introduction
NSS is a userspace library utilized by the libreswan IKE daemon 'pluto' for cryptographic operations. NSS does not handle the IPsec crypto operations inside of the kernel; these are handled seperately by NETKEY or the KLIPS kernel module.
The NSS library exports a PKCS#11 API for the application to communicate to a cryptographic device. The cryptographic device is usually the "soft token" but can also be a Hardware Security Module (HSM).
The advantage of using NSS is that pluto does not need to know in detail how the cryptographic device works. Pluto does not access any private keys or data itself. Instead, it uses the PK11 wrapper API of NSS irrespective of the cryptographic device used. Pluto hands over work using the PK11 interface to NSS and never has direct access to the private key material itself. Both IKEv1 and IKEv2 operations are performed using NSS. Private RSA keys (raw RSA as well as X.509 based private RSA keys) are stored inside NSS and those are not referenced in /etc/ipsec.secrets. X.509 keys and certificates are referenced using their "nickname" instead of their filename in /etc/ipsec.conf.
While PreShared Key (PSK) calculations are done using NSS, the actual preshared key ("secret") is still stored in /etc/ipsec.secrets.
Libreswan no longer needs its own FIPS certification, as all code "within the crypto boundary" has been added to the NSS library. So if the NSS librart is FIPS certified, and the Linux kernel is fips certified, then using libreswan for IKE and IPsec is FIPS certified too. Note that from time to time, the exact requirements change (for example with respect to ICV handling in AES_GCM) and it might be that patches or tweaks are neccessary. This partially depends on the certification lab involved with the testing as well.
If you are migrating from openswan with NSS or libreswan 3.13 or older to libreswan 3.14 or higher, then you will be converted to the new NSS SQL database format. See 3.14_X509 |
NSS command line tools
- certutil: Look and modify the NSS db. "ipsec initnss" and "ipsec look" use certutil under the hood.
- pk12util: import and export certificates and keys from and to the NSS db. The "ipsec import" command is a simple wrapper around this utility.
- modutil: Put NSS into FIPS mode
- crlutil: import CRLs into the NSS db.
Creating the NSS db for use with libreswan
If you are not using a packaged libreswan version, you might need to create a new NSS db before you can start libreswan. This can be done using:
ipsec initnss
By default the NSS db is created in /var/lib/ipsec/nss/
When creating a database, you are prompted for a password. The default libreswan package install for RHEL/Fedora/CentOS uses an empty password. It is up to the administrator to decide on whether to use a password or not. However, a non-empty database password must be provided when running in FIPS mode.
To change the empty password, run:
certutil -W -d sql:/var/lib/ipsec/nss
Enter return for the "old password", then enter your new password twice.
If you create the database with a password, and want to run NSS in FIPS mode, you must create a password file with the name "nsspassword" in the /etc/ipsec.d direcotry before starting libreswan. The "nsspassword" file must contain the password you provided when creating NSS database.
If the NSS db is protected with a non-empty password, the "nsspassword" file must exist for pluto to start. The syntax of the "nsspassword" file is:
token_1_name:the_password token_2_name:the_password
The name of NSS softtoken (the default software NSS db) when NOT running in FIPS mode is "NSS Certificate DB". If you wish to use software NSS db with password "secret", you would have the following entry in the nsspassword file:
NSS Certificate DB:secret
If running NSS in FIPS mode, the name of NSS softtoken is "NSS FIPS 140-2 Certificate DB". If there are smartcards in the system, the entries for passwords should be entered in this file as well.
Do not enter any spaces before or after the token name or password |
Using raw RSA keys with NSS
The "ipsec newhostkey" and "ipsec rsasigkey" utilities are used for creating raw RSA keys. If a non-default NSS directory is used, this can be specified using the -d option.
ipsec newhostkey --nssdir /var/lib/ipsec/nss [--password password] \ --output /etc/ipsec.secrets
As of libreswan 3.21 you no longer need to use the --output command, as ipsec.secrets entries are no longer required |
The password is only required if the NSS database is protected with a non-empty password. All "private" compontents of the raw RSA key in /etc/ipsec.secrets such as the exponents and primes are filled in with the CKA ID, which serves as an identifier for NSS to look up the proper information in the NSS db during the IKE negotiation.
Public key information is directly available in /etc/ipsec.secrets and the "ipsec showhostkey" command can be used to generate left/rightrsasigkey= entries for /etc/ipsec.conf.
# ipsec showhostkey --list < 1> RSA keyid: AwEAAbScF ckaid: 2ad438fc7f3b65706f0381520f9f106a9eba7a96 # ipsec showhostkey --left --ckaid 2ad438fc7f3b65706f0381520f9f106a9eba7a96 # rsakey AwEAAbScF leftrsasigkey=0sAwEAAbScFcIsVh6ee/nd7n4VEBRWnpuxefzzDFktmikoUcO76/gql0f67ySeugs8B/N7u/Jcn7NoOJmDZrcD4p5t2Qddzw5yl1sd2na6vN/eQvCFPrjHz6qX67qx+jExe8Jd6UxvwQC3bzGkJr8vt3sWpsUyfNsNdoxO7tE5uzumHv2Cm9Cwts80k4+I+qF1bKALY5jn/xAR1UGhZDxymfYfNJm0+dSmzMp8J9yw9fN5tt6eUKB/cuRHn7wfKEAd2E9PYcLeXaDnMJHyslIIxK5GXRK0nNGxMqPdJIzp4t1jBOJhd6HMEiaW9K08hVdwiz9pMTIM+DDhPvtMueR2WZ7KUSM=
The leftrsasigkey= can now be used in a connection configuration in ipsec.conf.
Using certificates with NSS
Any X.509 certificate management system can be used to generate Certificate Agencies, certificates, pkcs12 files and CRLs. Common tools people use are the openssl command, the GTK utility tinyca2, or the NSS certutil command.
An example using openssl can be found as part of the libreswan test suite at
Below, we will be using the nss tools to generate certificates
To create a certificate authority (CA certficate)
certutil -S -k rsa -n "ExampleCA" -s "CN=Example CA Inc" -v 12 \ -t "CT,C,C" -x -d sql:/var/lib/ipsec/nss
It creates a certificate with RSA keys (-k rsa) with the nick name "ExampleCA", and with common name "Example CA Inc". The option "-v" specifies the certificates validity period. "-t" specifies the attributes of the certificate. "C" is required for creating a CA certificate. "-x" means self signed. "-d" specifies the path of the database directory.
It is not a requirement to create the CA in NSS database. The CA certificate can be obtained from third parties
To create a user certificate signed by the above CA
certutil -S -k rsa -c "ExampleCA" -n "user1" -s "CN=User Common Name" \ -v 12 -t "u,u,u" -d sql:/var/lib/ipsec/nss
This creates a user cert with nick name "user1" with attributes "u,u,u" signed by the CA cert "ExampleCA".
You must provide a nick name when creating a user certificate, because pluto reads the user certificate from the NSS database based on the user certificate's nickname |
Configuring certificates in ipsec.conf and ipsec.secrets
In ipsec.conf, the leftcert= option takes a certificate nickname as argument. For example if the nickname of the user cert is "hugh", then it can be "leftcert=hugh".
If you are migrating from openswan without NSS, you were used to specify the filename for the certificate in the leftcert= option. Filenames are not valid in libreswan - only the nickname can be used.
leftcert=nickname
On Libreswan version 3.15 and older it is required to add entry in ipsec.secrets. We need to list the certificate nickname to inform pluto there is a certificate within the NSS db. This is specified using:
: RSA nickname
In openswan and freeswan without NSS it was required to specify a file name or password. With libreswan, this is not required. Private keys were stored in /etc/ipsec.d/private/ This directory is also not used with libreswan.
The directories /etc/ipsec.d/cacerts/ and /etc/ipsec.d/crls/ are not used with libreswan.
The freeswan and openswan directories /etc/ipsec.d/aacerts/ and /etc/ipsec.d/acerts/ are not used with libreswan.
If you use an external CA certificate, you must import it into the NSS db.
Importing third-party files into NSS
Importing user credentials (.crt, .key and .p12 files)
If you do not have the third-party certificate in the PKCS#12 format, use openssl to create a PKCS#12 file:
openssl pkcs12 -export -in cert.pem -inkey key.pem \ -certfile cacert.pem -out YourName.p12 [-name YourName]
Now you can import the file into the NSS db:
ipsec import YourName.p12
NOTE: the ipsec import command uses "pk12util -i YourName.p12 -d sql:/var/lib/ipsec/nss"
If you did not pick a name using the -name option, you can use certutil -L -d sql:/var/lib/ipsec/nss to figure out the name NSS picked durnig the import.
To specify the certificate in ipsec.conf, use a line like:
leftcert=YourName
If you use libreswan 3.15 or older then add following to /etc/ipsec.secrets file to load private key. This is not necessary on later versions:
: RSA "YourName"
Importing CAcerts
The CAname is a friendly_name to refer to the CA certificate inside NSS. If your NSS db is procted by a password, specify it as the last item on the command line. For DER formatted certificates use:
certutil -A -i /path/YourCA.der -d sql:/var/lib/ipsec/nss -n "CAname" -t 'CT,,'
For PEM formatted CA certificates use:
certutil -A -a -i /path/YourCA.pem -d sql:/var/lib/ipsec/nss -n "CAname" -t 'CT,,'
Importing CRLs
For PEM files use:
crlutil -I -i /path/yourcrl.der -d sql:/var/lib/ipsec/nss -a -B
For dir files use:
crlutil -I -i /path/yourcrl.der -d sql:/var/lib/ipsec/nss -B
CRLs signed by a root CA are only processed if the root CA is marked as Trusted in NSS - See previous section |
Importing Raw Private Keys
NSS does not allow the direct import of a PEM containing a private key. However, it does allow the import of that same key when paired with a self-signed certificate and bundled into a PKCS#12 file.
Starting with the raw key:
$ head -1 OUTPUT/*.key # see nothing hidden ==> OUTPUT/east.key <== -----BEGIN PRIVATE KEY-----
Generate a certificate request (this uses 365 days, could be unlimited), self-sign it and then bundle it into a PKCS#12 file:
$ openssl req -new -subj "/CN=east" \ -key OUTPUT/east.key \ -out OUTPUT/east.csr $ openssl req -text -in OUTPUT/east.csr -noout | grep east Subject: CN = east $ openssl x509 -req -days 365 \ -in OUTPUT/east.csr \ -signkey OUTPUT/east.key \ -out OUTPUT/east.crt $ openssl pkcs12 -export -password pass:foobar \ -in OUTPUT/east.crt \ -inkey OUTPUT/east.key \ -name east \ -out OUTPUT/east.p12
And then import it:
$ pk12util -d /etc/ipsec.d/ -i OUTPUT/east.p12 -W foobar $ certutil -K -d /etc/ipsec.d/ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa 42ce27ac8668ab0e1f20894f1f73f95de4aa6c72 east
Once the key has been imported. It can be identified using something like either of:
rightid=@east rightckaid=42ce27ac8668ab0e1f20894f1f73f95de4aa6c72
See the test ikev2-03-rawrsa-pem.
Exporting a CA(?) certificate to load on another libreswan machine
Paul: wouldn't this also include the private key which we don't want? Paul: add "ipsec export"?
To export the CA certificate, including the private key:
pk12util -o cacert1.p12 -n cacert1 -d sql:/var/lib/ipsec/nss
Normally you would just want the CA cert. To extract just the CA cert without the private key:
certutil -L -n "CA nickname" -d sql:/var/lib/ipsec/nss -a > theca.crt
You can also use -x instead of -a for binary DER encoding.
Copy the .p12 or .crt file to the new machine.
To import the .crt file:
certutil -A -i theca.crt -n "CA nickname" -t "CT,," -d sql:/var/lib/ipsec/nss
To import the .p12 file:
ipsec import cacert1.p12 certutil -M -n cacert1 -t "CT,," -d sql:/var/lib/ipsec/nss
An example connection for ipsec.conf would look like:
conn pluto-1-2 left=1.2.3.4 leftid="CN=usercert1" leftrsasigkey=%cert leftcert=usercert1 right=5.6.7.8 rightid="CN=usercert2" rightrsasigkey=%cert auto=add
Configuring a smartcard with NSS
Required library: libcoolkey or other PKCS#11 compatible library
To make smartcard tokens visible through NSS
modutil -add <module_name> -libfile libcoolkeypk11.so \ -dbdir sql:/var/lib/ipsec/nss \ -mechanisms <mechanisms_separted_by_colons>
An example of mechanisms can be: RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES:CAMELLIA.
To check whether the token is visible or not, run
modutil -list -dbdir sql:/var/lib/ipsec/nss
Using NSS in FIPS mode
If the system is running in FIPS mode, the NSS library and libreswan will automatically also run in FIPS mode. To check if libreswan is running in FIPS mode, run:
ipsec whack --fipsstatus
To see more detailed information about the FIPS status of the operating system and libreswan, the selfcheck command can be run:
# ipsec pluto --selftest Pluto initialized FIPS Product: NO FIPS Kernel: NO FIPS Mode: NO [...] FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test passed [...] Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Hash algorithms: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Integrity algorithms: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Note various non-FIPS allowed algorithms are missing from the selftest, such as MD5, CHACHA20POLY1305, MODP1536, etc etc.
For example using RHEL8/CentOS8, placing the system in FIPS mode using the following commands is enough for libreswan to run in FIPS mode:
fips-mode-setup --enable reboot
If the Linux distribution offers no easy way to place the system in FIPS mode, this can be done manually. For the Operating System to be considered in FIPS mode, the Linux kernel (compiled with FIPS support) must have been booted with the kernel command option fips=1 and the file /etc/system-fips needs to exist (but can be 0 bytes in size). The system-fips file is often created by dracut-fips. Additionally, the NSS database has to be (re)configured to be in FIPS mode. This can be done using:
modutil -dbdir sql:/var/lib/ipsec/nss -fips true -force
To check if the NSS database is in FIPS mode, use:
modutil -dbdir sql:/var/lib/ipsec/nss -chkfips true