Difference between revisions of "Extend RFC-7427 Signature Authentication support to IKEv2 with ECDSA"

Revision as of 02:29, 11 August 2018

Introduction

As part of Google summer of Code work in 2017 described in , RFC-7427 Digital Signature Authentication was implemented with support for RSA. This work is an extension to support ECDSA. Implementation of ECDSA requires the modification of the existing Libreswan public key code to fix the RSA only parts so that it is able to accept different new types of keys in the future ( not just limited to ECDSA ). This will ensure compliance to RFC-7427 and RFC-8247.

Implementation

To make Libreswan RFC 7427 and RFC 8247 compliant, the following items have been implemented :

1. Fixing the RSA only public key code

2. Support for configuring authby=ecdsa

3. Signature generation and Verification through NSS APIs

4. Test Suite changes

The Test Suite was extended by adding test cases to verify feature functionality and perform interoperability tests with strongswan.

Issues encountered

Future work

Source code

This project work was sponsored by Google as part of the Google Summer of Code 2018 Program. The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters.

Use Cases and Requirements document for ECC/ECDSA support

@@ Line 20: / Line 20: @@
 == Issues encountered ==
-[https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc4307bis/ The RFC 4307bis] mandates the usage of RSASSA-PSS along with Digital Signature Authentication. However the older flavour PKCS v1.5 may still be supported. But a way to indicate to the peer, which flavour of RSA should be used is not yet described. Since no other client supports RSASSA-PSS, interoperability tests cannot be performed.
 == Future work ==
-* Support for Signature algorithms ECDSA and RSASSA-PSS
-Implementation of ECDSA requires the extension of the Libreswan's public key code to remove the hardwiring for RSA. Implementation of RSASSA-PSS would have to use different NSS library method call. The implementation is waiting for [https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc4307bis/ RFC 4307bis] to clarify the usage of PSS.
-* Support for Hash algorithm SHA-2.
-SHA2 needs an extended parser for the authby = keyword, in ipsec.conf.
 == Source code ==
-[https://github.com/libreswan/libreswan/commit/14c76638612226ab87f8fe14cb8b94282f729651 Feature implementation]
-[https://github.com/libreswan/libreswan/commit/272301a82178ea1a2c8afd39f26e2e024ef21853 Addition and modification of test cases]
-This project work was sponsored by Google as part of the Google Summer of Code 2017 Program.
+This project work was sponsored by Google as part of the Google Summer of Code 2018 Program.
 The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters.
 [[ Use Cases and Requirements document for ECC/ECDSA support ]]