Difference between revisions of "Extend RFC-7427 Signature Authentication support to IKEv2 with ECDSA"

From Libreswan
Jump to navigation Jump to search
Line 10: Line 10:
 
1.  Fixing the RSA only public key code
 
1.  Fixing the RSA only public key code
  
Major code changes were done in ikev2_keys.c and secrets.c. New structures are defined for Private and public ECDSA key parameters.
+
Major code changes were done in ikev2_keys.c , x509.c and secrets.c. New structures are defined for Private and public ECDSA key parameters.
Most functions that had a specific check for rsa are now able to also handle ecdsa as public key algorithm.
+
Most functions that had a specific check for rsa are now able to also handle ecdsa as public key algorithm. This involves checking if a certificate is of type ecdsa and extracting the public key from it and storing in the NSS Database. Code changes are made to obtain the ckaid and keyid of the ECDSA public keys. These IDs are used to retrieve the public key from pluto secrets and extract the private key from the certificate.
  
 
2. Support for configuring  authby=ecdsa
 
2. Support for configuring  authby=ecdsa
Line 19: Line 19:
  
 
4. Signature generation through NSS APIs
 
4. Signature generation through NSS APIs
 +
 +
This part is not yet implemented fully as private key retrieval from certificates fails due
  
 
4. Test Suite changes
 
4. Test Suite changes
Line 31: Line 33:
  
 
== Future work ==
 
== Future work ==
+
Successful generation of ECDSA signature and verification of it through interoperability tests.
 
 
  
 
== Source code ==
 
== Source code ==
 
  
 
This project work was sponsored by Google as part of the Google Summer of Code 2018 Program.
 
This project work was sponsored by Google as part of the Google Summer of Code 2018 Program.
The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters.
+
The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters and Andrew Cagney
  
 
[[ Use Cases and Requirements document for ECC/ECDSA support ]]
 
[[ Use Cases and Requirements document for ECC/ECDSA support ]]

Revision as of 02:28, 14 August 2018

Introduction

As part of Google summer of Code work in 2017 described in , RFC-7427 Digital Signature Authentication was implemented with support for RSA. This work is an extension to support ECDSA. Implementation of ECDSA requires the modification of the existing Libreswan public key code to fix the RSA only parts so that it is able to accept different new types of keys in the future ( not just limited to ECDSA ). This will ensure compliance to RFC-7427 and RFC-8247.

Implementation

To make Libreswan RFC 7427 and RFC 8247 compliant, the following items have been implemented :

1. Fixing the RSA only public key code

Major code changes were done in ikev2_keys.c , x509.c and secrets.c. New structures are defined for Private and public ECDSA key parameters. Most functions that had a specific check for rsa are now able to also handle ecdsa as public key algorithm. This involves checking if a certificate is of type ecdsa and extracting the public key from it and storing in the NSS Database. Code changes are made to obtain the ckaid and keyid of the ECDSA public keys. These IDs are used to retrieve the public key from pluto secrets and extract the private key from the certificate.

2. Support for configuring authby=ecdsa


3. Signature Verification through NSS APIs

4. Signature generation through NSS APIs

This part is not yet implemented fully as private key retrieval from certificates fails due

4. Test Suite changes

The Test Suite was extended by adding test cases to verify feature functionality and perform interoperability tests with strongswan.

Issues encountered

NSS looks for specific x509v3 certificate extensions in the end certificates and It is unclear which one is exactly missing in the certificates being used. This error has be be debugged further (as there is little information from the nss logs):

SECERR: 35 (0x23): Certificate extension not found.

Due to this, the private key cannot be obtained through these APIs : PK11_FindKeyByKeyID and PK11_FindKeyByAnyCert

Future work

Successful generation of ECDSA signature and verification of it through interoperability tests.

Source code

This project work was sponsored by Google as part of the Google Summer of Code 2018 Program. The implementation for this project is done by Sahana Prasad (sahana.prasad07@gmail.com) under the tutelage of Paul Wouters and Andrew Cagney

Use Cases and Requirements document for ECC/ECDSA support