Hello,

I have been testing StrongSwan with Ed25519 and Ed448 and found a roadblock: I got the sample "Roadwarrior with virtual IP" with "pubkey" authentication scenario from the tutorials working with Ed25519 keys without much problem (using "pki" to generate the keys/certificates). Due to the lack of support for Ed448 keys in the "pki" tool, I followed the document "Guide for building an EDDSA pki" [0] to first create a valid certificate chain using Ed25519 that strongswan had no problem working with (after minimal modifications to the DN and subjectAltName values).

The problem appeared when I repeated the same steps to create an Ed448 certificate chain: while the certificates and keys were created without problems, StrongSwan refuses to load the certificates or keys. The StrongSwan 8.7.2 changelog [1] claims that the openssl plugin added support for both Ed25519 and Ed448 keys and certificates for signing. I am running Linux Ubuntu 18.04, with strongswan 8.4.2 compiled from sources and the openssl plugin enabled against the system OpenSSL 1.1.1.

Does working with Ed448 certificates require a special and nonexistent module, just like 25519 already has? Is there any special step to force strongswan to use the openssl plugin to manage these certificates that I should follow?

Cheers,
Rodrigo.

[0]: https://tools.ietf.org/html/draft-moskowitz-eddsa-pki-02
[1]: https://www.strongswan.org/blog/2018/12/27/strongswan-5.7.2-released.html

> swanctl --load-all
no files found matching '/etc/swanctl/conf.d/*.conf'
loading '/etc/swanctl/x509/moon.strongswan.org.cert.pem' failed: parsing X509 certificate failed
loading '/etc/swanctl/x509ca/intermediate.cert.pem' failed: parsing X509 certificate failed
loading '/etc/swanctl/x509ca/ca.cert.pem' failed: parsing X509 certificate failed
building CRED_PRIVATE_KEY - ANY failed, tried 9 builders
loaded private key from '/etc/swanctl/private/moon.strongswan.org.key.pem'
no authorities found, 0 unloaded
loaded pool 'rw_pool' successfully
loaded 1 pools, 0 unloaded
loaded connection 'rw' successfully
loaded 1 connections, 0 unloaded

> pki --print --in /etc/swanctl/x509ca/ca.cert.pem -v 4
  file content is not binary ASN.1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
L0 - x509:
  => 618 bytes @ 0x55ae96c8c880
     0: 30 82 02 66 30 82 01 E6 A0 03 02 01 02 02 09 00  0..f0...........
    16: B8 A2 8D 65 18 AC D4 F6 30 05 06 03 2B 65 71 30  ...e....0...+eq0
   ...
   608: CE 3C 48 DB 2F DF 64 DF 1B 00                    .<H./.d...
L1 - tbsCertificate:
  => 490 bytes @ 0x55ae96c8c884
     0: 30 82 01 E6 A0 03 02 01 02 02 09 00 B8 A2 8D 65  0..............e
    16: 18 AC D4 F6 30 05 06 03 2B 65 71 30 68 31 0B 30  ....0...+eq0h1.0
   ...
   480: 75 74 69 6F 6E 73 2E 63 6F 6D                    utions.com
L2 - DEFAULT v1:
L3 - version:
  => 1 bytes @ 0x55ae96c8c88c
     0: 02                                               .
  X.509v3
L2 - serialNumber:
  => 9 bytes @ 0x55ae96c8c88f
     0: 00 B8 A2 8D 65 18 AC D4 F6                       ....e....
L2 - signature:
L3 - algorithmIdentifier:
L4 - algorithm:
  'id-Ed448'
L2 - issuer:
  => 106 bytes @ 0x55ae96c8c89f
     0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31  0h1.0...U....IE1
   ...
    96: 03 0C 07 52 6F 6F 74 20 43 41                    ...Root CA
  'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
L2 - validity:
L3 - notBefore:
L4 - utcTime:
  'Jan 15 11:19:08 UTC 2020'
L3 - notAfter:
L4 - utcTime:
  'Jan 10 11:19:08 UTC 2040'
L2 - subject:
  => 106 bytes @ 0x55ae96c8c929
     0: 30 68 31 0B 30 09 06 03 55 04 06 13 02 49 45 31  0h1.0...U....IE1
   ...
    96: 03 0C 07 52 6F 6F 74 20 43 41                    ...Root CA
  'C=IE, ST=DU, L=Dun Laoghaire, O=Viavi, OU=protocols, CN=Root CA'
L2 - subjectPublicKeyInfo:
-- > --
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
  'id-Ed448'
-- < --
  unsupported public key algorithm
  OpenSSL X.509 parsing failed
building CRED_CERTIFICATE - X509 failed, tried 4 builders
parsing input failed
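Added example (not from the original post and not strongSwan code): a dependency-free Python walker that reads the subjectPublicKeyInfo and signature algorithm OIDs out of a PEM certificate, so a file can be identified as Ed25519 (1.3.101.112) or Ed448 (1.3.101.113) before it is handed to swanctl. The certificate it builds for itself is a constructed, unsigned sample with dummy key and signature bytes; the OID bytes 2B 65 71 are the ones visible in the pki dump above.

```python
import base64
EDDSA_OIDS = {"1.3.101.112": "Ed25519", "1.3.101.113": "Ed448"}  # RFC 8410; 06 03 2B 65 71 in the dump = 1.3.101.113

def _tlv(der, pos):
    """One DER tag/length header -> (tag, value_start, value_end); long-form lengths handled."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _members(der, start, end):
    """Every (tag, value_start, value_end) inside a SEQUENCE body, in order."""
    out = []
    while start < end:
        out.append(_tlv(der, start))
        start = out[-1][2]
    return out

def _oid(der, start, end):
    """OBJECT IDENTIFIER body -> dotted string (first byte packs two arcs, the rest are base-128)."""
    arcs, val = [der[start] // 40, der[start] % 40], 0
    for b in der[start + 1:end]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def _algorithm(der, alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, ... } -> curve name or dotted OID."""
    _, s, e = _members(der, alg_id[1], alg_id[2])[0]
    return EDDSA_OIDS.get(_oid(der, s, e), _oid(der, s, e))

def cert_algorithms(pem):
    """(subjectPublicKeyInfo algorithm, signature algorithm) of a PEM X.509 certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, cs, ce = _tlv(der, 0)                      # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs = _members(der, cs, ce)[0]
    fields = _members(der, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]                       # serial, signature, issuer, validity, subject, SPKI, ...
    spki_alg = _members(der, fields[5][1], fields[5][2])[0]   # SPKI ::= SEQUENCE { algorithm, key }
    return _algorithm(der, spki_alg), _algorithm(der, fields[1])

def _der(tag, body):
    """Tiny DER encoder for the constructed sample only (bodies under 256 bytes)."""
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_ed448_cert_pem():
    """Constructed, unsigned Ed448-shaped certificate (dummy key/signature bytes, empty names)."""
    ed448 = _der(0x30, _der(0x06, bytes([0x2B, 0x65, 0x71])))
    name, validity = _der(0x30, b""), _der(0x30, _der(0x17, b"200115111908Z") * 2)
    spki = _der(0x30, ed448 + _der(0x03, b"\x00" + b"\x11" * 57))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + ed448 + name + validity + name + spki)
    cert = _der(0x30, tbs + ed448 + _der(0x03, b"\x00" + b"\x22" * 114))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run against the real ca.cert.pem from the dump above, cert_algorithms() reports Ed448 for both the key and the signature, which is exactly the algorithm the x509 parser rejects with "unsupported public key algorithm".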
