1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
rm -rf OUTPUT/nss
west #
mkdir OUTPUT/nss
west #
ipsec initnss -d OUTPUT/nss
Initializing NSS database
west #
# generate first key
west #
ipsec newhostkey --bits 2192 --seeddev /dev/urandom --nssdir OUTPUT/nss
Generated RSA key pair with CKAID <<CKAID#1>> was stored in the NSS database
The public key can be displayed using: ipsec showhostkey --left --ckaid <<CKAID#1>>
west #
# generate second key
west #
ipsec newhostkey --bits 2192 --seeddev /dev/urandom --nssdir OUTPUT/nss
Generated RSA key pair with CKAID <<CKAID#2>> was stored in the NSS database
The public key can be displayed using: ipsec showhostkey --left --ckaid <<CKAID#2>>
west #
# empty the database
west #
rm -rf OUTPUT/nss
west #
mkdir OUTPUT/nss
west #
ipsec initnss -d OUTPUT/nss > /dev/null 2> /dev/null
west #
# confirm reject too small keysizes and non-multiples of 16 for RSA
west #
# min size is 2192 (lost to history why not 2048)
west #
ipsec newhostkey --bits 512 --seeddev /dev/urandom --nssdir OUTPUT/nss
ipsec rsasigkey: requested RSA key size (512) is too small - use 2192 or more
west #
ipsec newhostkey --bits 1024 --seeddev /dev/urandom --nssdir OUTPUT/nss
ipsec rsasigkey: requested RSA key size (1024) is too small - use 2192 or more
west #
ipsec newhostkey --bits 2048 --seeddev /dev/urandom --nssdir OUTPUT/nss
ipsec rsasigkey: requested RSA key size (2048) is too small - use 2192 or more
west #
ipsec newhostkey --bits 2051 --seeddev /dev/urandom --nssdir OUTPUT/nss
ipsec rsasigkey: requested RSA key size (2051) is too small - use 2192 or more
west #
ipsec newhostkey --bits 3192 --seeddev /dev/urandom --nssdir OUTPUT/nss
ipsec rsasigkey: requested RSA key size (3192) is not a multiple of 16
west #
# there should be no keys
west #
ipsec showhostkey --list --nssdir OUTPUT/nss
west #
rm -rf OUTPUT/nss
west #
|
