Skip to content

Support type7 encoded CAK key for macsec in config_db#2892

Merged
prsunny merged 4 commits intosonic-net:masterfrom
judyjoseph:macsec_type_7
Sep 6, 2023
Merged

Support type7 encoded CAK key for macsec in config_db#2892
prsunny merged 4 commits intosonic-net:masterfrom
judyjoseph:macsec_type_7

Conversation

@judyjoseph
Copy link
Copy Markdown
Contributor

@judyjoseph judyjoseph commented Aug 31, 2023
edited
Loading

What I did
Support type7 encoded CAK key for macsec in config_db

MSFT ADO : 25046448

Why I did it
The external store has the macsec CAK keys stored in type7 format. Hence the automation tools retrieve these keys and stores in config_db in type7 format.

This need to be decoded to text format for wpa_supplicant to consume.

How I verified it
Verified with type7 encoded CAK keys, macsec sessions should come up

MACSEC_PROFILE (earlier format where CAK is in text)

    },
    "MACSEC_PROFILE": {
        "macsec-profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "4",
            "rekey_period": "1800"
        },
        "macsec-profile2": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
            "primary_ckn": "707172737475767778797A3031323334356162636465666768696A6B6C6D6E6F",
            "priority": "4",
            "rekey_period": "1800"
        }
    },

MACSEC_PROFILE (NEW format: where CAK is in type 7 encoded)

    "MACSEC_PROFILE": {
        "macsec-profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "3848470b0b030604020c527a24247c7222435756085f5359761417283b2633372d5c557878707d65627a4a26342025737f0802065d574d400e000e727076702e7d",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "4",
            "rekey_period": "1800"
        },
        "macsec-profile-two": {
            "cipher_suite": "GCM-AES-XPN-256"
            "primary_cak": "543224277f2e205f701e1d5d4c53404a522d26090f010e63647040534355560e007971772a263e46080a0407070303530227257b73213556550958525a771b1650",
            "primary_ckn": "707172737475767778797A3031323334356162636465666768696A6B6C6D6E6F",
            "priority": "4",
            "rekey_period": "1800"
        }
    },

Even with CLI, we need to enter the CAK in type 7 encoded format

    sudo config macsec -n asic0 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak **<type_7_encoded_string>**  --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435"  --priority 0

Testing with CLI

sudo config macsec -n asic0 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627" --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435"  --priority 0
sudo config macsec -n asic1 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627" --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435"  --priority 0

sudo config macsec -n asic0 port add Ethernet32 macsec_profile
sudo config macsec -n asic0 port add Ethernet40 macsec_profile
sudo config macsec -n asic0 port add Ethernet128 macsec_profile
sudo config save -y

In the config DB we have 

    "MACSEC_PROFILE": {
        "macsec_profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "policy": "security",
            "primary_cak": "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "0",
            "send_sci": "true"
        }
    },


admin@str2-xxxx-lc1-1:~$ show macsec 
MACsec port(Ethernet32)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               2CDCB20F72BDE084B6AD14CA4A03D59C
                next_pn                                1
                sak                                    742B4A43E26DD61B1706D8EC0D2C054B7C0913F9F3A187DB091CBD3D5AEBD60B
                salt                                   2856BA84178D0E3DA1C5A82C
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         35
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    4798
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  34
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (de40441302b10001)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 2CDCB20F72BDE084B6AD14CA4A03D59C
                lowest_acceptable_pn                     1
                sak                                      742B4A43E26DD61B1706D8EC0D2C054B7C0913F9F3A187DB091CBD3D5AEBD60B
                salt                                     2856BA84178D0E3DA1C5A82C
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           499
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            23
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      2312
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet40)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               2400F83757B0C270283F183CDD9AF14D
                next_pn                                1
                sak                                    7737F1D322F7DCBE54677519B1E34FC71EAF069250D27E913854CD0D57075478
                salt                                   9133F41248073FCD7156BB28
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         146
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    34627
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  145
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (be6d4c83f3190002)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 2400F83757B0C270283F183CDD9AF14D
                lowest_acceptable_pn                     1
                sak                                      7737F1D322F7DCBE54677519B1E34FC71EAF069250D27E913854CD0D57075478
                salt                                     9133F41248073FCD7156BB28
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           6508
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            147
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      286640
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet128)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               D176D49FED2CCF26F1A04DC89E93672B
                next_pn                                1
                sak                                    01AFA5483DDEA4EF669129C7FC869B36CF349AA4B1D310F522DB2AEA79545EFE
                salt                                   9FCB0225DEF5A3F39F8A6808
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         53
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    15661
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  52
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (f669c302dc3f0001)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 D176D49FED2CCF26F1A04DC89E93672B
                lowest_acceptable_pn                     1
                sak                                      01AFA5483DDEA4EF669129C7FC869B36CF349AA4B1D310F522DB2AEA79545EFE
                salt                                     9FCB0225DEF5A3F39F8A6808
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           98
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            68
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      65929
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------

@judyjoseph judyjoseph requested a review from Pterosaur August 31, 2023 07:11
@judyjoseph judyjoseph requested a review from lguohan September 1, 2023 03:58
@judyjoseph judyjoseph marked this pull request as ready for review September 1, 2023 03:58
@judyjoseph judyjoseph requested a review from prsunny as a code owner September 1, 2023 03:58
@gechiang
Copy link
Copy Markdown
Contributor

gechiang commented Sep 1, 2023

@judyjoseph , please attached the needed MSFT ADO number to this PR

Pterosaur
Pterosaur reviewed Sep 1, 2023
View reviewed changes
Comment thread cfgmgr/macsecmgr.cpp Outdated
This was referenced Sep 2, 2023
Merged
Merged
@judyjoseph judyjoseph requested a review from Pterosaur September 4, 2023 07:33
Pterosaur
Pterosaur reviewed Sep 4, 2023
View reviewed changes
Comment thread cfgmgr/macsecmgr.cpp Outdated
@gechiang
Copy link
Copy Markdown
Contributor

gechiang commented Sep 5, 2023

@judyjoseph , Is there any dependency in the order of the PRs you mentioned where one needs to go in first before other?
Can this PR 2892 be merged safely without causing test issue or build issue?

@judyjoseph
Copy link
Copy Markdown
Contributor Author

judyjoseph commented Sep 5, 2023

@prsunny @lguohan Could you review this PR, this is a change to get macsec wpa_supplicant to accept type7 encoded strings and prevent keys to be stored in plain text in config_db. I have added the test results and the MACSEC_PROFILE in config_db in PR comments.

We have a PR in sonic-buildimage also sonic-net/sonic-buildimage#16388, to accept this format and length.

@prsunny
Copy link
Copy Markdown
Collaborator

prsunny commented Sep 6, 2023

Can you please plan to add a unit test for this?

@gechiang
Copy link
Copy Markdown
Contributor

gechiang commented Sep 6, 2023

@prsunny @rlhui @lguohan , can you help merge this PR?
Thanks!

@gechiang gechiang requested a review from rlhui September 6, 2023 01:59
@judyjoseph
Copy link
Copy Markdown
Contributor Author

judyjoseph commented Sep 6, 2023

Can you please plan to add a unit test for this?

Sure Prince, is it ok I add this in a follow on PR

@prsunny prsunny merged commit ae010bf into sonic-net:master Sep 6, 2023
@judyjoseph judyjoseph mentioned this pull request Sep 6, 2023
Open
@gechiang
Copy link
Copy Markdown
Contributor

gechiang commented Sep 6, 2023

@yxieca , @StormLiangMS , Please help approve this for the requested branches.
Thanks!

yxieca pushed a commit that referenced this pull request Sep 6, 2023
@judyjoseph @yxieca
Support type7 encoded CAK key for macsec in config_db (#2892)
33d81e7 
* Add decode type 7 alogorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
@qiluo-msft qiluo-msft requested review from ganglyu and removed request for ganglyu September 6, 2023 21:48
abdosi
abdosi reviewed Sep 6, 2023
View reviewed changes
Comment thread cfgmgr/macsecmgr.cpp
rlhui pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 7, 2023
@judyjoseph
Update macsec CAK keys in profile for tests to change to type7 encode…
7d2e3cb 
…d format (#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
This was referenced Sep 8, 2023
Merged
Merged
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 8, 2023
@judyjoseph @mssonicbld
Update macsec CAK keys in profile for tests to change to type7 encode…
527a412 
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 8, 2023
@judyjoseph @mssonicbld
Update macsec CAK keys in profile for tests to change to type7 encode…
2aa2b62 
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
@judyjoseph @sonic-otn
Update macsec CAK keys in profile for tests to change to type7 encode…
301d26f 
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 21, 2023
@judyjoseph @mssonicbld
Update macsec CAK keys in profile for tests to change to type7 encode…
199a855 
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
@mssonicbld mssonicbld mentioned this pull request Sep 21, 2023
Merged
11 tasks
StormLiangMS pushed a commit that referenced this pull request Sep 21, 2023
@judyjoseph @StormLiangMS
Support type7 encoded CAK key for macsec in config_db (#2892)
a0eb0d0 
* Add decode type 7 alogorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
StormLiangMS pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 21, 2023
@mssonicbld @judyjoseph
Update macsec CAK keys in profile for tests to change to type7 encode…
1726eb3 
…d format (#16388) (#16626)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.

Co-authored-by: judyjoseph <53951155+judyjoseph@users.noreply.github.com>
@judyjoseph
Copy link
Copy Markdown
Contributor Author

judyjoseph commented Sep 22, 2023

@shyam77git @mlok-nokia @kenneth-arista f.y.i

With this PR (along with sonic-net/sonic-buildimage#16388) -- please note that there will be a change in the way we input the macsec CAK keys either via configuration command, or via the config_db

Currently the CAK key is given in plain text as input, it will change to type7 encoded format. Please refer to sonic-mgmt PR (sonic-net/sonic-mgmt#9873) for various macsec_profiles.

This is currently merged in 202205 branch, we plan to merge this in master as well- thanks.

@judyjoseph judyjoseph deleted the macsec_type_7 branch September 22, 2023 20:45
@StormLiangMS StormLiangMS mentioned this pull request Sep 25, 2023
Merged
StormLiangMS added a commit that referenced this pull request Sep 25, 2023
@StormLiangMS
Revert "Support type7 encoded CAK key for macsec in config_db (#2892)"
0584d35 
This reverts commit a0eb0d0.
@StormLiangMS
Copy link
Copy Markdown
Contributor

StormLiangMS commented Sep 25, 2023

@judyjoseph this PR will cause PR test failure when do the submodule advance, could you help to fix the PR test failure?

yxieca pushed a commit that referenced this pull request Oct 12, 2023
@judyjoseph @yxieca
Support type7 encoded CAK key for macsec in config_db (#2892)
30cea96 
* Add decode type 7 alogorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
StormLiangMS pushed a commit that referenced this pull request Oct 24, 2023
@judyjoseph @StormLiangMS
Support type7 encoded CAK key for macsec in config_db (#2892)
325d6d2 
* Add decode type 7 alogorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
@mssonicbld mssonicbld mentioned this pull request Nov 18, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abdosi abdosi abdosi left review comments

@prsunny prsunny prsunny approved these changes

@Pterosaur Pterosaur Pterosaur approved these changes

@lguohan lguohan Awaiting requested review from lguohan

@rlhui rlhui Awaiting requested review from rlhui

Assignees

No one assigned

Labels

Included in 202205 Branch Included in 202305 Branch Request for 202205 Branch Request for 202211 Branch Request for 202305 Branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@judyjoseph @gechiang @prsunny @StormLiangMS @Pterosaur @abdosi @yejianquan @yxieca