
Support type7 encoded CAK key for macsec in config_db #2892

Merged
merged 4 commits, Sep 6, 2023

Conversation

judyjoseph
Contributor

@judyjoseph judyjoseph commented Aug 31, 2023

What I did
Support type7 encoded CAK key for macsec in config_db

MSFT ADO : 25046448

Why I did it
The external store has the macsec CAK keys stored in type7 format. Hence the automation tools retrieve these keys and store them in config_db in type7 format.

This needs to be decoded to text format for wpa_supplicant to consume.

How I verified it
Verified with type7 encoded CAK keys; macsec sessions should come up.

MACSEC_PROFILE (earlier format where CAK is in text)

    },
    "MACSEC_PROFILE": {
        "macsec-profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "4",
            "rekey_period": "1800"
        },
        "macsec-profile2": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
            "primary_ckn": "707172737475767778797A3031323334356162636465666768696A6B6C6D6E6F",
            "priority": "4",
            "rekey_period": "1800"
        }
    },

MACSEC_PROFILE (new format, where the CAK is type 7 encoded)

    "MACSEC_PROFILE": {
        "macsec-profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "3848470b0b030604020c527a24247c7222435756085f5359761417283b2633372d5c557878707d65627a4a26342025737f0802065d574d400e000e727076702e7d",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "4",
            "rekey_period": "1800"
        },
        "macsec-profile-two": {
            "cipher_suite": "GCM-AES-XPN-256",
            "primary_cak": "543224277f2e205f701e1d5d4c53404a522d26090f010e63647040534355560e007971772a263e46080a0407070303530227257b73213556550958525a771b1650",
            "primary_ckn": "707172737475767778797A3031323334356162636465666768696A6B6C6D6E6F",
            "priority": "4",
            "rekey_period": "1800"
        }
    },

Even with the CLI, we need to enter the CAK in type 7 encoded format

    sudo config macsec -n asic0 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak <type_7_encoded_string> --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435" --priority 0

Testing with CLI

    sudo config macsec -n asic0 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627" --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435" --priority 0
    sudo config macsec -n asic1 profile add macsec_profile --cipher_suite GCM-AES-XPN-256 --primary_cak "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627" --primary_ckn "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435" --priority 0

    sudo config macsec -n asic0 port add Ethernet32 macsec_profile
    sudo config macsec -n asic0 port add Ethernet40 macsec_profile
    sudo config macsec -n asic0 port add Ethernet128 macsec_profile
    sudo config save -y

In the config DB we have 

    "MACSEC_PROFILE": {
        "macsec_profile": {
            "cipher_suite": "GCM-AES-XPN-256",
            "policy": "security",
            "primary_cak": "207b757a60617745504e5a20747a7c76725e524a450d0d01040a0c75297822227e07554155500e5d5157786d6c2a3d2031425a5e577e7e727f6b6c033124322627",
            "primary_ckn": "6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435",
            "priority": "0",
            "send_sci": "true"
        }
    },


admin@str2-xxxx-lc1-1:~$ show macsec 
MACsec port(Ethernet32)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               2CDCB20F72BDE084B6AD14CA4A03D59C
                next_pn                                1
                sak                                    742B4A43E26DD61B1706D8EC0D2C054B7C0913F9F3A187DB091CBD3D5AEBD60B
                salt                                   2856BA84178D0E3DA1C5A82C
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         35
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    4798
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  34
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (de40441302b10001)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 2CDCB20F72BDE084B6AD14CA4A03D59C
                lowest_acceptable_pn                     1
                sak                                      742B4A43E26DD61B1706D8EC0D2C054B7C0913F9F3A187DB091CBD3D5AEBD60B
                salt                                     2856BA84178D0E3DA1C5A82C
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           499
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            23
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      2312
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet40)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               2400F83757B0C270283F183CDD9AF14D
                next_pn                                1
                sak                                    7737F1D322F7DCBE54677519B1E34FC71EAF069250D27E913854CD0D57075478
                salt                                   9133F41248073FCD7156BB28
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         146
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    34627
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  145
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (be6d4c83f3190002)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 2400F83757B0C270283F183CDD9AF14D
                lowest_acceptable_pn                     1
                sak                                      7737F1D322F7DCBE54677519B1E34FC71EAF069250D27E913854CD0D57075478
                salt                                     9133F41248073FCD7156BB28
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           6508
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            147
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      286640
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet128)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                macsec_profile
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (407c7dbb260b0001)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               D176D49FED2CCF26F1A04DC89E93672B
                next_pn                                1
                sak                                    01AFA5483DDEA4EF669129C7FC869B36CF349AA4B1D310F522DB2AEA79545EFE
                salt                                   9FCB0225DEF5A3F39F8A6808
                ssci                                   2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         53
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    15661
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  52
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (f669c302dc3f0001)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 D176D49FED2CCF26F1A04DC89E93672B
                lowest_acceptable_pn                     1
                sak                                      01AFA5483DDEA4EF669129C7FC869B36CF349AA4B1D310F522DB2AEA79545EFE
                salt                                     9FCB0225DEF5A3F39F8A6808
                ssci                                     1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           98
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            68
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      65929
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0
                ---------------------------------------  ----------------------------------------------------------------
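As an added example (not code from this PR or from sonic-swss), the type 7 decoding the PR introduces, together with the 66/130-byte length check named in the commit message, applied to the two encoded `primary_cak` values in the description above: each decodes back to the plaintext CAK of the corresponding earlier-format profile. Type 7 XORs the key bytes against a fixed, public 53-byte table, so the stored form hides the CAK from a casual reader of the JSON but not from anyone who can read config_db; access control on config_db and on the external key store remain the actual protection. The mapping of cipher suites to encoded lengths (128-bit CAK to 66, 256-bit CAK to 130) is my inference from the commit message, and the function names are hypothetical.

```cpp
// Added example, not sonic-swss code: Cisco "type 7" decoding of a MACsec CAK as stored
// in config_db, plus the length check the PR describes (66 or 130 encoded bytes by suite).
// The suite -> length mapping is my reading of the commit message, not the project's code.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Fixed, public translation table used by type 7 (53 bytes). Because the table is fixed,
// type 7 is reversible obfuscation, not encryption.
static const std::string kType7Xlat =
    "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87";

// Hex digit value, or -1 if the character is not a hex digit.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Encoded length expected for a profile: two decimal seed digits plus two hex digits per
// CAK character. A 128-bit CAK is 32 hex characters -> 66; a 256-bit CAK is 64 -> 130.
std::size_t expectedType7Length(const std::string &cipher_suite) {
    if (cipher_suite == "GCM-AES-128" || cipher_suite == "GCM-AES-XPN-128") return 66;
    if (cipher_suite == "GCM-AES-256" || cipher_suite == "GCM-AES-XPN-256") return 130;
    return 0;  // unknown suite: nothing is accepted
}

// Decode a type 7 string "SS" + hex bytes: plain[i] = byte[i] ^ xlat[(SS + i) % 53].
// Returns false (and leaves `plain` empty) on malformed input.
bool decodeType7(const std::string &encoded, std::string &plain) {
    plain.clear();
    if (encoded.size() < 4 || encoded.size() % 2 != 0) return false;
    if (!std::isdigit(static_cast<unsigned char>(encoded[0])) ||
        !std::isdigit(static_cast<unsigned char>(encoded[1]))) return false;
    std::size_t seed = (encoded[0] - '0') * 10 + (encoded[1] - '0');
    for (std::size_t i = 2; i < encoded.size(); i += 2) {
        int hi = hexVal(encoded[i]);
        int lo = hexVal(encoded[i + 1]);
        if (hi < 0 || lo < 0) { plain.clear(); return false; }
        unsigned char byte = static_cast<unsigned char>((hi << 4) | lo);
        std::size_t idx = (seed + (i - 2) / 2) % kType7Xlat.size();
        plain.push_back(static_cast<char>(byte ^ static_cast<unsigned char>(kType7Xlat[idx])));
    }
    return true;
}

// What a config handler would do with MACSEC_PROFILE.primary_cak: enforce the encoded
// length for the cipher suite, decode, and insist the result is the hex CAK string that
// wpa_supplicant expects. Returns false (and an empty `cak`) if any step fails.
bool decodeProfileCak(const std::string &cipher_suite, const std::string &encoded_cak,
                      std::string &cak) {
    cak.clear();
    if (encoded_cak.size() != expectedType7Length(cipher_suite)) return false;
    if (!decodeType7(encoded_cak, cak)) return false;
    for (char c : cak) {
        if (hexVal(c) < 0) { cak.clear(); return false; }
    }
    return true;
}

int main() {
    // Encoded primary_cak of "macsec-profile" from the PR description.
    const std::string encoded =
        "3848470b0b030604020c527a24247c7222435756085f5359761417283b2633372d5c557878707d"
        "65627a4a26342025737f0802065d574d400e000e727076702e7d";
    std::string cak;
    if (decodeProfileCak("GCM-AES-XPN-256", encoded, cak)) {
        std::cout << "decoded CAK: " << cak << "\n";  // the plaintext CAK of the earlier format
    } else {
        std::cout << "rejected\n";
    }
    return 0;
}
```

The seed is taken modulo the table size, which is why the page's encoded values can start with `38` or `54` even though the classic Cisco description only mentions seeds 0 to 15. Rejecting a value whose decoded bytes are not hex catches a mistyped seed or a plaintext CAK pasted into a field that now expects type 7.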




@judyjoseph judyjoseph requested a review from Pterosaur August 31, 2023 07:11
@gechiang
Contributor

gechiang commented Sep 1, 2023

@judyjoseph , please attach the needed MSFT ADO number to this PR

cfgmgr/macsecmgr.cpp (review thread, outdated, resolved)
@judyjoseph judyjoseph requested a review from Pterosaur September 4, 2023 07:33
cfgmgr/macsecmgr.cpp (review thread, outdated, resolved)
@gechiang
Contributor

gechiang commented Sep 5, 2023

@judyjoseph , is there any dependency in the order of the PRs you mentioned, where one needs to go in first before the other?
Can this PR 2892 be merged safely without causing a test issue or build issue?

@judyjoseph
Contributor Author

@prsunny @lguohan Could you review this PR? This is a change to get macsec wpa_supplicant to accept type7 encoded strings and prevent keys from being stored in plain text in config_db. I have added the test results and the MACSEC_PROFILE in config_db in the PR comments.

We also have a PR in sonic-buildimage, sonic-net/sonic-buildimage#16388, to accept this format and length.

@prsunny
Collaborator

prsunny commented Sep 6, 2023

Can you please plan to add a unit test for this?

@gechiang
Contributor

gechiang commented Sep 6, 2023

@prsunny @rlhui @lguohan , can you help merge this PR?
Thanks!

@gechiang gechiang requested a review from rlhui September 6, 2023 01:59
@judyjoseph
Contributor Author

Can you please plan to add a unit test for this?

Sure Prince, is it ok if I add this in a follow-on PR?

@prsunny prsunny merged commit ae010bf into sonic-net:master Sep 6, 2023
@gechiang
Contributor

gechiang commented Sep 6, 2023

@yxieca , @StormLiangMS , Please help approve this for the requested branches.
Thanks!

yxieca pushed a commit that referenced this pull request Sep 6, 2023
* Add decode type 7 algorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
@qiluo-msft qiluo-msft requested review from ganglyu and removed request for ganglyu September 6, 2023 21:48
rlhui pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 7, 2023
…d format (#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 8, 2023
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 8, 2023
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
mssonicbld pushed a commit to mssonicbld/sonic-buildimage that referenced this pull request Sep 21, 2023
…d format (sonic-net#16388)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.
StormLiangMS pushed a commit that referenced this pull request Sep 21, 2023
* Add decode type 7 algorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
StormLiangMS pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 21, 2023
…d format (#16388) (#16626)

* Change the CAK key length check in config plugin, macsec test profile changes

* Fix the format in add_profile api

The changes needed in various macsec unit tests and config plugin when we move to accept the type 7 encoded key format for macsec. This goes along with PR : sonic-net/sonic-swss#2892 raised earlier.

Co-authored-by: judyjoseph <[email protected]>
@judyjoseph
Contributor Author

@shyam77git @mlok-nokia @kenneth-arista f.y.i

With this PR (along with sonic-net/sonic-buildimage#16388), please note that there will be a change in the way we input the macsec CAK keys, either via the configuration command or via config_db.

Currently the CAK key is given as input in plain text; this will change to the type7 encoded format. Please refer to the sonic-mgmt PR (sonic-net/sonic-mgmt#9873) for the various macsec_profiles.

This is currently merged in the 202205 branch; we plan to merge this in master as well. Thanks.

@StormLiangMS
Contributor

@judyjoseph this PR will cause a PR test failure when doing the submodule advance; could you help fix the PR test failure?

yxieca pushed a commit that referenced this pull request Oct 12, 2023
* Add decode type 7 algorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite
StormLiangMS pushed a commit that referenced this pull request Oct 24, 2023
* Add decode type 7 algorithm and use it to decode the encoded key from config_db
* Remove the Error log added earlier for debugging
* Add check for 66 bytes or 130 bytes encoded string based on cipher suite