<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span>Hi Martin,</span></div><div><span></span> </div><div><span>Thanks for your quick feedback.</span></div><div><span></span> </div><div><span>That is correct, tunnel is successfully established for the key with the enabled openssl plugin + workaround patch file.</span></div><div><span>But unable to load the key with enabled gmp plugin + disabled openssl plugin and no patch file for the gmp.</span></div><div><span></span> </div><div><span>As requested, here's the charon log output of debugging the gmp check() api for</span></div><div><span>the entity server certificate/private key which is created with the </span><span>openssl -engine cryptodev (OCF + h/w driver) option.</span></div><div><span></span> </div><div><span>Note: FYI, this same cert/key which was
created by the openssl + ocf + h/w cryptodev driver works fine for our SIP TLS </span></div><div><span>application </span><span>but not able to make it work for IPsec public key authentication.</span></div><div><span></span> </div><div><span>I had to bypass the RSA_check_key() with strongswan enabled openssl plugin to make it work for IPsec.</span></div><div><span></span> </div><div><span>00[ASN] -----BEGIN RSA PRIVATE KEY-----<br>00[ASN] -----END RSA PRIVATE KEY-----<br>00[ASN] L0 - RSAPrivateKey:<br>00[ASN] L1 - version:<br>00[ASN] => 1 bytes @ 0x2430e<br>00[ASN] 0: 00 .<br>00[ASN] L1 -
modulus:<br>00[ASN] => 257 bytes @ 0x24313<br>00[ASN] 0: 00 DE 3D 88 D7 D1 CE 68 53 D9 6A 21 27 CC FE 24 ..=....hS.j!'..$<br>00[ASN] 16: 69 57 7B 51 1F 85 B5 37 DE 05 C6 88 88 7D D8 78 iW{Q...7.....}.x<br>00[ASN] 32: 29 76 08 76 DE AB 77 D6 0E 79 FD E2 D6 06 9E 70 )v.v..w..y.....p<br>00[ASN] 48: A5 C9 1D 6D AB 73 12 FD 9F 9E C2 BB 89 83 42 4D ...m.s........BM<br>00[ASN] 64: B1 10 49 8B 9C A1 85 C4 2C 39 DC 1C FB 45 48 C9 ..I.....,9...EH.<br>00[ASN] 80: 62 28 00 5F C6 4C C4 C4 3C D4 6A 4C FD D1 03 18 b(._.L..<.jL....<br>00[ASN] 96: B7 72 4A EB 31 95 5F 81 B8 D5 F5 1D 63 AA 2D 84 .rJ.1._.....c.-.<br>00[ASN] 112: EF E4 2A 07 A4 EC 3A 44 77 2D 59 7D C6 4D 59 CC ..*...:Dw-Y}.MY.<br>00[ASN] 128: 96 2D 10 97 14 2D F7 5D 6D 13 47 FB 11 CF 4B DC .-...-.]m.G...K.<br>00[ASN] 144: BF B8 5A D4 DD 78
E2 47 3D B0 B2 16 25 B1 FC 0C ..Z..x.G=...%...<br>00[ASN] 160: D4 E8 BD 71 79 CB 9F 97 59 02 78 48 5C 79 D9 83 ...qy...Y.xH\y..<br>00[ASN] 176: 1A AC 79 16 1C EE F0 BF 09 1A 6D 84 4C DE 76 62 ..y.......m.L.vb<br>00[ASN] 192: 78 CB 5C 24 BE FE 11 72 E6 1C 74 7A F9 67 6E 6D x.\$...r..tz.gnm<br>00[ASN] 208: 3D 10 FB 1B 5F B4 19 F3 CD A5 D7 FA 6F D8 D2 EC =..._.......o...<br>00[ASN] 224: B0 44 41 AA 9C 29 E6 25 50 9A E4 00 AE 05 87 E8 .DA..).%P.......<br>00[ASN] 240: 1B 81 4A 1C 02 99 8E CD A6 FD 78 2E 9B 83 8B BA ..J.......x.....<br>00[ASN] 256: 25 <br>00[ASN] L1 - publicExponent:<br>00[ASN] => 3
bytes @ 0x24416<br>00[ASN] 0: 01 00 01 ...<br>00[ASN] L1 - privateExponent:<br>00[ASN] => 257 bytes @ 0x2441d<br>00[ASN] 0: 00 D7 A0 B6 BC 47 F9 CF E9 C3 22 21 07 3F F3 39 .....G...."!.?.9<br>00[ASN] 16: 9A E7 E1 63 65 85 52 BD E0 F2 93 9D 77 69 3A F5 ...ce.R.....wi:.<br>00[ASN] 32: E3 AC 7D 2B F0 82 47 E4 6D E9 59 37 94 D7 99 34 ..}+..G.m.Y7...4<br>00[ASN] 48: CC F6 24 52 7B 2E 4C B7 BD FE C9 0C 32 B1 23 4C ..$R{.L.....2.#L<br>00[ASN] 64: C4 46 7C 45 34 74 D7 97 EE 1D 39 7E F9 21 51 2C .F|E4t....9~.!Q,<br>00[ASN] 80: EB CA CA 0A 23 19 EB 34 47 9D 05 82 AC 25 F6 AE
....#..4G....%..<br>00[ASN] 96: 2D 97 7C 2F 54 CD 8C 7C 0D BD B2 74 90 75 D6 72 -.|/T..|...t.u.r<br>00[ASN] 112: 8C 5B 41 98 67 21 38 AB A3 42 61 F9 11 C5 8D 22 .[A.g!8..Ba...."<br>00[ASN] 128: 5C A8 1B 41 98 6F 9A AD 34 09 05 D1 55 C7 CE B9 \..A.o..4...U...<br>00[ASN] 144: 14 5D 7D 5E 5C 78 E7 51 5F C0 70 90 A2 18 10 63 .]}^\x.Q_.p....c<br>00[ASN] 160: 01 D2 64 CA D2 9A 84 28 2D 52 BB 4F 0B 04 4C 88 ..d....(-R.O..L.<br>00[ASN] 176: 6E 96 46 52 75 3B B1 79 19 13 97 1B BA 79 AF 07 n.FRu;.y.....y..<br>00[ASN] 192: 6F 67 1F 86 40 3F BE E7 2A E1 B0 C4 E8 2F 6A 65 <a href="mailto:og..@?..*..../je">og..@?..*..../je</a><br>00[ASN] 208: 01 7D 58 43 21 01 99 09 E2 81 0F AC EE FD 2E 40 .}XC!..........@<br>00[ASN] 224: D8 27 25 B0 66 A6 5E B7 EA 8C 96 A7 A6 C9 53 52 .'%.f.^.......SR<br>00[ASN] 240: 2B 31 C5 E1 B2 94 E2 3D 42 36 63 6E BE 40 61
2C <a href="mailto:+1.....=B6cn.@a">+1.....=B6cn.@a</a>,<br>00[ASN] 256: C1 <br>00[ASN] L1 - prime1:<br>00[ASN] => 129 bytes @ 0x24521<br>00[ASN] 0: 00 F8 B2 74 9A D2 8D 08 5A 97 F9 17 1D 4C 0B 0F ...t....Z....L..<br>00[ASN] 16: F6 48 C3 FF 10 F9 1C 98 EB FC 0E 55 D7 2C D9 0F .H.........U.,..<br>00[ASN] 32: 92 E6 54 4E 1F 28 2E DD 05 92 F3 2E 80 FB 3A 20 ..TN.(........: <br>00[ASN] 48: 9B BC 8F 1E 15 C7 CC 6D 2C 58 AD 4F 12 00 50 63 .......m,X.O..Pc<br>00[ASN] 64: 7D F7 02 BF DC 8B CF 3F 44 AC AA 5B FC 49 41 A0 }......?D..[.IA.<br>00[ASN] 80: 78 F0 71 AF 17 B5
F6 F3 5E 3D F2 03 F7 50 B4 C3 x.q.....^=...P..<br>00[ASN] 96: 17 2D 43 B9 67 0B 50 2F 35 DC A5 48 69 49 41 C3 .-C.g.P/5..HiIA.<br>00[ASN] 112: 59 81 EB 18 90 FF 33 92 EF A4 FA 48 92 46 B9 DF Y.....3....H.F..<br>00[ASN] 128: D1 .<br>00[ASN] L1 - prime2:<br>00[ASN] => 129 bytes @ 0x245a5<br>00[ASN] 0: 00 E4 C4 31 C8 35 89 DA 3C 96 A7 39 19 21 E8 2C ...1.5..<..9.!.,<br>00[ASN] 16: 27 67 6C F3 0F 6F 19 F8 C5 76 1B 5A CF 21 97 A6 'gl..o...v.Z.!..<br>00[ASN] 32: 5B 31 BF ED E7 4F 10 97 BA 8E B4 E7 02 09 B8 D6 [1...O..........<br>00[ASN] 48: 8C 5B 60 32 65 FC FF C4 CC 3E
57 92 48 BB 49 11 .[`2e....>W.H.I.<br>00[ASN] 64: E3 5A 0C 5A FE 5E DB 56 96 CC F4 C6 1E 93 95 13 .Z.Z.^.V........<br>00[ASN] 80: 38 A3 36 8B D8 04 EC A2 07 1C F1 1E 68 EF 42 28 8.6.........h.B(<br>00[ASN] 96: 9F 40 ED 5D 73 E1 A3 96 90 17 23 48 22 97 58 E7 <a href='mailto:.@.]s.....#H".X'>.@.]s.....#H".X</a>.<br>00[ASN] 112: 14 EC C7 63 9D 50 90 9D 00 29 35 44 F5 38 4B FE ...c.P...)5D.8K.<br>00[ASN] 128: 15 .<br>00[ASN] L1 - exponent1:<br>00[ASN] => 256 bytes @ 0x2462a<br>00[ASN] 0: 1E B8 CA 6B 32 03 AE D7 6F 14 89 BE 31 2C 9F 69 ...k2...o...1,.i<br>00[ASN] 16: 68
29 74 81 9A 7B 4F 37 C4 9C 7E 28 77 C2 80 1C h)t..{O7..~(w...<br>00[ASN] 32: E7 52 E5 9B 05 F5 C9 1E C4 7F 98 28 3F E0 8F 21 .R.........(?..!<br>00[ASN] 48: B6 8B 0D 98 EE 01 C9 7B 95 7B BE 36 25 7E 6B 0A .......{.{.6%~k.<br>00[ASN] 64: B8 83 6D 6D CC 0C A8 D8 E8 91 08 44 FD 91 CD 81 ..mm.......D....<br>00[ASN] 80: 7A 13 36 86 FE AF 10 F5 0A 0B 32 30 9D 04 5E 29 z.6.......20..^)<br>00[ASN] 96: 85 97 ED 06 40 5E AF 6F C8 22 F6 2B 75 58 5E 7D <a href="mailto:....@%5E.o.%22.+uX">mailto:....@%5E.o.%22.+uX</a>^}<br>00[ASN] 112: 49 0D CD 88 17 42 5A E4 77 E3 52 C8 E4 73 0F 85 I....BZ.w.R..s..<br>00[ASN] 128: 0E FB 64 47 8C A3 A8 F0 A8 83 B0 55 CD 69 B5 CA ..dG.......U.i..<br>00[ASN] 144: 31 80 CA C2 45 C6 22 14 B2 73 E0 28 B7 E5 93 9A 1...E."..s.(....<br>00[ASN] 160: 5B 21 F5 AE BE B9 6C 32 DF 3B 66 4F 31 59 84 EA
[!....l2.;fO1Y..<br>00[ASN] 176: C8 F4 40 6F DF 1F 3D 13 D8 99 88 E1 C6 7B 67 2C <a href="mailto:..@o..=......%7Bg">mailto:..@o..=......%7Bg</a>,<br>00[ASN] 192: 04 E4 2F 1A 2C 28 14 D9 14 4B 87 14 C0 37 33 57 ../.,(...K...73W<br>00[ASN] 208: E6 30 37 6E 2F C3 D3 55 06 56 70 52 AF D1 BB 2C .07n/..U.VpR...,<br>00[ASN] 224: 3A C0 88 B3 E6 21 BF B1 10 7B 0E 04 8C EB 4F E4 :....!...{....O.<br>00[ASN] 240: DF 67 3C BD 39 AD B1 47 30 E0 57 C5 30 76 C1 10 .g<.9..G0.W.0v.<br>00[ASN] L1 - exponent2:<br>00[ASN] => 257 bytes @ 0x2472e<br>00[ASN] 0: 00 B8 CA 96 97 99 35 8C 06 AF 52 BC DA 63 59 04 ......5...R..cY.<br>00[ASN] 16: 97 05 D9 65 55 57 C5 21 18 00 3A B3 03 E4 3E CE ...eUW.!..:...>.<br>00[ASN] 32: 3E CF 9A C0 AC 4F A9 C8 E2 59 58 6B A4 0D 75 BA >....O...YXk..u.<br>00[ASN] 48: 36 9B 92 57 B6 17 49 7F 7B 54 44 C9 36
0E 7B D6 6..W..I.{TD.6.{.<br>00[ASN] 64: F5 F0 42 FA 3A 7B 93 03 32 72 F8 2C BC 9F E1 1F ..B.:{..2r.,....<br>00[ASN] 80: FA 4D 86 A7 CB 70 62 2B 2A 46 98 DD 0B C1 E3 02 .M...pb+*F......<br>00[ASN] 96: 8F F8 8A 62 96 3C 77 FD 78 74 FF B2 19 2B 7E 35 ...b.<w.xt...+~5<br>00[ASN] 112: BE BA 00 79 7A 9B EF F1 78 2A FC FF 03 47 31 19 ...yz...x*...G1.<br>00[ASN] 128: EE 18 F3 6F B3 E2 B0 DE B9 1E 17 52 E1 1D AD FD ...o.......R....<br>00[ASN] 144: 5A FB 54 22 26 AB 48 D3 CD 95 F7 48 7E F0 B3 09 Z.T"&.H....H~...<br>00[ASN] 160: EC C7 B8 12 F3 44 90 BB 17 52 3C BF 67 5F 8D 3E .....D...R<.g_.><br>00[ASN] 176: 5C 29 D9 48 86 B4 4B 7D 5B 34 52 03 99 24 55 8C \).H..K}[4R..$U.<br>00[ASN] 192: AD B0 EF BB 7F 04 39 2A 33 0C A0 F3 EC 5F 4E 66 ......9*3...._Nf<br>00[ASN] 208: 04 C5 0E 39 37 8B F9 34 87 93 0B 66 B8 4E 9F
8B ...97..4...f.N..<br>00[ASN] 224: 14 D0 E6 DB 04 95 A6 5C FC 3E 0D EA 20 28 F1 CA .......\.>.. (..<br>00[ASN] 240: D4 27 76 06 1B E5 78 5F 37 B3 26 C1 95 3A 7E 5E .'v...x_7.&..:~^<br>00[ASN] 256: A7 <br>00[ASN] L1 - coefficient:<br>00[ASN] => 128 bytes @ 0x24832<br>00[ASN] 0: 5C 1F EB 7F 73 E0 31 7F 94 52 F2 06 B2 46 0C 10 \...s.1..R...F..<br>00[ASN] 16: 14 C6 2F 7F 60 75 44 79 0B 07 E7 AF E6 22 E6 EB ../.`uDy....."..<br>00[ASN] 32: 8E 27 B1 E8 B9 3C 80 2F AB A4 1D B7 8D AA 16 E8 .'...<./........<br>00[ASN] 48: E7 78 AD 13 CA 16 6D F4 52 A5 81 B9 BB 4A 8E
8D .x....m.R....J..<br>00[ASN] 64: 87 16 88 D4 5E D3 3A F3 14 4D 0D 79 DD AC EA 2A ....^.:..M.y...*<br>00[ASN] 80: 0A 8E C9 FC F8 32 A0 7A AD A8 35 B0 D4 A1 1F 95 .....2.z..5.....<br>00[ASN] 96: 57 99 B5 6A 17 62 85 A0 F9 3A A1 96 95 34 13 DF W..j.b...:...4..<br>00[ASN] 112: 69 78 D1 95 EB 9E 80 D5 25 EC 24 2F B3 24 22 00 ix......%.$/.$".<br>00[LIB] key integrity tests failed: chect that exp1(150380) is d(150368) mod (p(150344)-1), t=-1097449556<br>00[LIB] key integrity tests failed: checkt that exp2(150392) is d(150368) mod (q(150356)-1), t=-1097449556<br>00[LIB] key integrity tests failed</span></div><div><span></span> </div><div><span>Kiran</span></div><div><br></div> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <font size="2"
face="Arial"> <div style="margin: 5px 0px; padding: 0px; border: 1px solid rgb(204, 204, 204); height: 0px; line-height: 0; font-size: 0px;" class="hr" contentEditable="false" readonly="true"></div> <b><span style="font-weight: bold;">From:</span></b> Martin Willi <martin@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> Kiran Joshi <kiran.joshi38@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Wednesday, January 23, 2013 1:59 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Unable to load the private key without openssl plugin<br> </font> </div> <br>
Hi,<br><br>> 1) List of loaded plugins without the openssl for the failed test case.<br><br>> 00[LIB] key integrity tests failed<br>> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders <br><br>> When openssl plugin was enabled, we created a patch file as workaround<br>> to bypass the RSA_check_key.<br><br>If I understand correctly, you had to patch the openssl plugin to get it<br>working with your key, and an unpatched gmp plugin is unable to load the<br>key, right?<br><br>> it is safe for to bypass the integrity check in gmp plugin as another<br>> workaround? <br><br>I don't think so. These checks are there for good reason and check the<br>sanity (and safety) of the RSA key. You can add some debug statements to<br>[1] to see why exactly the key is considered invalid.<br><br>I don't recommend to remove the check, but instead track down why the<br>check fails and why your key is invalid (and potentially
unsafe).<br><br>Regards<br>Martin<br><br>[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c;hb=HEAD#l525<br><br><br><br><br> </div> </div> </div></body></html>