[strongSwan-dev] more SQL and key IDs
Andreas Steffen
andreas.steffen at strongswan.org
Sat May 15 11:59:22 CEST 2010
Hi,
It seems that the *subjectPublicKeyInfo hash* of the CA certificate
is required in order to resolve received certificate requests:
May 3 00:22:33 moon charon:
11[IKE] received cert request for unknown ca with keyid
ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
which does not work in the sql/rw-cert scenario but which works in the
sql/ip-pool-db scenario:
May 3 00:18:19 moon charon:
11[IKE] received cert request for
"C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
On the other hand the lookup of certificates in a chain and of matching
private keys is based on the *subjectKeyIdentifier* (in earlier
strongSwan versions it was based on the subjectPublicKeyInfo hash but
Martin Willi switched the identifier type at some point in time).
Thus I recommend using the *subjectKeyIdentifier* as an identity for
all end entity certificates and private keys and additionally the
*subjectPublicKeyInfo hash* for root CA and intermediate CA
certificates.
Best regards
Andreas
On 05/14/2010 01:31 AM, J. Tang wrote:
> I was able to inspect the strongswanCert.pem like so:
>
> ipsec pki --keyid --type x509 --in strongswanCert.pem
> subjectKeyIdentifier: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
> subjectPublicKeyInfo hash: ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
>
> In tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql, the second
> INSERT statement is:
>
> INSERT INTO identities (
> type, data
> ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
> 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
> );
>
> which is the subjectKeyIdentifier.
>
>
> However, in tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql, the
> second INSERT statement is:
>
> INSERT INTO identities (
> type, data
> ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
> 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
> );
>
> which is the subjectPublicKeyInfo hash.
>
> Why does one SQL file use one value, while the other uses the other?
> If I were writing my own SQL statements, how would I know which one I
> should insert?
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==