[strongSwan] certificate format in sqlite database

Andreas Steffen andreas.steffen at strongswan.org
Wed Oct 13 16:31:50 CEST 2010


bin2sql can also be used with private keys. For identities the function
id2sql, see

   http://wiki.strongswan.org/projects/strongswan/wiki/SqlLite

is better suited.

Regards

Andreas

On 10/13/2010 03:24 PM, samuel morin wrote:
> Great. It works better like that.
> Thank you very much for your help.
> Must private keys and identities be converted to the same format?
>
> Regards
>
> samuel
>
>
> On 13/10/2010 14:57, Andreas Steffen wrote:
>> Hi Samuel,
>>
>> in the scripts directory of the strongSwan distribution there
>> is a bin2sql function which converts binary DER files into a
>> HEX-encoded string suitable for the SQLite entry:
>>
>> cat andiCert.der | ./bin2sql
>> X'308201c53082016aa003020102020400aa0001300a06082a8648ce3d0403023041310b300906035504061302434831193017060355040a13104e65772056656e7475726520496e632e311730150603550403130e4e65772056656e74757265204341301e170d3039303930383138323031355a170d3134303930373138323031355a3043310b3009060355040613024348311a3018060355040a13114e65772056656e747572657320496e632e311830160603550403130f416e6472656173205374656666656e3059301306072a8648ce3d020106082a8648ce3d0301070342000457c6f657f02a17ff6b5da5279e6cfd97f1454062fc4f670f188e780e636d64d093c6817e748217089c815dc14b7d135a843a88d281b5df202b3bbcd992865d18a34e304c301f0603551d23041830168014a9d706058f40c22f230bb3f582c8189c4a16ac6630290603551d1104223020811e616e64726561732e7374656666656e406e657776656e74757265732e6368300a06082a8648ce3d0403020349003046022100a614fc409fdeae2a6b341c79ed4e69a353a296c3a7fc431f23a1c871f26c6e1d022100831ba9b1a7f52140919307ccaed612f40902d9430d0e7fe1aab4b03482d6b599'
>>
>> Regards
>>
>> Andreas
>>
>> On 10/13/2010 02:39 PM, samuel morin wrote:
>>> Hi,
>>>
>>>
>>> I am trying to run strongSwan using an SQLite database and I'm facing a
>>> problem with the certificate format.
>>> I put the certificates and private key in PEM format in my database, which
>>> gives something like this:
>>> -----BEGIN CERTIFICATE-----
>>> -----END CERTIFICATE-----
>>>
>>> In this case, strongSwan sends this error to the logs:
>>>
>>> charon: 04[LIB] L0 - x509: ASN1 tag 0x30 expected, but is 0x2d
>>> charon: 04[LIB] =>   47 bytes @ 0x22616af8
>>> charon: 04[LIB]    0: 2D 2D 2D 2D 2D 42 45 47 49 4E 20 43 45 52 54 49  -----BEGIN CERTI
>>> charon: 04[LIB]   16: 46 49 43 41 54 45 2D 2D 2D 2D 2D 0A 4D 49 49 45  FICATE-----.MIIE
>>> charon: 04[LIB]   32: 4A 6A 43 43 41 77 36 67 41 77 49 42 41 67 49     JjCCAw6gAwIBAgI
>>> charon: 04[LIB] building CRED_CERTIFICATE - X509 failed, tried 3 builders
>>>
>>>
>>> So I tried to convert my .pem file into .der (openssl ... -inform pem
>>> -outform der) and put the contents of the file into my database.
>>> In this case strongSwan sends this error:
>>> charon: 04[LIB] number of length octets invalid
>>> charon: 04[LIB] L0 - x509:  length of ASN.1 object invalid or too large
>>> charon: 04[LIB] L0 - x509:
>>> charon: 04[LIB] =>   1 bytes @ 0x228c88b0
>>> charon: 04[LIB]    0: 30                                               0
>>>
>>> In the certificates table, I put 1 (CERT_X509) as the type value.
>>>
>>> My certificates work when I use them in file config mode (config
>>> parameters in ipsec.conf, ipsec.secrets...)
>>>
>>> I don't really understand what format strongswan is waiting for...
>>>
>>> If someone could help me...
>>>
>>> Thank you
>>>
>>> Best regards
>>>
>>> samuel MORIN
>>>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
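
The conversion discussed in this thread, as an added example (not code from the thread or from the strongSwan distribution): a Python function that strips PEM armor if present, checks the outer DER header, and emits an X'...' hex literal of the kind shown above for bin2sql. The two-column `certificates` table and the sample blob are constructed for illustration and are not the real strongSwan schema or a real certificate.

```python
import base64
import re
import sqlite3

PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return raw DER, stripping PEM armor if it is present."""
    m = PEM_RE.search(data)
    return base64.b64decode(m.group(1)) if m else data

def check_der_sequence(der: bytes) -> None:
    """Check that the outer TLV is a SEQUENCE (0x30) spanning the whole blob."""
    if not der or der[0] != 0x30:
        raise ValueError("ASN.1 tag 0x30 expected")      # e.g. 0x2d for PEM text
    if len(der) < 2:
        raise ValueError("truncated: no length octets")  # e.g. a 1-byte blob
    first = der[1]
    if first < 0x80:                                     # short-form length
        hdr, length = 2, first
    else:                                                # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("number of length octets invalid")
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        raise ValueError("DER length does not match blob size")

def bin2sql_literal(data: bytes) -> str:
    """Hex-encode validated DER as an SQLite blob literal X'...'."""
    der = to_der(data)
    check_der_sequence(der)
    return "X'" + der.hex() + "'"

def demo():
    # Constructed sample: SEQUENCE { OCTET STRING of 256 zero bytes }.
    der = b"\x30\x82\x01\x04" + b"\x04\x82\x01\x00" + bytes(256)
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    db = sqlite3.connect(":memory:")
    # Simplified stand-in table (assumption), type 1 = CERT_X509 as in the thread.
    db.execute("CREATE TABLE certificates (type INTEGER, data BLOB)")
    # The literal contains only hex digits, so embedding it in SQL text is safe.
    db.execute("INSERT INTO certificates VALUES (1, %s)" % bin2sql_literal(pem))
    stored, = db.execute("SELECT data FROM certificates").fetchone()
    return der, stored

if __name__ == "__main__":
    original, stored = demo()
    print("round trip ok:", original == stored, "first byte: 0x%02x" % stored[0])
```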



