[strongSwan] strongswan pki command error

anand rao anandrao_me at yahoo.co.in
Mon Nov 14 10:37:50 CET 2011


Hi Andreas,

>> Did you activate or insert any debug statements writing
>> to stdout either in the strongSwan or OpenSSL code?


Yes. It was my mistake, I added a debug message in OpenSSL rsa_gen.c in function RSA_generate_key_ex().
Now I removed the print statement, and command "openssl rsa -inform der -in caKey.der -noout -text" was successful.

But when I try to generate a self-signed certificate for the RSA public key, I am getting the errors below.

ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwanCA" > caCert.der
building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
parsing private key failed

I have attached caKey.der.
Please help.

Regards,
Anand


----- Original Message -----
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: anand rao <anandrao_me at yahoo.co.in>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Friday, November 11, 2011 6:29 PM
Subject: Re: [strongSwan] strongswan pki command error

Hmmm, very strange. The first couple of characters as ASCII Text are

od -t a caKey.der

0000000   r   s   a   -   >   m   e   t   h   -   >   r   s   a   _   k
0000020   e   y   g   e   n  nl

rsa->meth->rsa_keygen\n

The ensuing characters are then the correct binary ASN.1 DER encoding
of the private key

od -t x1 caKey.der

0000000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
0000020 65 79 67 65 6e 0a
                          30 82 05 a7 02 01 00 02 82 01
0000040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
0000060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
0000100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
0000120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
0000140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30

30 82 05 a7      # RSA Private key, length 1447 bytes
   02 01         # Version: 0
      00         #
   02 82 01 01   # Modulus n, length 257 bytes
      00 ee 75 ..

Size of caKey.der file                       1473 bytes.
Size of debug string                          -22 bytes
Size of ASN.1 sequence tag and length field    -4 bytes
                                             ----------
Encoded RSA private key length               1447 bytes

I grepped our whole source code for "rsa_keygen" but there was
no hit. Did you activate or insert any debug statements writing
to stdout either in the strongSwan or OpenSSL code?

Regards

Andreas

On 11/11/2011 01:13 PM, anand rao wrote:
> Hi Andreas,
> 
>    Please find the caKey.der attached. It was unreadable using cat command.
> 
> Regards
> Anand
> 
> 
> 
> ----- Original Message -----
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> To: anand rao <anandrao_me at yahoo.co.in>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Sent: Friday, November 11, 2011 5:39 PM
> Subject: Re: [strongSwan] strongswan pki command error
> 
> Could you send me that private key file?
> 
> Regards
> 
> Andreas
> 
> On 11/11/2011 12:00 PM, anand rao wrote:
>> Hi Andreas,
>>
>> when I execute openssl rsa -inform der -in caKey.der -noout -text
>> I am getting below errors.
>>
>>
>> root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>> unable to load Private Key
>> 8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>> 8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>> 8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>> 8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>>
>>
>> BR's
>> Anand
>>
>>
>> ----- Original Message -----
>> From: Andreas Steffen <andreas.steffen at strongswan.org>
>> To: anand rao <anandrao_me at yahoo.co.in>
>> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
>> Sent: Thursday, November 10, 2011 7:28 PM
>> Subject: Re: [strongSwan] strongswan pki command error
>>
>> Hi Anand,
>>
>> If I execute the same commands then the ca cert generation works.
>>
>> - Verify if openssl rsa -inform der -in caKey.der -noout -text works
>>
>> Regards
>>
>> Andreas
>>
>> On 10.11.2011 14:49, anand rao wrote:
>>> Hi,
>>>
>>>     I am using strongswan 4.3.6
>>>
>>> I have tried to generate certificates using the strongSwan PKI gen tool to generate an RSA certificate.
>>> I am getting below errors.
>>>
>>> root@evm1gw:/etc/cert# ipsec pki --gen > caKey.der
>>> root@evm1gw:/etc/cert#
>>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN,O=strongSwan, CN=strongSwan CA" --ca > caCert.der
>>> file coded in unknown format, discarded
>>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>> parsing private key failed
>>>
>>> I have used the default load so all the plugins are loaded. Please help.
>>>
>>> Thanks,
>>> Anand
> 
> ======================================================================
> Andreas Steffen                        andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==


-- 
======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: caKey.der
Type: application/x-x509-ca-cert
Size: 1450 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111114/8bb63f4f/attachment.crt>
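
The check Andreas performs by hand with od, written as an added example that is not part of the original thread or of strongSwan: it looks for a DER SEQUENCE whose declared length runs exactly to the end of the file and reports any bytes in front of it. The function names are hypothetical, and the sample input is constructed from the debug string and header bytes quoted above, with zero filler in place of the key material.

```python
def read_der_header(buf, off=0):
    """Return (tag, content_length, header_length) for the TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: length fits in one byte
        return tag, first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def find_der_sequence(buf):
    """Find the first offset where a SEQUENCE (0x30) spans exactly to EOF.

    Returns (offset, content_length, header_length) or None.
    """
    for off in range(len(buf)):
        if buf[off] != 0x30:
            continue
        try:
            _, length, hdr = read_der_header(buf, off)
        except ValueError:
            continue
        if off + hdr + length == len(buf):
            return off, length, hdr
    return None


def diagnose(buf):
    """Classify a key file as clean DER, DER with leading junk, or neither."""
    hit = find_der_sequence(buf)
    if hit is None:
        return {"status": "no DER sequence found"}
    off, length, hdr = hit
    return {"status": "clean" if off == 0 else "leading junk",
            "junk": buf[:off], "header_len": hdr, "content_len": length}


# Constructed sample: the 22-byte debug string and the header bytes quoted in
# the thread, followed by zero filler instead of the real key material.
PREFIX = b"rsa->meth->rsa_keygen\n"
HEADER = bytes.fromhex("308205a7")
BODY = bytes.fromhex("020100" "02820101" "00ee75")
SAMPLE = PREFIX + HEADER + BODY + bytes(1447 - len(BODY))

if __name__ == "__main__":
    print(len(SAMPLE), diagnose(SAMPLE))
```

The junk, header and content lengths it reports add up to the file size, which is the same arithmetic as the size table in the message above.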

