[strongSwan] strongswan pki command error
Andreas Steffen
andreas.steffen at strongswan.org
Tue Nov 15 05:37:42 CET 2011
Hello Anand,

your private key is not well formed. The OpenSSL command

  openssl rsa -inform der -in caKey.der -noout -check
  RSA key error: dmp1 not congruent to d
  RSA key error: dmq1 not congruent to d

shows this. If I execute

  ipsec pki --gen > caKey1.der

on my system, my key is ok. You somehow modified your openssl library
so that it generates corrupt keys.

Regards

Andreas

On 11/14/2011 10:37 AM, anand rao wrote:
> Hi Andreas,
>
>>> Did you activate or insert any debug statements writing
>>> to stdout either in the strongSwan or OpenSSL code?
>
>
> Yes. It was my mistake, I added a debug message in openSSL rsa_gen.c in function RSA_generate_key_ex().
> Now I removed the print statement, and command "openssl rsa -inform der -in caKey.der -noout -text" was successful.
>
> But when I try to Generate a self-signed certificate for RSA public key I am getting below errors.
>
> ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwanCA" > caCert.der
> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> parsing private key failed
>
> I have attached caKey.der.
> Please help.
>
> Regards,
> Anand
>
>
> ----- Original Message -----
> From: Andreas Steffen <andreas.steffen at strongswan.org>
> To: anand rao <anandrao_me at yahoo.co.in>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Sent: Friday, November 11, 2011 6:29 PM
> Subject: Re: [strongSwan] strongswan pki command error
>
> Hmmm, very strange. The first couple of characters as ASCII Text are
>
> od -t a caKey.der
>
> 0000000 r s a - > m e t h - > r s a _ k
> 0000020 e y g e n nl
>
> rsa->meth->rsa_keygen\n
>
> The ensuing characters are then the correct binary ASN.1 DER encoding
> of the private key
>
> od -t x1 caKey.der
>
> 0000000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
> 0000020 65 79 67 65 6e 0a
> 30 82 05 a7 02 01 00 02 82 01
> 0000040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
> 0000060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
> 0000100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
> 0000120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
> 0000140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30
>
> 30 82 05 a7 # RSA Private key, length 1447 bytes
> 02 01 # Version: 0
> 00 #
> 02 82 01 01 # Modulus n, length 257 bytes
> 00 ee 75 ..
>
> Size of caKey.der file 1473 bytes.
> Size of debug string -22 bytes
> Size of ASN.1 sequence tag and length field -4 bytes
> ----------
> Encoded RSA private key length 1447 bytes
>
> I grepped our whole source code for "rsa_keygen" but there was
> no hit. Did you activate or insert any debug statements writing
> to stdout either in the strongSwan or OpenSSL code?
>
> Regards
>
> Andreas
>
> On 11/11/2011 01:13 PM, anand rao wrote:
>> Hi Andreas,
>>
>> Please find the caKey.der attached. It was unreadable using cat command.
>>
>> Regards
>> Anand
>>
>>
>>
>> ----- Original Message -----
>> From: Andreas Steffen <andreas.steffen at strongswan.org>
>> To: anand rao <anandrao_me at yahoo.co.in>
>> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
>> Sent: Friday, November 11, 2011 5:39 PM
>> Subject: Re: [strongSwan] strongswan pki command error
>>
>> Could you send me that private key file?
>>
>> Regards
>>
>> Andreas
>>
>> On 11/11/2011 12:00 PM, anand rao wrote:
>>> Hi Andreas,
>>>
>>> when I execute openssl rsa -inform der -in caKey.der -noout -text
>>> I am getting below errors.
>>>
>>>
>>> root at OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>>> unable to load Private Key
>>> 8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>>> 8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>>> 8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>>> 8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>>>
>>>
>>> BR's
>>> Anand
>>>
>>>
>>> ----- Original Message -----
>>> From: Andreas Steffen <andreas.steffen at strongswan.org>
>>> To: anand rao <anandrao_me at yahoo.co.in>
>>> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
>>> Sent: Thursday, November 10, 2011 7:28 PM
>>> Subject: Re: [strongSwan] strongswan pki command error
>>>
>>> Hi Anand,
>>>
>>> If I execute the same commands then the ca cert generation works.
>>>
>>> - Verify if openssl rsa -inform der -in caKey.der -noout -text works
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 10.11.2011 14:49, anand rao wrote:
>>>> Hi,
>>>>
>>>> I am using strongswan 4.3.6
>>>>
>>>> I have tried generate certificates using strongswan PKI gen tool to generate RSA certificate.
>>>> I am getting below errors.
>>>>
>>>> root at evm1gw:/etc/cert# ipsec pki --gen> caKey.der
>>>> root at evm1gw:/etc/cert#
>>>> root at evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn "C=IN,O=strongSwan, CN=strongSwan CA" --ca> caCert.der
>>>> file coded in unknown format, discarded
>>>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>>> parsing private key failed
>>>>
>>>> I have used the default load so all the plugins are loaded. Please help.
>>>>
>>>> Thanks,
>>>> Anand
>>
>> ======================================================================
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Linux VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
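
The two faults diagnosed in this thread (stray debug output written ahead of the DER key, and CRT exponents that do not match d) can be checked with a small DER reader. This is an added example, not part of the original messages and not strongSwan or OpenSSL code; the function names and the textbook-size toy key are constructed for illustration, and only the debug string and the two error messages come from the thread.

```python
DEBUG_PREFIX = b"rsa->meth->rsa_keygen\n"  # the 22 stray bytes from the od dump

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def find_der_start(buf):
    """Offset of the first SEQUENCE whose length ends exactly at EOF, else None."""
    for pos in range(len(buf) - 1):
        if buf[pos] == 0x30:
            try:
                if read_tlv(buf, pos)[2] == len(buf):
                    return pos
            except ValueError:
                pass

def rsa_fields(buf, start):
    """PKCS#1 RSAPrivateKey integers: version, n, e, d, p, q, dmp1, dmq1, iqmp."""
    _, pos, end = read_tlv(buf, start)
    out = []
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        out.append(int.from_bytes(buf[vs:ve], "big"))
        pos = ve
    return out

def check_crt(fields):
    """Recompute d mod (p-1) and d mod (q-1) and report stored values that differ."""
    _, _n, _e, d, p, q, dmp1, dmq1, _iqmp = fields
    return [f"{name} not congruent to d" for name, got, want in
            (("dmp1", dmp1, d % (p - 1)), ("dmq1", dmq1, d % (q - 1))) if got != want]

def toy_key(dmp1=None, dmq1=None, p=61, q=53, e=17, d=2753):
    """Constructed textbook-size key in DER; pass dmp1/dmq1 to corrupt them."""
    def der_int(v):
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
        return bytes([0x02, len(body)]) + body
    vals = (0, p * q, e, d, p, q, d % (p - 1) if dmp1 is None else dmp1,
            d % (q - 1) if dmq1 is None else dmq1, pow(q, -1, p))
    body = b"".join(der_int(v) for v in vals)
    return bytes([0x30, len(body)]) + body
```

A nonzero offset from `find_der_start` on a key file means something was written to stdout ahead of the key; an offset of 0 with a non-empty `check_crt` result means the encoding is intact but the key material itself is inconsistent.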