[strongSwan] strongswan how to check certreq and how to build certreq field

Andreas Steffen andreas.steffen at strongswan.org
Fri Nov 23 08:38:22 CET 2012 

Hi,

sorry I confounded the CERTREQ hash which is computed over the
public key info record with the HASH-and-URL hash which goes over
the whole DER-encoded certificate.

Use our ipsec pki command to extract the keyid from the CA Certificate:

ipsec pki --print --in etc/ipsec.d/cacerts/strongswanCert.pem
cert:      X509
subject:  "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
issuer:   "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
validity:  not before Sep 10 12:01:18 2004, ok
            not after  Sep 07 12:01:18 2019, ok (expires in 2479 days)
serial:    00
flags:     CA CRLSign self-signed
pathlen:   1
authkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
subjkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
pubkey:    RSA 2048 bits
keyid:     ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
subjkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef

The value to use in the CERTREQ is keyid: ae:09:...:eb:bc

Regards

Andreas

On 11/22/2012 02:21 AM, Jun Yin wrote:
> hi,
>
> Thanks you very much, you helped me a lot.
>
> now the problem 1&2 are resolved, I could specify which CA to be sent
> in certreq now.
> For question 3, still something wrong.
>
>  From my decrypted packet, I can see strongswan send out:
>
> Certificate Authority Data: 2b6d55461e944f4e1eb197fedaf1bbeba2011c90
>
>
> I calculated the value by myself with your command:
>
> root at pc161:~# openssl x509 -in
> /etc/ipsec.d/cacerts/cacert_hans_216_sub3_ca.pem -outform der -out
> cert.der
> root at pc161:~# hash=`sha1sum cert.der | awk '{ print $1 }'`
> root at pc161:~# echo $hash
> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1
> root at pc161:~# sha1sum cert.der
> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1  cert.der
>
>
> The value does not match!   I must did something wrong. Could you help
> me to figure out?  I attached my cacert in this email.  Thanks again.
>
>
>
>
> On Wed, Nov 21, 2012 at 12:09 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> On 11/21/2012 08:47 PM, Jun Yin wrote:
>>>
>>> Hi,
>>>
>>> I know certreq should be filled by part of hash of certificate
>>> authority, but I don't know an easy way to calculate it by myself.
>>>
>>>>  From my debug:
>>>
>>>
>>> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT,
>>> sending keep alives
>>> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an
>>> unknown ca
>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216,
>>> E=hans_216 at stress.com"
>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
>>> E=hans_216_sub2 at stress.com"
>>> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc,
>>> L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt,
>>> E=dut2_sub3 at stress.com' (myself) with RSA signature successful
>>>
>>>
>>> 1. The second line said "requests for an unknown ca".     I don't know
>>> why, I suppose I have all relevant cacert in directory
>>> /etc/ipsec.d/cacert.  So, is that means my peer sending a wrong value
>>> in certreq field?
>>>
>> Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
>> or loaded via ca sections in /etc/ipsec.conf are checked.
>>
>>
>>> 2. The third and fourth line said we're building our certreq field and
>>> sending it. My questions is how do strongswan choose cacert to send? I
>>> actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why do
>>> strongswan choose two of them? which kind of rule?
>>>
>> By default the SHA1 hashes of all CA certificates in
>> /etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
>> /etc/ipsec.conf are sent in the CERTREQ but if you define
>>
>> rightca = "<Subject Distinguished Name of CA>
>>
>> in the connection definition then only the given CA will be requested.
>>
>>
>>> 3. To confirm if strongswan are sending correct certreq, is there a
>>> way to calculate certreq field value by ourself? like an openssl
>>> command?
>>>
>> Use these commands:
>>
>>    openssl x509 -in cert.pem -outform der -out cert.der
>>
>>    hash=`sha1sum cert.der | awk '{ print $1 }'`
>>
>>>
>>> Thanks!
>>>
>>
>> Regards
>>
>> Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list