[strongSwan] strongswan how to check certreq and how to build certreq field

Jun Yin hansyin at gmail.com
Fri Nov 23 20:55:02 CET 2012 

Thank you very much! It works.

Writing note now......

On Thu, Nov 22, 2012 at 11:38 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi,
>
> sorry I confounded the CERTREQ hash which is computed over the
> public key info record with the HASH-and-URL hash which goes over
> the whole DER-encoded certificate.
>
> Use our ipsec pki command to extract the keyid from the CA Certificate:
>
> ipsec pki --print --in etc/ipsec.d/cacerts/strongswanCert.pem
> cert:      X509
> subject:  "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> issuer:   "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
> validity:  not before Sep 10 12:01:18 2004, ok
>            not after  Sep 07 12:01:18 2019, ok (expires in 2479 days)
> serial:    00
> flags:     CA CRLSign self-signed
> pathlen:   1
> authkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
> subjkeyId: 5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
> pubkey:    RSA 2048 bits
> keyid:     ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
> subjkey:   5d:a7:dd:70:06:51:32:7e:e7:b6:6d:b3:b5:e5:e0:60:ea:2e:4d:ef
>
> The value to use in the CERTREQ is keyid: ae:09:...:eb:bc
>
> Regards
>
> Andreas
>
>
> On 11/22/2012 02:21 AM, Jun Yin wrote:
>>
>> hi,
>>
>> Thanks you very much, you helped me a lot.
>>
>> now the problem 1&2 are resolved, I could specify which CA to be sent
>> in certreq now.
>> For question 3, still something wrong.
>>
>>  From my decrypted packet, I can see strongswan send out:
>>
>> Certificate Authority Data: 2b6d55461e944f4e1eb197fedaf1bbeba2011c90
>>
>>
>> I calculated the value by myself with your command:
>>
>> root at pc161:~# openssl x509 -in
>> /etc/ipsec.d/cacerts/cacert_hans_216_sub3_ca.pem -outform der -out
>> cert.der
>> root at pc161:~# hash=`sha1sum cert.der | awk '{ print $1 }'`
>> root at pc161:~# echo $hash
>> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1
>> root at pc161:~# sha1sum cert.der
>> 5cf9759c64f7fd5cd28b47a3d1ac7f2ef4ee76c1  cert.der
>>
>>
>> The value does not match!   I must did something wrong. Could you help
>> me to figure out?  I attached my cacert in this email.  Thanks again.
>>
>>
>>
>>
>> On Wed, Nov 21, 2012 at 12:09 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>>
>>> On 11/21/2012 08:47 PM, Jun Yin wrote:
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I know certreq should be filled by part of hash of certificate
>>>> authority, but I don't know an easy way to calculate it by myself.
>>>>
>>>>>  From my debug:
>>>>
>>>>
>>>>
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] local host is behind NAT,
>>>> sending keep alives
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] received 1 cert requests for an
>>>> unknown ca
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>>>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216,
>>>> E=hans_216 at stress.com"
>>>> Nov 20 18:09:15 pc161 charon: 16[IKE] sending cert request for "C=CA,
>>>> ST=bc, L=vancouver, O=fortinet, OU=qa, CN=hans_216_sub2,
>>>> E=hans_216_sub2 at stress.com"
>>>> Nov 20 18:09:16 pc161 charon: 16[IKE] authentication of 'C=CA, ST=bc,
>>>> L=vancouver, O=fortinet, OU=qa, CN=dut2_sub3_alt,
>>>> E=dut2_sub3 at stress.com' (myself) with RSA signature successful
>>>>
>>>>
>>>> 1. The second line said "requests for an unknown ca".     I don't know
>>>> why, I suppose I have all relevant cacert in directory
>>>> /etc/ipsec.d/cacert.  So, is that means my peer sending a wrong value
>>>> in certreq field?
>>>>
>>> Probably yes, since all CA certificates from /etc/ipsec.d/cacerts/
>>> or loaded via ca sections in /etc/ipsec.conf are checked.
>>>
>>>
>>>> 2. The third and fourth line said we're building our certreq field and
>>>> sending it. My questions is how do strongswan choose cacert to send? I
>>>> actually have 4 cacert in my directory /etc/ipsec.d/cacert. Why do
>>>> strongswan choose two of them? which kind of rule?
>>>>
>>> By default the SHA1 hashes of all CA certificates in
>>> /etc/ipsec.d/cacerts/ and optionally loaded via ca sections in
>>> /etc/ipsec.conf are sent in the CERTREQ but if you define
>>>
>>> rightca = "<Subject Distinguished Name of CA>
>>>
>>> in the connection definition then only the given CA will be requested.
>>>
>>>
>>>> 3. To confirm if strongswan are sending correct certreq, is there a
>>>> way to calculate certreq field value by ourself? like an openssl
>>>> command?
>>>>
>>> Use these commands:
>>>
>>>    openssl x509 -in cert.pem -outform der -out cert.der
>>>
>>>    hash=`sha1sum cert.der | awk '{ print $1 }'`
>>>
>>>>
>>>> Thanks!
>>>>
>>>
>>> Regards
>>>
>>> Andreas
>
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==



-- 
Rgds,

Hans Yin
Web:   http://sourceforge.net/projects/autotestnet/
Email:  hansyin at gmail.com
MSN:   hansyin at hotmail.com
Skype: hans_yin_vancouver

More information about the Users mailing list