[strongSwan] CRL response with Strongswan 4

Fabrice Barconnière fabrice.barconniere at ac-dijon.fr
Mon Nov 26 16:00:21 CET 2012


Le 26/11/2012 15:00, Andreas Steffen a écrit :
> Hi Fabrice,
>
> does the Authority Key Identifier contained in the CRL
> equal the Subject Key Identifier of the CA certificate?
>
> This means: Is the signer of the CRL the same authority
> which signed the end-entity certificates?
>
> On 26.11.2012 13:29, Fabrice Barconnière wrote:
>>           CRL extensions:
>>               X509v3 Authority Key Identifier:
>>                   keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
> Regards
>
> Andreas
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
keyid in crl:
keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03

keyid of CA certificate (from a .dump extract):
INSERT INTO "certificates" VALUES(3,1,1,X'the CA certificate');
INSERT INTO "identities" VALUES(3111,11,X'7ABCB468F8B1A23244C9D0EBFD9E06C256012B03');
INSERT INTO "certificate_identity" VALUES(3,3111);
INSERT INTO "certificate_authorities" VALUES(39,3);
openssl x509 -in cacert.pem -text -noout returns:
.......
         X509v3 extensions:
             Netscape Cert Type:
                 SSL CA, S/MIME CA, Object Signing CA
             X509v3 Basic Constraints: critical
                 CA:TRUE
             X509v3 Subject Key Identifier:
                 7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
             X509v3 Key Usage: critical
                 Digital Signature, Certificate Sign, CRL Sign
             X509v3 Authority Key Identifier:
                 keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03
........

Note that there is no file in /etc/ipsec.d/crls/.
I don't know if it is a normal behaviour in database mode.

End entity certificate:
         Serial Number:
             dd:9e:07:6b:bd:26:2d:62:6f:fa:b0:0b:6f:fb:74:05
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: C=fr, O=gouv, CN=RACINE AGRIATES
         Validity
             Not Before: Mar 22 09:32:39 2010 GMT
             Not After : Mar 22 09:32:39 2015 GMT
         Subject: C=fr, O=gouv, OU=education, OU=ac-dijon, CN=0210066H-15
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (2048 bit)
                 Modulus (2048 bit):
                     00:a0:09:32:b4:88:5e:8e:af:70:0c:ec:d2:10:a3:
                     .................
                     95:d5:1d:f9:12:f6:11:2f:af:c5:06:56:c3:ad:80:
                     f4:17
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Key Usage: critical
                 Digital Signature, Non Repudiation, Key Encipherment
             Netscape Cert Type:
                 Object Signing
             X509v3 Authority Key Identifier:
                 keyid:7A:BC:B4:68:F8:B1:A2:32:44:C9:D0:EB:FD:9E:06:C2:56:01:2B:03

keyid is the same everywhere :-/

Regards,
Fabrice
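The check Andreas describes, as a self-contained example added here (not code from the thread, from strongSwan, or from Fabrice's setup): build a throwaway CA and a CRL it signs, then confirm that the CRL's Authority Key Identifier equals the CA's Subject Key Identifier and that the CA's key verifies the CRL signature. The CA name and all key material are constructed inside the program; nothing from the thread's certificates is used.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: every step below is expected to succeed.
func must(err error) { if err != nil { panic(err) } }

// makeTestCA builds a throwaway self-signed CA (constructed for this example); Go fills in its SKI from a hash of the key.
func makeTestCA(cn string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

// makeCRL issues a CRL signed by ca; its Authority Key Identifier is copied from ca.SubjectKeyId.
func makeCRL(ca *x509.Certificate, priv ed25519.PrivateKey) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, priv)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// checkCRL is the check from the thread: the CRL's AKI must equal the CA's SKI, and the CA's key must verify the CRL.
func checkCRL(crl *x509.RevocationList, ca *x509.Certificate) (keyIDsMatch bool, sigErr error) {
	return bytes.Equal(crl.AuthorityKeyId, ca.SubjectKeyId), crl.CheckSignatureFrom(ca)
}

func main() {
	ca, priv := makeTestCA("Issuing CA")
	fmt.Println(checkCRL(makeCRL(ca, priv), ca)) // prints: true <nil>
}
```

Run the same two checks against a CA that did not issue the CRL and both fail, which is the situation the thread is trying to rule out.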
