[strongSwan] Unable to load the private key without openssl plugin
Kiran Joshi
kiran.joshi38 at yahoo.com
Wed Jan 23 22:19:21 CET 2013
Hi Martin,
Thanks for your quick feedback.
That is correct, tunnel is successfully established for the key with the enabled openssl plugin + workaround patch file.
But unable to load the key with enabled gmp plugin + disabled openssl plugin and no patch file for the gmp.
As requested, here's the charon log output of debugging the gmp check() api for
the entity server certificate/private key which is created with the openssl -engine cryptodev (OCF + h/w driver) option.
Note: FYI, this same cert/key which was created by the openssl + ocf + h/w cryptodev driver works fine for our SIP TLS
application but not able to make it work for IPsec public key authentication.
I had to bypass the RSA_check_key() with strongswan enabled openssl plugin to make it work for IPsec.
00[ASN] -----BEGIN RSA PRIVATE KEY-----
00[ASN] -----END RSA PRIVATE KEY-----
00[ASN] L0 - RSAPrivateKey:
00[ASN] L1 - version:
00[ASN] => 1 bytes @ 0x2430e
00[ASN] 0: 00 .
00[ASN] L1 - modulus:
00[ASN] => 257 bytes @ 0x24313
00[ASN] 0: 00 DE 3D 88 D7 D1 CE 68 53 D9 6A 21 27 CC FE 24 ..=....hS.j!'..$
00[ASN] 16: 69 57 7B 51 1F 85 B5 37 DE 05 C6 88 88 7D D8 78 iW{Q...7.....}.x
00[ASN] 32: 29 76 08 76 DE AB 77 D6 0E 79 FD E2 D6 06 9E 70 )v.v..w..y.....p
00[ASN] 48: A5 C9 1D 6D AB 73 12 FD 9F 9E C2 BB 89 83 42 4D ...m.s........BM
00[ASN] 64: B1 10 49 8B 9C A1 85 C4 2C 39 DC 1C FB 45 48 C9 ..I.....,9...EH.
00[ASN] 80: 62 28 00 5F C6 4C C4 C4 3C D4 6A 4C FD D1 03 18 b(._.L..<.jL....
00[ASN] 96: B7 72 4A EB 31 95 5F 81 B8 D5 F5 1D 63 AA 2D 84 .rJ.1._.....c.-.
00[ASN] 112: EF E4 2A 07 A4 EC 3A 44 77 2D 59 7D C6 4D 59 CC ..*...:Dw-Y}.MY.
00[ASN] 128: 96 2D 10 97 14 2D F7 5D 6D 13 47 FB 11 CF 4B DC .-...-.]m.G...K.
00[ASN] 144: BF B8 5A D4 DD 78 E2 47 3D B0 B2 16 25 B1 FC 0C ..Z..x.G=...%...
00[ASN] 160: D4 E8 BD 71 79 CB 9F 97 59 02 78 48 5C 79 D9 83 ...qy...Y.xH\y..
00[ASN] 176: 1A AC 79 16 1C EE F0 BF 09 1A 6D 84 4C DE 76 62 ..y.......m.L.vb
00[ASN] 192: 78 CB 5C 24 BE FE 11 72 E6 1C 74 7A F9 67 6E 6D x.\$...r..tz.gnm
00[ASN] 208: 3D 10 FB 1B 5F B4 19 F3 CD A5 D7 FA 6F D8 D2 EC =..._.......o...
00[ASN] 224: B0 44 41 AA 9C 29 E6 25 50 9A E4 00 AE 05 87 E8 .DA..).%P.......
00[ASN] 240: 1B 81 4A 1C 02 99 8E CD A6 FD 78 2E 9B 83 8B BA ..J.......x.....
00[ASN] 256: 25
00[ASN] L1 - publicExponent:
00[ASN] => 3 bytes @ 0x24416
00[ASN] 0: 01 00 01 ...
00[ASN] L1 - privateExponent:
00[ASN] => 257 bytes @ 0x2441d
00[ASN] 0: 00 D7 A0 B6 BC 47 F9 CF E9 C3 22 21 07 3F F3 39 .....G...."!.?.9
00[ASN] 16: 9A E7 E1 63 65 85 52 BD E0 F2 93 9D 77 69 3A F5 ...ce.R.....wi:.
00[ASN] 32: E3 AC 7D 2B F0 82 47 E4 6D E9 59 37 94 D7 99 34 ..}+..G.m.Y7...4
00[ASN] 48: CC F6 24 52 7B 2E 4C B7 BD FE C9 0C 32 B1 23 4C ..$R{.L.....2.#L
00[ASN] 64: C4 46 7C 45 34 74 D7 97 EE 1D 39 7E F9 21 51 2C .F|E4t....9~.!Q,
00[ASN] 80: EB CA CA 0A 23 19 EB 34 47 9D 05 82 AC 25 F6 AE ....#..4G....%..
00[ASN] 96: 2D 97 7C 2F 54 CD 8C 7C 0D BD B2 74 90 75 D6 72 -.|/T..|...t.u.r
00[ASN] 112: 8C 5B 41 98 67 21 38 AB A3 42 61 F9 11 C5 8D 22 .[A.g!8..Ba...."
00[ASN] 128: 5C A8 1B 41 98 6F 9A AD 34 09 05 D1 55 C7 CE B9 \..A.o..4...U...
00[ASN] 144: 14 5D 7D 5E 5C 78 E7 51 5F C0 70 90 A2 18 10 63 .]}^\x.Q_.p....c
00[ASN] 160: 01 D2 64 CA D2 9A 84 28 2D 52 BB 4F 0B 04 4C 88 ..d....(-R.O..L.
00[ASN] 176: 6E 96 46 52 75 3B B1 79 19 13 97 1B BA 79 AF 07 n.FRu;.y.....y..
00[ASN] 192: 6F 67 1F 86 40 3F BE E7 2A E1 B0 C4 E8 2F 6A 65 og..@?..*..../je
00[ASN] 208: 01 7D 58 43 21 01 99 09 E2 81 0F AC EE FD 2E 40 .}XC!..........@
00[ASN] 224: D8 27 25 B0 66 A6 5E B7 EA 8C 96 A7 A6 C9 53 52 .'%.f.^.......SR
00[ASN] 240: 2B 31 C5 E1 B2 94 E2 3D 42 36 63 6E BE 40 61 2C +1.....=B6cn. at a,
00[ASN] 256: C1
00[ASN] L1 - prime1:
00[ASN] => 129 bytes @ 0x24521
00[ASN] 0: 00 F8 B2 74 9A D2 8D 08 5A 97 F9 17 1D 4C 0B 0F ...t....Z....L..
00[ASN] 16: F6 48 C3 FF 10 F9 1C 98 EB FC 0E 55 D7 2C D9 0F .H.........U.,..
00[ASN] 32: 92 E6 54 4E 1F 28 2E DD 05 92 F3 2E 80 FB 3A 20 ..TN.(........:
00[ASN] 48: 9B BC 8F 1E 15 C7 CC 6D 2C 58 AD 4F 12 00 50 63 .......m,X.O..Pc
00[ASN] 64: 7D F7 02 BF DC 8B CF 3F 44 AC AA 5B FC 49 41 A0 }......?D..[.IA.
00[ASN] 80: 78 F0 71 AF 17 B5 F6 F3 5E 3D F2 03 F7 50 B4 C3 x.q.....^=...P..
00[ASN] 96: 17 2D 43 B9 67 0B 50 2F 35 DC A5 48 69 49 41 C3 .-C.g.P/5..HiIA.
00[ASN] 112: 59 81 EB 18 90 FF 33 92 EF A4 FA 48 92 46 B9 DF Y.....3....H.F..
00[ASN] 128: D1 .
00[ASN] L1 - prime2:
00[ASN] => 129 bytes @ 0x245a5
00[ASN] 0: 00 E4 C4 31 C8 35 89 DA 3C 96 A7 39 19 21 E8 2C ...1.5..<..9.!.,
00[ASN] 16: 27 67 6C F3 0F 6F 19 F8 C5 76 1B 5A CF 21 97 A6 'gl..o...v.Z.!..
00[ASN] 32: 5B 31 BF ED E7 4F 10 97 BA 8E B4 E7 02 09 B8 D6 [1...O..........
00[ASN] 48: 8C 5B 60 32 65 FC FF C4 CC 3E 57 92 48 BB 49 11 .[`2e....>W.H.I.
00[ASN] 64: E3 5A 0C 5A FE 5E DB 56 96 CC F4 C6 1E 93 95 13 .Z.Z.^.V........
00[ASN] 80: 38 A3 36 8B D8 04 EC A2 07 1C F1 1E 68 EF 42 28 8.6.........h.B(
00[ASN] 96: 9F 40 ED 5D 73 E1 A3 96 90 17 23 48 22 97 58 E7 . at .]s.....#H".X.
00[ASN] 112: 14 EC C7 63 9D 50 90 9D 00 29 35 44 F5 38 4B FE ...c.P...)5D.8K.
00[ASN] 128: 15 .
00[ASN] L1 - exponent1:
00[ASN] => 256 bytes @ 0x2462a
00[ASN] 0: 1E B8 CA 6B 32 03 AE D7 6F 14 89 BE 31 2C 9F 69 ...k2...o...1,.i
00[ASN] 16: 68 29 74 81 9A 7B 4F 37 C4 9C 7E 28 77 C2 80 1C h)t..{O7..~(w...
00[ASN] 32: E7 52 E5 9B 05 F5 C9 1E C4 7F 98 28 3F E0 8F 21 .R.........(?..!
00[ASN] 48: B6 8B 0D 98 EE 01 C9 7B 95 7B BE 36 25 7E 6B 0A .......{.{.6%~k.
00[ASN] 64: B8 83 6D 6D CC 0C A8 D8 E8 91 08 44 FD 91 CD 81 ..mm.......D....
00[ASN] 80: 7A 13 36 86 FE AF 10 F5 0A 0B 32 30 9D 04 5E 29 z.6.......20..^)
00[ASN] 96: 85 97 ED 06 40 5E AF 6F C8 22 F6 2B 75 58 5E 7D mailto:....@%5E.o.%22.+uX^}
00[ASN] 112: 49 0D CD 88 17 42 5A E4 77 E3 52 C8 E4 73 0F 85 I....BZ.w.R..s..
00[ASN] 128: 0E FB 64 47 8C A3 A8 F0 A8 83 B0 55 CD 69 B5 CA ..dG.......U.i..
00[ASN] 144: 31 80 CA C2 45 C6 22 14 B2 73 E0 28 B7 E5 93 9A 1...E."..s.(....
00[ASN] 160: 5B 21 F5 AE BE B9 6C 32 DF 3B 66 4F 31 59 84 EA [!....l2.;fO1Y..
00[ASN] 176: C8 F4 40 6F DF 1F 3D 13 D8 99 88 E1 C6 7B 67 2C mailto:.. at o..=......%7Bg,
00[ASN] 192: 04 E4 2F 1A 2C 28 14 D9 14 4B 87 14 C0 37 33 57 ../.,(...K...73W
00[ASN] 208: E6 30 37 6E 2F C3 D3 55 06 56 70 52 AF D1 BB 2C .07n/..U.VpR...,
00[ASN] 224: 3A C0 88 B3 E6 21 BF B1 10 7B 0E 04 8C EB 4F E4 :....!...{....O.
00[ASN] 240: DF 67 3C BD 39 AD B1 47 30 E0 57 C5 30 76 C1 10 .g<.9..G0.W.0v.
00[ASN] L1 - exponent2:
00[ASN] => 257 bytes @ 0x2472e
00[ASN] 0: 00 B8 CA 96 97 99 35 8C 06 AF 52 BC DA 63 59 04 ......5...R..cY.
00[ASN] 16: 97 05 D9 65 55 57 C5 21 18 00 3A B3 03 E4 3E CE ...eUW.!..:...>.
00[ASN] 32: 3E CF 9A C0 AC 4F A9 C8 E2 59 58 6B A4 0D 75 BA >....O...YXk..u.
00[ASN] 48: 36 9B 92 57 B6 17 49 7F 7B 54 44 C9 36 0E 7B D6 6..W..I.{TD.6.{.
00[ASN] 64: F5 F0 42 FA 3A 7B 93 03 32 72 F8 2C BC 9F E1 1F ..B.:{..2r.,....
00[ASN] 80: FA 4D 86 A7 CB 70 62 2B 2A 46 98 DD 0B C1 E3 02 .M...pb+*F......
00[ASN] 96: 8F F8 8A 62 96 3C 77 FD 78 74 FF B2 19 2B 7E 35 ...b.<w.xt...+~5
00[ASN] 112: BE BA 00 79 7A 9B EF F1 78 2A FC FF 03 47 31 19 ...yz...x*...G1.
00[ASN] 128: EE 18 F3 6F B3 E2 B0 DE B9 1E 17 52 E1 1D AD FD ...o.......R....
00[ASN] 144: 5A FB 54 22 26 AB 48 D3 CD 95 F7 48 7E F0 B3 09 Z.T"&.H....H~...
00[ASN] 160: EC C7 B8 12 F3 44 90 BB 17 52 3C BF 67 5F 8D 3E .....D...R<.g_.>
00[ASN] 176: 5C 29 D9 48 86 B4 4B 7D 5B 34 52 03 99 24 55 8C \).H..K}[4R..$U.
00[ASN] 192: AD B0 EF BB 7F 04 39 2A 33 0C A0 F3 EC 5F 4E 66 ......9*3...._Nf
00[ASN] 208: 04 C5 0E 39 37 8B F9 34 87 93 0B 66 B8 4E 9F 8B ...97..4...f.N..
00[ASN] 224: 14 D0 E6 DB 04 95 A6 5C FC 3E 0D EA 20 28 F1 CA .......\.>.. (..
00[ASN] 240: D4 27 76 06 1B E5 78 5F 37 B3 26 C1 95 3A 7E 5E .'v...x_7.&..:~^
00[ASN] 256: A7
00[ASN] L1 - coefficient:
00[ASN] => 128 bytes @ 0x24832
00[ASN] 0: 5C 1F EB 7F 73 E0 31 7F 94 52 F2 06 B2 46 0C 10 \...s.1..R...F..
00[ASN] 16: 14 C6 2F 7F 60 75 44 79 0B 07 E7 AF E6 22 E6 EB ../.`uDy....."..
00[ASN] 32: 8E 27 B1 E8 B9 3C 80 2F AB A4 1D B7 8D AA 16 E8 .'...<./........
00[ASN] 48: E7 78 AD 13 CA 16 6D F4 52 A5 81 B9 BB 4A 8E 8D .x....m.R....J..
00[ASN] 64: 87 16 88 D4 5E D3 3A F3 14 4D 0D 79 DD AC EA 2A ....^.:..M.y...*
00[ASN] 80: 0A 8E C9 FC F8 32 A0 7A AD A8 35 B0 D4 A1 1F 95 .....2.z..5.....
00[ASN] 96: 57 99 B5 6A 17 62 85 A0 F9 3A A1 96 95 34 13 DF W..j.b...:...4..
00[ASN] 112: 69 78 D1 95 EB 9E 80 D5 25 EC 24 2F B3 24 22 00 ix......%.$/.$".
00[LIB] key integrity tests failed: chect that exp1(150380) is d(150368) mod (p(150344)-1), t=-1097449556
00[LIB] key integrity tests failed: checkt that exp2(150392) is d(150368) mod (q(150356)-1), t=-1097449556
00[LIB] key integrity tests failed
Kiran
________________________________
From: Martin Willi <martin at strongswan.org>
To: Kiran Joshi <kiran.joshi38 at yahoo.com>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Wednesday, January 23, 2013 1:59 AM
Subject: Re: [strongSwan] Unable to load the private key without openssl plugin
Hi,
> 1) List of loaded plugins without the openssl for the failed test case.
> 00[LIB] key integrity tests failed
> 00[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> When openssl plugin was enabled, we created a patch file as workaround
> to bypass the RSA_check_key.
If I understand correctly, you had to patch the openssl plugin to get it
working with your key, and an unpatched gmp plugin is unable to load the
key, right?
> it is safe for to bypass the integrity check in gmp plugin as another
> workaround?
I don't think so. These checks are there for good reason and check the
sanity (and safety) of the RSA key. You can add some debug statements to
[1] to see why exactly the key is considered invalid.
I don't recommend to remove the check, but instead track down why the
check fails and why your key is invalid (and potentially unsafe).
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c;hb=HEAD#l525
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130123/5b3d80b8/attachment.html>
More information about the Users
mailing list