[strongSwan] charon-nm (5.5.3): building CRED_PRIVATE_KEY - RSA failed, tried 10 builders

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Jun 6 21:44:51 CEST 2017


Hello Harald,

On 05.06.2017 12:51, Harald Dunkel wrote:
> Hi folks,
>
> charon-nm seems to reject a key, but its error message doesn't
> appear to be very useful:
>
> Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
> Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[CFG] received initiate for NetworkManager connection IKEv2
> Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[CFG] using CA certificate, gateway identity 'gate.example.com'
> Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders
>
> To make it work I could assign another passphrase to the key
>
> 	openssl rsa -in oldkey.pem -aes256 -out newkey.pem
>
> The question is, though, why the oldkey.pem didn't work? Was it
> encrypted using a deprecated cipher? Bad passphrase?

Bad passphrase, invalid key format, inaccessible file, Linux security module, ...
What are the logs above
"Jun 05 11:42:13 ppcl001 charon-nm[6609]: 05[LIB] building CRED_PRIVATE_KEY - RSA failed, tried 10 builders"?

> I have to make sure that the passphrase wasn't corrupted by the
> Network Manager integration. What would you suggest?

There's no random corruption caused by the code (we would have heard of it by now from more
people than just you). It could be bad memory or flipping bits on your HDD, too. Unless you can
work out the exact failure case, it's not possible to determine the exact cause.

Kind regards

Noel
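
Added example, not part of the original message and not strongSwan code: a Python sketch that separates three of the causes listed in the reply (inaccessible file, invalid key format, and which cipher a traditionally encrypted PEM key declares) by reading only the PEM envelope, without decrypting anything. The function names and the sample key are constructed for illustration.

```python
import re

# Constructed sample: envelope of a traditional OpenSSL encrypted RSA key.
# The base64 body is a placeholder, not real key material.
SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
"""

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def describe_pem_key(text):
    """Classify a PEM private key from its envelope, without decrypting it."""
    m = PEM_RE.search(text)
    if not m:
        return {"format": "not PEM (DER, PKCS#12 or damaged file?)"}
    label, body = m.group(1), m.group(2)
    info = {"label": label, "encrypted": False, "cipher": None}
    if label == "ENCRYPTED PRIVATE KEY":
        info.update(format="PKCS#8", encrypted=True)  # cipher sits inside the ASN.1
    elif label == "PRIVATE KEY":
        info["format"] = "PKCS#8"
    elif label.endswith(" PRIVATE KEY"):
        info["format"] = "traditional " + label.split()[0]
        # RFC 1421 style headers precede the base64 body (base64 has no ':')
        headers = dict(re.findall(r"^([A-Za-z-]+): *([^\r\n]+)", body, re.M))
        if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            info["encrypted"] = True
            info["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
    else:
        info["format"] = "PEM, but not a private key"
    return info

def describe_key_file(path):
    """Report an unreadable file as such instead of as a bad key."""
    try:
        with open(path, "r", errors="replace") as fh:
            return describe_pem_key(fh.read())
    except OSError as exc:
        return {"format": None, "error": f"{type(exc).__name__}: {exc.strerror}"}

if __name__ == "__main__":
    print(describe_pem_key(SAMPLE_LEGACY))
```

The file check runs with the caller's permissions, so it reflects what the daemon sees only when run under the same account and security-module context. A wrong passphrase cannot be detected this way; that still requires an actual decryption attempt.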
