[strongSwan] Loading certificate fails

Andreas Steffen andreas.steffen at strongswan.org
Tue Jun 5 15:39:21 CEST 2018


Oops, wasn't aware that my pki setup was using the openssl plugin even
though I was loading the x509 plugin in front of the openssl plugin.

Returning to the actual question whether "organisationName" with
OID 2.5.4.10 is an "otherName" type we should support. Since the
value type is encoded explicitly we could handle any otherName
type we have a known OID for.

Regards

Andreas

On 05.06.2018 14:38, Tobias Brunner wrote:
> Hi Andreas,
>
>> L6 - generalNames:
>> L7 - generalName:
>> L8 - otherName:
>> => 80 bytes @ 0xd78923
>>      0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
>>     16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
>>     32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
>>     48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
>>     64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
>> L9 - type-id:
>>     'O'
>> L9 - value:
>> => 73 bytes @ 0xd7892a
>>      0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
>>     16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
>>     32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
>>     48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
>>     64: 6B 61 72 74 65 20 6D 62 48                       karte mbH
>>
>> which is just being ignored.
>
> It actually isn't.  pki --print only successfully parses the certificate
> if the openssl plugin is loaded, otherwise it fails right after the
> output you posted above.  The x509 plugin isn't happy about the unparsed
> generalName (while parse_otherName() returns TRUE, no id_type or
> encoding is returned, so parse_generalName() eventually returns NULL,
> which causes x509_parse_generalNames() to fail).
>
> Regards,
> Tobias
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
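
The otherName layout discussed in this thread, as an added example that is not part of the original messages or of strongSwan's code: a minimal Python DER walk over the 80 bytes from the quoted dump, reading the type-id OID, unwrapping the [0] EXPLICIT value and decoding it by its inner tag. The names `KNOWN_OIDS`, `STRING_TAGS`, `read_tlv`, `decode_oid` and `parse_other_name` are hypothetical.

```python
KNOWN_OIDS = {"2.5.4.10": "O"}  # illustrative table (assumption, not strongSwan's)
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5
# Constructed from the 80-byte otherName hex dump quoted in the thread.
OTHER_NAME = bytes.fromhex("06 03 55 04 0A A0 49 0C 47") + \
    "gematik Gesellschaft f\u00fcr Telematikanwendungen der Gesundheitskarte mbH".encode("utf-8")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OID content octets (base-128 arcs) into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_other_name(buf):
    """Return (oid, known_name_or_None, text_or_None) for an otherName body."""
    tag, oid_body, pos = read_tlv(buf)
    if tag != 0x06:
        raise ValueError("type-id is not an OBJECT IDENTIFIER")
    tag, wrapped, end = read_tlv(buf, pos)
    if tag != 0xA0 or end != len(buf):
        raise ValueError("expected exactly one [0] EXPLICIT value")
    inner_tag, inner, inner_end = read_tlv(wrapped)
    if inner_end != len(wrapped):
        raise ValueError("trailing bytes inside [0]")
    oid = decode_oid(oid_body)
    enc = STRING_TAGS.get(inner_tag)  # the explicit inner tag names the value type
    return oid, KNOWN_OIDS.get(oid), inner.decode(enc) if enc else None
```

An OID missing from the table still parses and comes back with `None` as its name, so a caller can skip that one generalName without rejecting the whole certificate.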
