Re: [strongSwan] strongswan pki command error
Hi Andreas,

> Did you activate or insert any debug statements writing to stdout
> either in the strongSwan or OpenSSL code?

Yes. It was my mistake, I added a debug message in OpenSSL rsa_gen.c in function RSA_generate_key_ex().

Now I removed the print statement, and command

    openssl rsa -inform der -in caKey.der -noout -text

was successful. But when I try to generate a self-signed certificate for RSA public key I am getting below errors.

    ipsec pki --self --in caKey.der --dn C=IN, O=strongSwan, CN=strongSwanCA caCert.der
    building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
    parsing private key failed

I have attached caKey.der. Please help.

Regards,
Anand

----- Original Message -----
From: Andreas Steffen andreas.stef...@strongswan.org
To: anand rao anandrao...@yahoo.co.in
Cc: users@lists.strongswan.org users@lists.strongswan.org
Sent: Friday, November 11, 2011 6:29 PM
Subject: Re: [strongSwan] strongswan pki command error

> Hmmm, very strange. The first couple of characters as ASCII Text are
>
>     od -t a caKey.der
>     000   r   s   a   -   >   m   e   t   h   -   >   r   s   a   _   k
>     020   e   y   g   e   n  nl
>
>     rsa->meth->rsa_keygen\n
>
> The ensuing characters are then the correct binary ASN.1 DER encoding of the private key
>
>     od -t x1 caKey.der
>     000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
>     020 65 79 67 65 6e 0a 30 82 05 a7 02 01 00 02 82 01
>     040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
>     060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
>     100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
>     120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
>     140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30
>
>     30 82 05 a7       # RSA Private key, length 1447 bytes
>        02 01          # Version: 0
>           00          #
>        02 82 01 01    # Modulus n, length 257 bytes
>           00 ee 75 ..
>
>     Size of caKey.der file                         1473 bytes.
>     Size of debug string                            -22 bytes
>     Size of ASN.1 sequence tag and length field      -4 bytes
>     --
>     Encoded RSA private key length                 1447 bytes
>
> I grepped our whole source code for rsa_keygen but there was no hit.
>
> Did you activate or insert any debug statements writing to stdout either in the strongSwan or OpenSSL code?
>
> Regards
>
> Andreas
Re: [strongSwan] strongswan pki command error
Hello Anand,

your private key is not well formed. The OpenSSL command

    openssl rsa -inform der -in caKey.der -noout -check
    RSA key error: dmp1 not congruent to d
    RSA key error: dmq1 not congruent to d

shows this. If I execute

    ipsec pki --gen caKey1.der

on my system, my key is ok. You somehow modified your openssl library so that it generates corrupt keys.

Regards

Andreas

On 11/14/2011 10:37 AM, anand rao wrote:
> Hi Andreas,
>
> > Did you activate or insert any debug statements writing to stdout
> > either in the strongSwan or OpenSSL code?
>
> Yes. It was my mistake, I added a debug message in OpenSSL rsa_gen.c in function RSA_generate_key_ex().
>
> Now I removed the print statement, and command
>
>     openssl rsa -inform der -in caKey.der -noout -text
>
> was successful. But when I try to generate a self-signed certificate for RSA public key I am getting below errors.
>
>     ipsec pki --self --in caKey.der --dn C=IN, O=strongSwan, CN=strongSwanCA caCert.der
>     building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>     parsing private key failed
>
> I have attached caKey.der. Please help.
>
> Regards,
> Anand
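The two `-check` errors quoted in the reply above mean that the stored CRT exponents do not match the private exponent. The relations involved, as an added Python example that is not part of the original thread and not OpenSSL's own code: the function name and the toy key are constructed for illustration, only the two `dmp1`/`dmq1` messages are taken from the output in the message, the other message strings are this example's own wording, and primality tests on p and q are left out.

```python
# Added example: consistency checks between the fields of an RSA private key.
from math import gcd


def check_rsa_private_key(n, e, d, p, q, dmp1, dmq1, iqmp):
    """Return a list of error strings; an empty list means the fields agree."""
    errors = []
    if p * q != n:
        errors.append("n does not equal p*q")
    # d must invert e modulo lcm(p-1, q-1)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (d * e) % lam != 1:
        errors.append("d*e not congruent to 1")
    # CRT exponents: dmp1 = d mod (p-1), dmq1 = d mod (q-1)
    if (dmp1 - d) % (p - 1) != 0:
        errors.append("dmp1 not congruent to d")
    if (dmq1 - d) % (q - 1) != 0:
        errors.append("dmq1 not congruent to d")
    # CRT coefficient: iqmp = q^-1 mod p
    if (iqmp * q) % p != 1:
        errors.append("iqmp not inverse of q")
    return errors


# Constructed toy key (far too small for real use): p=61, q=53, e=17, d=2753.
GOOD_KEY = dict(n=3233, e=17, d=2753, p=61, q=53, dmp1=53, dmq1=49, iqmp=38)
# Same key with both CRT exponents off by one, as a stand-in for a key
# written by a generator that produces inconsistent fields.
BAD_KEY = dict(GOOD_KEY, dmp1=54, dmq1=50)

if __name__ == "__main__":
    print("good key:", check_rsa_private_key(**GOOD_KEY))
    print("bad key: ", check_rsa_private_key(**BAD_KEY))
```

A key that parses as valid DER can still fail these checks, which is why `-text` succeeded on the regenerated file while `-check` and `ipsec pki --self` did not.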
Re: [strongSwan] strongswan pki command error
Hi Andreas,

when I execute

    openssl rsa -inform der -in caKey.der -noout -text

I am getting below errors.

    root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
    unable to load Private Key
    8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
    8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
    8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
    8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:

BR's
Anand

----- Original Message -----
From: Andreas Steffen andreas.stef...@strongswan.org
To: anand rao anandrao...@yahoo.co.in
Cc: users@lists.strongswan.org users@lists.strongswan.org
Sent: Thursday, November 10, 2011 7:28 PM
Subject: Re: [strongSwan] strongswan pki command error

> Hi Anand,
>
> If I execute the same commands then the ca cert generation works.
>
> - Verify if
>
>     openssl rsa -inform der -in caKey.der -noout -text
>
>   works
>
> Regards
>
> Andreas

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] strongswan pki command error
Could you send me that private key file?

Regards

Andreas

On 11/11/2011 12:00 PM, anand rao wrote:
> Hi Andreas,
>
> when I execute
>
>     openssl rsa -inform der -in caKey.der -noout -text
>
> I am getting below errors.
>
>     root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>     unable to load Private Key
>     8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>     8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>     8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>     8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>
> BR's
> Anand

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
Re: [strongSwan] strongswan pki command error
Hi Andreas,

Please find the caKey.der attached. It was unreadable using cat command.

Regards
Anand

----- Original Message -----
From: Andreas Steffen andreas.stef...@strongswan.org
To: anand rao anandrao...@yahoo.co.in
Cc: users@lists.strongswan.org users@lists.strongswan.org
Sent: Friday, November 11, 2011 5:39 PM
Subject: Re: [strongSwan] strongswan pki command error

> Could you send me that private key file?
>
> Regards
>
> Andreas

Attachment: caKey.der
Description: application/x509-ca-cert
Re: [strongSwan] strongswan pki command error
Hmmm, very strange. The first couple of characters as ASCII Text are

    od -t a caKey.der
    000   r   s   a   -   >   m   e   t   h   -   >   r   s   a   _   k
    020   e   y   g   e   n  nl

    rsa->meth->rsa_keygen\n

The ensuing characters are then the correct binary ASN.1 DER encoding of the private key

    od -t x1 caKey.der
    000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
    020 65 79 67 65 6e 0a 30 82 05 a7 02 01 00 02 82 01
    040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
    060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
    100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
    120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
    140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30

    30 82 05 a7       # RSA Private key, length 1447 bytes
       02 01          # Version: 0
          00          #
       02 82 01 01    # Modulus n, length 257 bytes
          00 ee 75 ..

    Size of caKey.der file                         1473 bytes.
    Size of debug string                            -22 bytes
    Size of ASN.1 sequence tag and length field      -4 bytes
    --
    Encoded RSA private key length                 1447 bytes

I grepped our whole source code for rsa_keygen but there was no hit.

Did you activate or insert any debug statements writing to stdout either in the strongSwan or OpenSSL code?

Regards

Andreas

On 11/11/2011 01:13 PM, anand rao wrote:
> Hi Andreas,
>
> Please find the caKey.der attached. It was unreadable using cat command.
>
> Regards
> Anand
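The manual `od` analysis in the message above (stray ASCII text, then a SEQUENCE header whose length accounts for the rest of the file) can be automated. This is an added Python example, not part of the original thread and not strongSwan or OpenSSL code; the function names are hypothetical, and the sample input is constructed to have the same sizes as reported in the message (22 + 4 + 1447 = 1473 bytes) without containing any key material.

```python
# Added example: find stray bytes written in front of a DER-encoded structure.
DEBUG_PREFIX = b"rsa->meth->rsa_keygen\n"   # the 22-byte string visible in the od output


def build_sample():
    """Constructed stand-in for caKey.der: same sizes as in the thread, no real key."""
    body = b"\x02\x01\x00" + b"\x04\x82\x05\xa0" + bytes(1440)   # INTEGER 0 + padding
    return DEBUG_PREFIX + b"\x30\x82\x05\xa7" + body             # SEQUENCE, 1447 bytes


def read_tlv_header(buf, off):
    """Return (tag, content_length, header_length) of the TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                          # short form: one length byte
        return tag, first, 2
    count = first & 0x7F                      # long form: next `count` bytes hold the length
    if count == 0 or count > 4 or off + 2 + count > len(buf):
        raise ValueError("unsupported or truncated length field")
    return tag, int.from_bytes(buf[off + 2:off + 2 + count], "big"), 2 + count


def find_der_start(buf, max_prefix=256):
    """Offset of the first SEQUENCE whose length runs exactly to end of file, or None."""
    for off in range(min(max_prefix, len(buf))):
        if buf[off] != 0x30:                  # 0x30 = SEQUENCE tag
            continue
        try:
            _, length, header = read_tlv_header(buf, off)
        except ValueError:
            continue
        if off + header + length == len(buf):
            return off
    return None


def diagnose(buf):
    """Summarise the file layout the way the size table in the message does."""
    off = find_der_start(buf)
    if off is None:
        return {"clean": False, "reason": "no SEQUENCE spanning to end of file"}
    _, length, header = read_tlv_header(buf, off)
    return {"clean": off == 0, "prefix": bytes(buf[:off]), "prefix_len": off,
            "header_len": header, "content_len": length, "total": len(buf)}


if __name__ == "__main__":
    print(diagnose(build_sample()))
```

Requiring the SEQUENCE length to end exactly at end of file keeps a stray `0x30` byte (ASCII `0`) inside the leading text from being mistaken for the start of the key.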
Re: [strongSwan] strongswan pki command error
Hi Anand,

If I execute the same commands then the ca cert generation works.

- Verify if

      openssl rsa -inform der -in caKey.der -noout -text

  works

Regards

Andreas

On 10.11.2011 14:49, anand rao wrote:
> Hi,
>
> I am using strongswan 4.3.6.
>
> I have tried to generate certificates using strongswan PKI gen tool to generate RSA certificate. I am getting below errors.
>
>     root@evm1gw:/etc/cert# ipsec pki --gen caKey.der
>     root@evm1gw:/etc/cert#
>     root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn C=IN,O=strongSwan, CN=strongSwan CA --ca caCert.der
>     file coded in unknown format, discarded
>     building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>     parsing private key failed
>
> I have used the default load so all the plugins are loaded.
>
> Please help.
>
> Thanks,
> Anand

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature