Re: [strongSwan] Loading certificate fails
Oops, wasn't aware that my pki setup was using the openssl plugin even
though I was loading the x509 plugin in front of the openssl plugin.

Returning to the actual question whether "organisationName" with OID
2.5.4.10 is an "otherName" type we should support. Since the value type
is encoded explicitly we could handle any otherName type we have a known
OID for.

Regards

Andreas

On 05.06.2018 14:38, Tobias Brunner wrote:
> Hi Andreas,
>
>> L6 - generalNames:
>> L7 - generalName:
>> L8 - otherName:
>> => 80 bytes @ 0xd78923
>>    0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
>>   16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
>>   32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
>>   48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
>>   64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
>> L9 - type-id:
>>    'O'
>> L9 - value:
>> => 73 bytes @ 0xd7892a
>>    0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
>>   16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
>>   32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
>>   48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
>>   64: 6B 61 72 74 65 20 6D 62 48                       karte mbH
>>
>> which is just being ignored.
>
> It actually isn't. pki --print only successfully parses the
> certificate if the openssl plugin is loaded, otherwise it fails right
> after the output you posted above. The x509 plugin isn't happy about
> the unparsed generalName (while parse_otherName() returns TRUE, no
> id_type or encoding is returned, so parse_generalName() eventually
> returns NULL, which causes x509_parse_generalNames() to fail).
>
> Regards,
> Tobias

--
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
Re: [strongSwan] Loading certificate fails
Hi Andreas,

> L6 - generalNames:
> L7 - generalName:
> L8 - otherName:
> => 80 bytes @ 0xd78923
>    0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
>   16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
>   32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
>   48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
>   64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
> L9 - type-id:
>    'O'
> L9 - value:
> => 73 bytes @ 0xd7892a
>    0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
>   16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
>   32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
>   48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
>   64: 6B 61 72 74 65 20 6D 62 48                       karte mbH
>
> which is just being ignored.

It actually isn't. pki --print only successfully parses the certificate
if the openssl plugin is loaded, otherwise it fails right after the
output you posted above. The x509 plugin isn't happy about the unparsed
generalName (while parse_otherName() returns TRUE, no id_type or
encoding is returned, so parse_generalName() eventually returns NULL,
which causes x509_parse_generalNames() to fail).

Regards,
Tobias
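The two points made in this thread, that an otherName with an unrecognised type-id makes strongSwan's x509 plugin fail the whole certificate (parse_generalName() returning NULL, as Tobias describes), and that the [0] EXPLICIT wrapper lets any otherName value be decoded regardless of OID (as Andreas notes), as an added example in Python. This is not strongSwan code but a stand-alone GeneralNames parser written for this thread: it decodes the value generically, flags an unknown type-id instead of aborting, and still rejects structurally broken encodings. Sample 1 is the real subjectAltName of Mike's certificate (the 80-byte otherName dump Andreas posted plus its SEQUENCE/[0] header from the PEM); samples 2 and 3 are constructed, and the OIDs under 1.3.6.1.4.1.99999 and the name vpn.example.org are hypothetical.

```python
"""Tolerant parser for X.509 GeneralNames (RFC 5280, 4.2.1.6). Added example, not strongSwan code."""
from dataclasses import dataclass

GN_OTHER_NAME, GN_RFC822, GN_DNS, GN_URI = 0, 1, 2, 6                # GeneralName CHOICE tag numbers
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}       # UTF8String, PrintableString, IA5String
# type-ids this parser attaches a meaning to; 2.5.4.10 is the X.520 organizationName attribute type
# that the thread's certificate reuses as an otherName type-id, the second is the Microsoft UPN.
KNOWN_OTHER_NAMES = {"2.5.4.10": "organizationName", "1.3.6.1.4.1.311.20.2.3": "msUPN"}


@dataclass
class GeneralName:
    kind: str           # "dNSName", "otherName", ...
    value: object       # str for text names, (oid, value) for otherName, raw bytes otherwise
    known: bool = True  # False for an otherName whose type-id is not in KNOWN_OTHER_NAMES

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, class, number, constructed, content, end)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated DER header or unsupported multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER content exceeds buffer")
    return tag, tag >> 6, tag & 0x1F, bool(tag & 0x20), buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    first, value = content[0], 0
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    for b in content[1:]:                      # base-128 arcs, high bit set = more bytes follow
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_other_name(content: bytes) -> GeneralName:
    """OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY DEFINED BY type-id }."""
    tag, _, _, _, oid_bytes, pos = read_tlv(content)
    if tag != 0x06:
        raise ValueError("otherName: type-id must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    tag, cls, num, constructed, wrapped, pos = read_tlv(content, pos)
    if cls != 2 or num != 0 or not constructed or pos != len(content):
        raise ValueError("otherName: value must be exactly one [0] EXPLICIT element")
    # EXPLICIT tagging keeps the inner value's own tag, so it can be decoded without knowing the OID.
    inner_tag, _, _, _, inner, inner_end = read_tlv(wrapped)
    if inner_end != len(wrapped):
        raise ValueError("otherName: trailing bytes after value")
    codec = STRING_CODECS.get(inner_tag)
    return GeneralName("otherName", (oid, inner.decode(codec) if codec else bytes(inner)),
                       known=oid in KNOWN_OTHER_NAMES)   # unknown type-id: flagged, not fatal

def parse_general_names(der_bytes: bytes) -> list:
    """GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName. Raises ValueError on malformed DER."""
    tag, _, _, _, seq, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("GeneralNames: expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, cls, num, _, content, pos = read_tlv(seq, pos)
        if cls != 2:
            raise ValueError(f"GeneralName: unexpected tag 0x{tag:02x}")
        if num == GN_OTHER_NAME:
            names.append(parse_other_name(content))
        elif num in (GN_RFC822, GN_DNS, GN_URI):
            kind = {GN_RFC822: "rfc822Name", GN_DNS: "dNSName", GN_URI: "uniformResourceIdentifier"}[num]
            names.append(GeneralName(kind, content.decode("ascii")))
        else:                                  # iPAddress, directoryName, ...: keep the raw bytes
            names.append(GeneralName(f"[{num}]", bytes(content), known=False))
    return names

def is_well_formed(der_bytes: bytes) -> bool:
    try:                                       # False only for structural errors, not unknown names
        return bool(parse_general_names(der_bytes))
    except ValueError:
        return False

def der(tag: int, content: bytes) -> bytes:    # tiny DER encoder (<= 255 bytes) for the samples below
    return bytes([tag, len(content)] if len(content) < 0x80 else [tag, 0x81, len(content)]) + content

# Sample 1: the subjectAltName of the certificate in this thread. The 80-byte otherName is the dump
# Andreas posted; "30 52 A0 50" is the GeneralNames SEQUENCE and [0] header before it in Mike's PEM.
THREAD_SAN = bytes.fromhex(
    "3052a050" "060355040aa0490c4767656d6174696b" "20476573656c6c7363686166742066c3"
    "bc722054656c656d6174696b616e7765" "6e64756e67656e206465722047657375" "6e6468656974736b61727465206d6248")
# Sample 2: constructed, not from the thread: a dNSName plus two otherNames under a hypothetical
# private OID arc (1.3.6.1.4.1.99999.*), one UTF8String and one OCTET STRING; neither OID is known.
MIXED_SAN = der(0x30, der(0x82, b"vpn.example.org")
                + der(0xA0, der(0x06, bytes.fromhex("2b06010401868d1f01")) + der(0xA0, der(0x0C, b"Konnektor")))
                + der(0xA0, der(0x06, bytes.fromhex("2b06010401868d1f02")) + der(0xA0, der(0x04, b"\x01\x02"))))
# Sample 3: constructed and malformed: the value lacks its [0] EXPLICIT wrapper and must be rejected.
BAD_SAN = der(0x30, der(0xA0, der(0x06, bytes.fromhex("55040a")) + der(0x0C, b"x")))
```

Call parse_general_names() on one of the samples, or is_well_formed() for a yes/no answer. The thread's SAN yields a single otherName whose value decodes to the UTF8String "gematik Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH"; the constructed SAN parses completely even though neither private OID is known (the entries simply carry known=False), while the one without the [0] wrapper and a truncated buffer are rejected. That split, tolerate names you cannot interpret but refuse malformed encodings, is what a credential loader wants, and it is the opposite of the failure Mike hit, where an unknown name took the whole certificate down.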
Re: [strongSwan] Loading certificate fails
Hi Mike,

with strongSwan 5.7.0dr, pki --print returns the following information:

  subject:  "C=DE, ST=Berlin, L=Berlin, O=gematik GmbH TEST-ONLY - NOT-VALID, CN=80276883130047021254-20170828, postalCode=10117, STREET=Friedrichstra??e 136"
  issuer:   "C=DE, O=gematik GmbH NOT-VALID, OU=Komponenten-CA der Telematikinfrastruktur, CN=GEM.KOMP-CA27 TEST-ONLY"
  validity:  not before Aug 28 14:23:52 2017, ok
             not after  Aug 27 14:23:51 2022, ok (expires in 1544 days)
  serial:    49
  flags:     serverAuth clientAuth
  OCSP URIs: http://ocsp-testref.komp-ca.telematik-test/ocsp
  authkeyId: 7d:6d:64:43:c5:89:f0:04:a7:62:d9:00:6a:eb:64:cc:5e:ed:77:74
  subjkeyId: b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72
  pubkey:    RSA 2048 bits
  keyid:     ef:5d:7e:46:2c:56:c9:87:33:70:f4:ba:8f:b1:ad:74:54:00:5e:a1
  subjkey:   b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72

There is an otherName defined in the subjectAltName extension of
type-id "organisation"

  L6 - generalNames:
  L7 - generalName:
  L8 - otherName:
  => 80 bytes @ 0xd78923
     0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
    16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
    32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
    48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
    64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
  L9 - type-id:
     'O'
  L9 - value:
  => 73 bytes @ 0xd7892a
     0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
    16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
    32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
    48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
    64: 6B 61 72 74 65 20 6D 62 48                       karte mbH

which is just being ignored.

Best regards

Andreas

On 05.06.2018 11:49, Ettrich, Mike, NMU-DSJ wrote:
[strongSwan] Loading certificate fails
Hi!

Because the strongswan log doesn't tell a lot about the reasons I have
to call for help solving the problem "building CRED_CERTIFICATE - ANY
failed, tried 1 builders". We do use a symlink to the certificate but it
seems to be a structural problem. We have problems loading the
certificate (80276883130047021254.cert.pem):

-----BEGIN CERTIFICATE-----
MIIFNDCCBBygAwIBAgIBSTANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCREUx
HzAdBgNVBAoMFmdlbWF0aWsgR21iSCBOT1QtVkFMSUQxMjAwBgNVBAsMKUtvbXBv
bmVudGVuLUNBIGRlciBUZWxlbWF0aWtpbmZyYXN0cnVrdHVyMSAwHgYDVQQDDBdH
RU0uS09NUC1DQTI3IFRFU1QtT05MWTAeFw0xNzA4MjgxMjIzNTJaFw0yMjA4Mjcx
MjIzNTFaMIGzMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQH
DAZCZXJsaW4xKzApBgNVBAoMImdlbWF0aWsgR21iSCBURVNULU9OTFkgLSBOT1Qt
VkFMSUQxJjAkBgNVBAMMHTgwMjc2ODgzMTMwMDQ3MDIxMjU0LTIwMTcwODI4MQ4w
DAYDVQQRDAUxMDExNzEdMBsGA1UECQwURnJpZWRyaWNoc3RyYcOfZSAxMzYwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCehPry2MyAIkDwS3+DYdTQbCr0
FM1W5OqceoP2jK14yFk9iDFOeE0kVld+U3QZyxhVlRX+D4BcRih9tiHt+Smunlln
wglltDWLmt1huPZ38cLPRMYk5enZ+OMpj3YgqIUPNne8dYIYld7s4e5+w5xQ0akM
2houp3JK7uxjRRs40nYVo2QdaC+PkfcdBPHaJR9hk26/fD0UO5sLR2lLdRnCuXqh
n1JsjcAbyw2Uwd5Uh3eSuklg+fWGpU/AsbqMSY6+LoI7Oaepiu5FAFumaRtC4owX
rbNcf3YLy4l2c62Ay/QE00nB0Pv0ZVKS8OasmuTT3ArJiERljwAsfDd/WI1PAgMB
AAGjggF+MIIBejAdBgNVHQ4EFgQUuN/vh46nGxNmkCqfgQBGlpaTcHIwHwYDVR0j
BBgwFoAUfW1kQ8WJ8ASnYtkAautkzF7td3QwSwYIKwYBBQUHAQEEPzA9MDsGCCsG
AQUFBzABhi9odHRwOi8vb2NzcC10ZXN0cmVmLmtvbXAtY2EudGVsZW1hdGlrLXRl
c3Qvb2NzcDAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwIAYDVR0gBBkwFzAKBggqghQATASBIzAJBgcq
ghQATARQMFsGA1UdEQRUMFKgUAYDVQQKoEkMR2dlbWF0aWsgR2VzZWxsc2NoYWZ0
IGbDvHIgVGVsZW1hdGlrYW53ZW5kdW5nZW4gZGVyIEdlc3VuZGhlaXRza2FydGUg
bWJIMC8GBSskCAMDBCYwJDAiMCAwHjAcMA8MDU5ldHprb25uZWt0b3IwCQYHKoIU
AEwEaDANBgkqhkiG9w0BAQsFAAOCAQEAIC2ftr1046BhsVdi92EIefD/23aDDgFA
86ChWepmEfZ+n56QCYsLdw3ugVgUVBmBF6CnwrmKN91tglS3EN0IV2G2UdzitdFB
xAcIfRB2rcVAfQu8wcegQSVPYtOk0N8v/QOayLg8gYdEdxpRihYOyHBtbURE3Dyt
UFxuqxleE32sVZlYnf0m7SmXt9XtkO7eN+synlJBR8JUogyxQfMOqwfZPK7Rf7em
chKs4WFQtcPsPGzU4Q1yRzG3PxAiDVUgdCj2zuNl0epRkjmE7ZPRI/umtyorJmx5
lWA6ti+ZxtUZUImLbtKZy3CeNhohFUNQ5oveQ42ADyyp3SHnGssBQg==
-----END CERTIFICATE-----

PKI - Call:

  ipsec pki --print --in 80276883130047021254.cert.pem
  building CRED_CERTIFICATE - X509 failed, tried 3 builders
  parsing input failed

OpenSsl - Call:

  openssl x509 -in 80276883130047021254.cert.pem -text -noout
          X509v3 Subject Alternative Name:
              othername: 1.3.36.8.3.3: Netzkonnektor0...*...L.h0.0..
      Signature Algorithm: sha256WithRSAEncryption
           20:2d:9f:b6:bd:74:e3:a0:61:b1:57:62:f7:61:08:79:f0:ff:
           db:76:83:0e:01:40:f3:a0:a1:59:ea:66:11:f6:7e:9f:9e:90:
           09:8b:0b:77:0d:ee:81:58:14:54:19:81:17:a0:a7:c2:b9:8a:
           37:dd:6d:82:54:b7:10:dd:08:57:61:b6:51:dc:e2:b5:d1:41:
           c4:07:08:7d:10:76:ad:c5:40:7d:0b:bc:c1:c7:a0:41:25:4f:
           62:d3:a4:d0:df:2f:fd:03:9a:c8:b8:3c:81:87:44:77:1a:51:
           8a:16:0e:c8:70:6d:6d:44:44:dc:3c:ad:50:5c:6e:ab:19:5e:
           13:7d:ac:55:99:58:9d:fd:26:ed:29:97:b7:d5:ed:90:ee:de:
           37:eb:32:9e:52:41:47:c2:54:a2:0c:b1:41:f3:0e:ab:07:d9:
           3c:ae:d1:7f:b7:a6:72:12:ac:e1:61:50:b5:c3:ec:3c:6c:d4:
           e1:0d:72:47:31:b7:3f:10:22:0d:55:20:74:28:f6:ce:e3:65:
           d1:ea:51:92:39:84:ed:93:d1:23:fb:a6:b7:2a:2b:26:6c:79:
           95:60:3a:b6:2f:99:c6:d5:19:50:89:8b:6e:d2:99:cb:70:9e:
           36:1a:21:15:43:50:e6:8b:de:43:8d:80:0f:2c:a9:dd:21:e7:
           1a:cb:01:42

If this certificate is used by our Test-Roadwarrior, Charon.log contains:

  Jun  5 09:20:56 14[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
  Jun  5 09:20:56 14[CFG] loading certificate from 'my.C_NK_VPN.pem' failed

Kind regards,

Mike.