Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen

Oops, wasn't aware that my pki setup was using the openssl plugin even
though I was loading the x509 plugin in front of the openssl plugin.

Returning to the actual question whether "organisationName" with
OID 2.5.4.10 is an "otherName" type we should support. Since the
value type is encoded explicitly we could handle any otherName
type we have a known OID for.

Regards

Andreas

On 05.06.2018 14:38, Tobias Brunner wrote:
> Hi Andreas,
>
>> L6 - generalNames:
>> L7 - generalName:
>> L8 - otherName:
>> => 80 bytes @ 0xd78923
>>    0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
>>   16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
>>   32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
>>   48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
>>   64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
>> L9 - type-id:
>>   'O'
>> L9 - value:
>> => 73 bytes @ 0xd7892a
>>    0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
>>   16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
>>   32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
>>   48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
>>   64: 6B 61 72 74 65 20 6D 62 48                        karte mbH
>>
>> which is just being ignored.
>
> It actually isn't.  pki --print only successfully parses the certificate
> if the openssl plugin is loaded, otherwise it fails right after the
> output you posted above.  The x509 plugin isn't happy about the unparsed
> generalName (while parse_otherName() returns TRUE, no id_type or
> encoding is returned, so parse_generalName() eventually returns NULL,
> which causes x509_parse_generalNames() to fail).
>
> Regards,
> Tobias



--
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!  www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==





Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Tobias Brunner
Hi Andreas,

> L6 - generalNames:
> L7 - generalName:
> L8 - otherName:
> => 80 bytes @ 0xd78923
>    0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
>   16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
>   32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
>   48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
>   64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
> L9 - type-id:
>   'O'
> L9 - value:
> => 73 bytes @ 0xd7892a
>    0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
>   16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
>   32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
>   48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
>   64: 6B 61 72 74 65 20 6D 62 48                        karte mbH
>
> which is just being ignored.

It actually isn't.  pki --print only successfully parses the certificate
if the openssl plugin is loaded, otherwise it fails right after the
output you posted above.  The x509 plugin isn't happy about the unparsed
generalName (while parse_otherName() returns TRUE, no id_type or
encoding is returned, so parse_generalName() eventually returns NULL,
which causes x509_parse_generalNames() to fail).

Regards,
Tobias
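
The otherName from the dump above, decoded step by step. This is an added example, not strongSwan code and not the x509 plugin's parse_otherName(): a minimal DER reader in Python that splits the 80 content bytes into the type-id OBJECT IDENTIFIER and the [0] EXPLICIT value, decodes the OID to 2.5.4.10, and, because the inner tag travels on the wire (0x0C, UTF8String), recovers the text without having to know the type in advance. It goes slightly beyond the thread's single case: the known-OID table and the helper names are my own, the UPN entry in that table is an assumption added for illustration, and an unknown type-id yields a result with name None rather than a parse failure.

```python
# Added example (not strongSwan code): decode a subjectAltName otherName
# with a minimal DER reader, using the 80-byte dump posted in this thread.
#
#   OtherName ::= SEQUENCE {
#       type-id  OBJECT IDENTIFIER,
#       value    [0] EXPLICIT ANY DEFINED BY type-id }
#
# The dump covers the content octets of the otherName, so the first TLV is
# the OID and the second is the [0] wrapper around the actual value.

# Constructed from the hex columns of the dump (offsets and ASCII stripped).
OTHERNAME_DER = bytes.fromhex(
    "06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B"
    "20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3"
    "BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65"
    "6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75"
    "6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48"
)

# type-ids this example knows how to label; 2.5.4.10 is the one in the
# thread, the UPN entry is an assumption added here for illustration.
KNOWN_OTHERNAME_TYPES = {
    "2.5.4.10": "O",                   # organizationName
    "1.3.6.1.4.1.311.20.2.3": "UPN",   # Microsoft userPrincipalName
}

# universal string tags whose content this example decodes to text
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Read one DER TLV starting at buf[pos]; return (tag, content, next_pos).
    Handles short-form and up to two-byte long-form lengths, enough for
    certificate extensions; anything else is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated TLV content")
    return tag, content, pos + length


def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_othername(der):
    """Decode otherName content octets into a dict with the dotted OID, a short
    name when the OID is known (None otherwise), the inner value's tag and,
    for string types, the decoded text. Because the value sits inside an
    EXPLICIT [0] tag, the inner type is visible on the wire and can be
    decoded even when the OID itself is unknown to the caller."""
    tag, oid_bytes, pos = read_tlv(der, 0)
    if tag != 0x06:
        raise ValueError("otherName must start with an OBJECT IDENTIFIER")
    oid = decode_oid(oid_bytes)
    tag, wrapper, pos = read_tlv(der, pos)
    if tag != 0xA0:
        raise ValueError("otherName value must be [0] EXPLICIT")
    if pos != len(der):
        raise ValueError("trailing bytes after otherName")
    inner_tag, inner, end = read_tlv(wrapper, 0)
    if end != len(wrapper):
        raise ValueError("trailing bytes inside the [0] wrapper")
    encoding = STRING_TAGS.get(inner_tag)
    return {
        "oid": oid,
        "name": KNOWN_OTHERNAME_TYPES.get(oid),
        "inner_tag": inner_tag,
        "value": inner.decode(encoding) if encoding else None,
        "raw": inner,
    }


if __name__ == "__main__":
    result = parse_othername(OTHERNAME_DER)
    print(f"{result['name'] or result['oid']} = {result['value']!r}")
```

Running it prints the organisation name from the dump. For a type-id that is not in the table the function still returns the decoded inner value with name set to None, so a caller can decide per entry whether to keep, skip or reject it; that is the alternative to the behaviour Tobias describes, where an unparsed otherName makes the whole generalNames parse fail.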


Re: [strongSwan] Loading certificate fails

2018-06-05 Thread Andreas Steffen

Hi Mike,

with strongSwan 5.7.0dr, pki --print returns the following information:

  subject:   "C=DE, ST=Berlin, L=Berlin, O=gematik GmbH TEST-ONLY - NOT-VALID, CN=80276883130047021254-20170828, postalCode=10117, STREET=Friedrichstraße 136"
  issuer:    "C=DE, O=gematik GmbH NOT-VALID, OU=Komponenten-CA der Telematikinfrastruktur, CN=GEM.KOMP-CA27 TEST-ONLY"

  validity:  not before Aug 28 14:23:52 2017, ok
             not after  Aug 27 14:23:51 2022, ok (expires in 1544 days)
  serial:    49
  flags:     serverAuth clientAuth
  OCSP URIs: http://ocsp-testref.komp-ca.telematik-test/ocsp
  authkeyId: 7d:6d:64:43:c5:89:f0:04:a7:62:d9:00:6a:eb:64:cc:5e:ed:77:74
  subjkeyId: b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72
  pubkey:    RSA 2048 bits
  keyid:     ef:5d:7e:46:2c:56:c9:87:33:70:f4:ba:8f:b1:ad:74:54:00:5e:a1
  subjkey:   b8:df:ef:87:8e:a7:1b:13:66:90:2a:9f:81:00:46:96:96:93:70:72

There is an otherName defined in the subjectAltName extension of type-id
"organisation"

L6 - generalNames:
L7 - generalName:
L8 - otherName:
=> 80 bytes @ 0xd78923
   0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B  ..U...I.Ggematik
  16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3   Gesellschaft f.
  32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65  .r Telematikanwe
  48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75  ndungen der Gesu
  64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48  ndheitskarte mbH
L9 - type-id:
  'O'
L9 - value:
=> 73 bytes @ 0xd7892a
   0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C  .Ggematik Gesell
  16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65  schaft f..r Tele
  32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E  matikanwendungen
  48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73   der Gesundheits
  64: 6B 61 72 74 65 20 6D 62 48   karte mbH

which is just being ignored.

Best regards

Andreas

On 05.06.2018 11:49, Ettrich, Mike, NMU-DSJ wrote:
> Hi!
>
> Because the strongswan log doesn't tell a lot about the reasons I have
> to call for help solving the problem "building CRED_CERTIFICATE - ANY
> failed, tried 1 builders".
>
> We do use a symlink to the certificate but it seems to be a structural
> problem.
>
> We have problems to load the certificate (80276883130047021254.cert.pem):
>
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
>
> PKI - Call:
>
> ipsec pki --print --in 80276883130047021254.cert.pem
>
> building CRED_CERTIFICATE - X509 failed, tried 3 builders
>
> parsing input failed
>
> OpenSsl - Call:
>
> openssl x509 -in 80276883130047021254.cert.pem -text -noout
>
>  X509v3 Subject Alternative Name:
>  othername:
>  1.3.36.8.3.3:
>  Netzkonnektor0...*...L.h0.0..
>
>  Signature Algorithm: sha256WithRSAEncryption
>  20:2d:9f:b6:bd:74:e3:a0:61:b1:57:62:f7:61:08:79:f0:ff:
>  db:76:83:0e:01:40:f3:a0:a1:59:ea:66:11:f6:7e:9f:9e:90:
>  09:8b:0b:77:0d:ee:81:58:14:54:19:81:17:a0:a7:c2:b9:8a:
>  37:dd:6d:82:54:b7:10:dd:08:57:61:b6:51:dc:e2:b5:d1:41:
>  c4:07:08:7d:10:76:ad:c5:40:7d:0b:bc:c1:c7:a0:41:25:4f:
>  62:d3:a4:d0:df:2f:fd:03:9a:c8:b8:3c:81:87:44:77:1a:51:
>  8a:16:0e:c8:70:6d:6d:44:44:dc:3c:ad:50:5c:6e:ab:19:5e:


[strongSwan] Loading certificate fails

2018-06-05 Thread Ettrich, Mike, NMU-DSJ
Hi!
Because the strongswan log doesn't tell a lot about the reasons I have to call 
for help solving the problem "building CRED_CERTIFICATE - ANY failed, tried 1 
builders".
We do use a symlink to the certificate but it seems to be a structural problem.

We have problems to load the certificate (80276883130047021254.cert.pem):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

PKI - Call:
ipsec pki --print --in 80276883130047021254.cert.pem
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing input failed

OpenSsl - Call:
openssl x509 -in 80276883130047021254.cert.pem -text -noout


X509v3 Subject Alternative Name:
othername:
1.3.36.8.3.3:
Netzkonnektor0...*...L.h0.0..
Signature Algorithm: sha256WithRSAEncryption
20:2d:9f:b6:bd:74:e3:a0:61:b1:57:62:f7:61:08:79:f0:ff:
db:76:83:0e:01:40:f3:a0:a1:59:ea:66:11:f6:7e:9f:9e:90:
09:8b:0b:77:0d:ee:81:58:14:54:19:81:17:a0:a7:c2:b9:8a:
37:dd:6d:82:54:b7:10:dd:08:57:61:b6:51:dc:e2:b5:d1:41:
c4:07:08:7d:10:76:ad:c5:40:7d:0b:bc:c1:c7:a0:41:25:4f:
62:d3:a4:d0:df:2f:fd:03:9a:c8:b8:3c:81:87:44:77:1a:51:
8a:16:0e:c8:70:6d:6d:44:44:dc:3c:ad:50:5c:6e:ab:19:5e:
13:7d:ac:55:99:58:9d:fd:26:ed:29:97:b7:d5:ed:90:ee:de:
37:eb:32:9e:52:41:47:c2:54:a2:0c:b1:41:f3:0e:ab:07:d9:
3c:ae:d1:7f:b7:a6:72:12:ac:e1:61:50:b5:c3:ec:3c:6c:d4:
e1:0d:72:47:31:b7:3f:10:22:0d:55:20:74:28:f6:ce:e3:65:
d1:ea:51:92:39:84:ed:93:d1:23:fb:a6:b7:2a:2b:26:6c:79:
95:60:3a:b6:2f:99:c6:d5:19:50:89:8b:6e:d2:99:cb:70:9e:
36:1a:21:15:43:50:e6:8b:de:43:8d:80:0f:2c:a9:dd:21:e7:
1a:cb:01:42

If this certificate is used by our Test-Roadwarrior, charon.log contains:

Jun  5 09:20:56 14[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Jun  5 09:20:56 14[CFG]   loading certificate from 'my.C_NK_VPN.pem' failed

Kind regards,
Mike.