Hello Anand,

your private key is not well formed. The OpenSSL command

  openssl rsa -inform der -in caKey.der -noout -check
  RSA key error: dmp1 not congruent to d
  RSA key error: dmq1 not congruent to d

shows this. If I execute

  ipsec pki --gen > caKey1.der

on my system, my key is ok. You somehow modified your openssl
library so that it generates corrupt keys.

Regards

Andreas

On 11/14/2011 10:37 AM, anand rao wrote:
> Hi Andreas,
>
>>> Did you activate or insert any debug statements writing
>>> to stdout either in the strongSwan or OpenSSL code?
>
>
> Yes. It was my mistake, I added a debug message in openSSL rsa_gen.c in
> function RSA_generate_key_ex().
> Now I removed the print statement, and command "openssl rsa -inform der -in
> caKey.der -noout -text" was successful.
>
> But when I try to Generate a self-signed certificate for RSA public key I am
> getting below errors.
>
> ipsec pki --self --in caKey.der --dn "C=IN, O=strongSwan, CN=strongSwanCA" >
> caCert.der
> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
> parsing private key failed
>
> I have attached caKey.der.
> Please help.
>
> Regards,
> Anand
>
>
> ----- Original Message -----
> From: Andreas Steffen <andreas.stef...@strongswan.org>
> To: anand rao <anandrao...@yahoo.co.in>
> Cc: "users@lists.strongswan.org" <users@lists.strongswan.org>
> Sent: Friday, November 11, 2011 6:29 PM
> Subject: Re: [strongSwan] strongswan pki command error
>
> Hmmm, very strange. The first couple of characters as ASCII Text are
>
> od -t a caKey.der
>
> 0000000 r s a - > m e t h - > r s a _ k
> 0000020 e y g e n nl
>
> rsa->meth->rsa_keygen\n
>
> The ensuing characters are then the correct binary ASN.1 DER encoding
> of the private key
>
> od -t x1 caKey.der
>
> 0000000 72 73 61 2d 3e 6d 65 74 68 2d 3e 72 73 61 5f 6b
> 0000020 65 79 67 65 6e 0a
>                           30 82 05 a7 02 01 00 02 82 01
> 0000040 01 00 ee 75 b8 c4 cc a1 97 b1 fa c6 2d 7a 24 f2
> 0000060 d3 0d 80 e2 a5 2b d6 f7 b1 e3 82 c1 e9 68 80 cb
> 0000100 8a a6 2c 02 ca 1c c2 7f c8 e5 a2 9d b2 2f 1c ab
> 0000120 7c 4d 40 ae 3a 88 8e 8e 95 cd 46 b6 36 4e 3f 6b
> 0000140 3a 86 d9 d3 f5 b0 21 d5 fb 23 d8 15 5a da 91 30
>
> 30 82 05 a7     # RSA Private key, length 1447 bytes
>   02 01         # Version: 0
>     00          #
>   02 82 01 01   # Modulus n, length 257 bytes
>     00 ee 75 ..
>
> Size of caKey.der file                        1473 bytes.
> Size of debug string                           -22 bytes
> Size of ASN.1 sequence tag and length field     -4 bytes
>                                               ----------
> Encoded RSA private key length                1447 bytes
>
> I grepped our whole source code for "rsa_keygen" but there was
> no hit. Did you activate or insert any debug statements writing
> to stdout either in the strongSwan or OpenSSL code?
>
> Regards
>
> Andreas
>
> On 11/11/2011 01:13 PM, anand rao wrote:
>> Hi Andreas,
>>
>> Please find the caKey.der attached. It was unreadable using cat command.
>>
>> Regards
>> Anand
>>
>>
>>
>> ----- Original Message -----
>> From: Andreas Steffen <andreas.stef...@strongswan.org>
>> To: anand rao <anandrao...@yahoo.co.in>
>> Cc: "users@lists.strongswan.org" <users@lists.strongswan.org>
>> Sent: Friday, November 11, 2011 5:39 PM
>> Subject: Re: [strongSwan] strongswan pki command error
>>
>> Could you send me that private key file?
>>
>> Regards
>>
>> Andreas
>>
>> On 11/11/2011 12:00 PM, anand rao wrote:
>>> Hi Andreas,
>>>
>>> when I execute openssl rsa -inform der -in caKey.der -noout -text
>>> I am getting below errors.
>>>
>>>
>>> root@OpenWrt:/# openssl rsa -inform der -in caKey.der -noout -text
>>> unable to load Private Key
>>> 8193:error:0D094065:lib(13):func(148):reason(101):NA:0:
>>> 8193:error:0D0680A8:lib(13):func(104):reason(168):NA:0:
>>> 8193:error:0D07803A:lib(13):func(120):reason(58):NA:0:Type=RSA
>>> 8193:error:0D09A00D:lib(13):func(154):reason(13):NA:0:
>>>
>>>
>>> BR's
>>> Anand
>>>
>>>
>>> ----- Original Message -----
>>> From: Andreas Steffen <andreas.stef...@strongswan.org>
>>> To: anand rao <anandrao...@yahoo.co.in>
>>> Cc: "users@lists.strongswan.org" <users@lists.strongswan.org>
>>> Sent: Thursday, November 10, 2011 7:28 PM
>>> Subject: Re: [strongSwan] strongswan pki command error
>>>
>>> Hi Anand,
>>>
>>> If I execute the same commands then the ca cert generation works.
>>>
>>> - Verify if openssl rsa -inform der -in caKey.der -noout -text works
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 10.11.2011 14:49, anand rao wrote:
>>>> Hi,
>>>>
>>>> I am using strongswan 4.3.6
>>>>
>>>> I have tried generate certificates using strongswan PKI gen tool to
>>>> generate RSA certificate.
>>>> I am getting below errors.
>>>>
>>>> root@evm1gw:/etc/cert# ipsec pki --gen> caKey.der
>>>> root@evm1gw:/etc/cert#
>>>> root@evm1gw:/etc/cert# ipsec pki --self --in caKey.der --dn
>>>> "C=IN,O=strongSwan, CN=strongSwan CA" --ca> caCert.der
>>>> file coded in unknown format, discarded
>>>> building CRED_PRIVATE_KEY - RSA failed, tried 6 builders
>>>> parsing private key failed
>>>>
>>>> I have used the default load so all the plugins are loaded. Please help.
>>>>
>>>> Thanks,
>>>> Anand
>>
>> ======================================================================
>> Andreas Steffen                         andreas.stef...@strongswan.org
>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
>> ===========================================================[ITA-HSR]==
>
>

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
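
Added example (not part of the original thread, and not strongSwan or OpenSSL code): a stdlib-only Python sketch of the two checks made by hand above, locating where the DER-encoded RSAPrivateKey really starts when stray stdout text precedes it, and testing the CRT exponents the way the "dmp1 not congruent to d" errors describe. All function names are hypothetical, the 61 * 53 toy key is constructed for illustration, and find_der_start is a heuristic that trusts the first SEQUENCE whose declared length ends exactly at end of file.

```python
DEBUG_PREFIX = b"rsa->meth->rsa_keygen\n"   # the 22 stray bytes seen in the thread
NAMES = ("version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp")

def read_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def find_der_start(data):
    """Offset of the first SEQUENCE whose length ends exactly at EOF, else None."""
    for off in range(len(data) - 1):
        length, body = read_len(data, off + 1)
        if data[off] == 0x30 and body + length == len(data):
            return off
    return None

def parse_rsa_key(der):
    """Return the nine PKCS#1 RSAPrivateKey INTEGERs as a dict."""
    _, i = read_len(der, 1)
    vals = []
    while i < len(der):
        if der[i] != 0x02:
            raise ValueError(f"expected INTEGER at offset {i}")
        length, body = read_len(der, i + 1)
        vals.append(int.from_bytes(der[body:body + length], "big"))
        i = body + length
    return dict(zip(NAMES, vals))

def crt_errors(k):
    """CRT exponents must satisfy dmp1 = d mod (p-1) and dmq1 = d mod (q-1)."""
    return [f"{name} not congruent to d"
            for name, prime in (("dmp1", "p"), ("dmq1", "q"))
            if (k["d"] - k[name]) % (k[prime] - 1)]

def der_int(v):
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # extra bit keeps it positive
    return b"\x02" + bytes([len(b)]) + b

def toy_key(p=61, q=53, e=17, d=2753, dmp1=53):
    """Constructed sample key; pass a wrong dmp1 to simulate a corrupt key."""
    ints = (0, p * q, e, d, p, q, dmp1, d % (q - 1), pow(q, -1, p))
    body = b"".join(map(der_int, ints))
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    blob = DEBUG_PREFIX + toy_key(dmp1=7)   # stray stdout text + corrupted dmp1
    print(find_der_start(blob), crt_errors(parse_rsa_key(blob[len(DEBUG_PREFIX):])))
```

A non-zero offset from find_der_start means something other than the key was written to the file, which is what the od dumps above revealed; an empty list from crt_errors corresponds to a key that passes the two conditions reported by openssl rsa -check.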