Hi Martin and Tobias,
Thank you both once again for the quick analysis.
Yes, the debug was definitely indicating not being compliant with the PKCS#1
standard.
I will re-check with our hardware vendor on the invalid key as they are not seeing
this issue with the keys generated by the same driver they provided to us.
Our hardware vendor had recommended recently that we disable the openssl plugin
for some buggy issues (sorry, don't have the specifics yet) regarding strongSwan
openssl plugin, OCF and Linux 2.6.33.5. They are able to bring up IPsec tunnel
with public key certificate authentication using much earlier strongswan 4.3.6
version + Linux 2.6.33.5 + OCF + openssl cryptodev engine and h/w driver
acceleration. They are currently not supporting an upgrade to 5.0.1. That's the
only variable difference on my setup and the vendor's setup.
Are there any known issues using 5.0.1 version + openssl 0.9.8q + OCF +
kernel 2.6.33.5?
This is what we are using in our setup, in addition to hardware vendor's driver
code for acceleration.
Kiran
________________________________
From: Martin Willi <[email protected]>
To: Kiran Joshi <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Thursday, January 24, 2013 2:59 AM
Subject: Re: [strongSwan] Unable to load the private key without openssl plugin
Hi Kiran,
> 00[LIB] key integrity tests failed: chect that exp1(150380) is d(150368) mod
> (p(150344)-1), t=-1097449556
> 00[LIB] key integrity tests failed: checkt that exp2(150392) is d(150368) mod
> (q(150356)-1), t=-1097449556
Seems like this key is definitely invalid. By definition in PKCS#1:
exponent1 is d mod (p - 1)
exponent2 is d mod (q - 1)
But in your key, this is not the case.
> is created with the openssl -engine cryptodev (OCF + h/w driver) option.
Looks like a bug to me in your hardware or driver.
> works fine for our SIP TLS
This is absolutely possible, for example if it regenerates the
exponents. Nonetheless, the key is not valid according to PKCS#1.
Regards
Martin
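
The PKCS#1 relations cited in the reply above, as an added example that is not part of the original thread and not strongSwan's code: a Python check over a constructed toy key, which also shows why a consumer that regenerates the CRT values from d, p and q can still work with a key whose stored exponent1 is wrong. All function names and numeric values here are assumptions made for illustration.

```python
# Added example: PKCS#1 RSAPrivateKey consistency check on a constructed toy key.
from math import gcd

def check_crt(n, e, d, p, q, exp1, exp2, coeff):
    """Return the PKCS#1 relations that the given key components violate."""
    failed = []
    if n != p * q:
        failed.append("modulus != p * q")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        failed.append("e * d != 1 mod lcm(p - 1, q - 1)")
    if exp1 != d % (p - 1):
        failed.append("exponent1 != d mod (p - 1)")
    if exp2 != d % (q - 1):
        failed.append("exponent2 != d mod (q - 1)")
    if (coeff * q) % p != 1:
        failed.append("coefficient != q^-1 mod p")
    return failed

def crt_private_op(m, p, q, exp1, exp2, coeff):
    """RSA private-key operation using the stored CRT values as-is."""
    m1, m2 = pow(m, exp1, p), pow(m, exp2, q)
    return m2 + q * ((coeff * (m1 - m2)) % p)

def regenerate(d, p, q):
    """Recompute (exponent1, exponent2, coefficient), ignoring stored ones."""
    return d % (p - 1), d % (q - 1), pow(q, -1, p)

# Constructed toy values, far too small for real use.
P, Q, E, D = 61, 53, 17, 2753
N = P * Q
GOOD = (53, 49, 38)   # exponent1, exponent2, coefficient
BAD = (54, 49, 38)    # exponent1 deliberately wrong

if __name__ == "__main__":
    m = 65
    print("good key :", check_crt(N, E, D, P, Q, *GOOD) or "consistent")
    print("bad key  :", check_crt(N, E, D, P, Q, *BAD))
    print("stored CRT values give m^d mod n:",
          crt_private_op(m, P, Q, *BAD) == pow(m, D, N))
    print("regenerated values give m^d mod n:",
          crt_private_op(m, P, Q, *regenerate(D, P, Q)) == pow(m, D, N))
```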