Discussion:
[strongSwan] Loading certificate fails
Ettrich, Mike, NMU-DSJ
2018-06-05 09:49:49 UTC
Hi!
Because the strongswan log doesn't tell a lot about the reasons, I have to call for help solving the problem "building CRED_CERTIFICATE - ANY failed, tried 1 builders".
We do use a symlink to the certificate but it seems to be a structural problem.

We have problems loading the certificate (80276883130047021254.cert.pem):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

PKI - Call:
ipsec pki --print --in 80276883130047021254.cert.pem
building CRED_CERTIFICATE - X509 failed, tried 3 builders
parsing input failed

OpenSsl - Call:
openssl x509 -in 80276883130047021254.cert.pem -text -noout


X509v3 Subject Alternative Name:
othername:<unsupported>
1.3.36.8.3.3:
Netzkonnektor0...*...L.h0.0..
Signature Algorithm: sha256WithRSAEncryption
20:2d:9f:b6:bd:74:e3:a0:61:b1:57:62:f7:61:08:79:f0:ff:
db:76:83:0e:01:40:f3:a0:a1:59:ea:66:11:f6:7e:9f:9e:90:
09:8b:0b:77:0d:ee:81:58:14:54:19:81:17:a0:a7:c2:b9:8a:
37:dd:6d:82:54:b7:10:dd:08:57:61:b6:51:dc:e2:b5:d1:41:
c4:07:08:7d:10:76:ad:c5:40:7d:0b:bc:c1:c7:a0:41:25:4f:
62:d3:a4:d0:df:2f:fd:03:9a:c8:b8:3c:81:87:44:77:1a:51:
8a:16:0e:c8:70:6d:6d:44:44:dc:3c:ad:50:5c:6e:ab:19:5e:
13:7d:ac:55:99:58:9d:fd:26:ed:29:97:b7:d5:ed:90:ee:de:
37:eb:32:9e:52:41:47:c2:54:a2:0c:b1:41:f3:0e:ab:07:d9:
3c:ae:d1:7f:b7:a6:72:12:ac:e1:61:50:b5:c3:ec:3c:6c:d4:
e1:0d:72:47:31:b7:3f:10:22:0d:55:20:74:28:f6:ce:e3:65:
d1:ea:51:92:39:84:ed:93:d1:23:fb:a6:b7:2a:2b:26:6c:79:
95:60:3a:b6:2f:99:c6:d5:19:50:89:8b:6e:d2:99:cb:70:9e:
36:1a:21:15:43:50:e6:8b:de:43:8d:80:0f:2c:a9:dd:21:e7:
1a:cb:01:42

If this certificate is used by our Test-Roadwarrior, Charon.log contains:

Jun 5 09:20:56 14[LIB] building CRED_CERTIFICATE - ANY failed, tried 1 builders
Jun 5 09:20:56 14[CFG] loading certificate from 'my.C_NK_VPN.pem' failed

Kind regards,
Mike.
Andreas Steffen
2018-06-05 13:39:21 UTC
Oops, wasn't aware that my pki setup was using the openssl plugin even
though I was loading the x509 plugin in front of the openssl plugin.

Returning to the actual question whether "organisationName" with
OID 2.5.4.10 is an "otherName" type we should support. Since the
value type is encoded explicitly we could handle any otherName
type we have a known OID for.

Regards

Andreas
Hi Andreas,
0: 06 03 55 04 0A A0 49 0C 47 67 65 6D 61 74 69 6B ..U...I.Ggematik
16: 20 47 65 73 65 6C 6C 73 63 68 61 66 74 20 66 C3 Gesellschaft f.
32: BC 72 20 54 65 6C 65 6D 61 74 69 6B 61 6E 77 65 .r Telematikanwe
48: 6E 64 75 6E 67 65 6E 20 64 65 72 20 47 65 73 75 ndungen der Gesu
64: 6E 64 68 65 69 74 73 6B 61 72 74 65 20 6D 62 48 ndheitskarte mbH
'O'
0: 0C 47 67 65 6D 61 74 69 6B 20 47 65 73 65 6C 6C .Ggematik Gesell
16: 73 63 68 61 66 74 20 66 C3 BC 72 20 54 65 6C 65 schaft f..r Tele
32: 6D 61 74 69 6B 61 6E 77 65 6E 64 75 6E 67 65 6E matikanwendungen
48: 20 64 65 72 20 47 65 73 75 6E 64 68 65 69 74 73 der Gesundheits
64: 6B 61 72 74 65 20 6D 62 48 karte mbH
which is just being ignored.
It actually isn't. pki --print only successfully parses the certificate
if the openssl plugin is loaded, otherwise it fails right after the
output you posted above. The x509 plugin isn't happy about the unparsed
generalName (while parse_otherName() returns TRUE, no id_type or
encoding is returned, so parse_generalName() eventually returns NULL,
which causes x509_parse_generalNames() to fail).
Regards,
Tobias
--
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
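The parsing behaviour Tobias and Andreas describe above, as an added example (this is not strongSwan's x509 plugin code): a small DER walker over SubjectAltName GeneralNames that can either reject the whole extension when it meets an otherName with an unknown type-id (the symptom in the thread) or record the entry and keep the remaining names usable. The sample SAN is constructed by hand from the hexdump quoted above (type-id 2.5.4.10 wrapping an explicit [0] UTF8String); the table of "known" otherName type-ids, the function names and the dNSName value are assumptions made for the example.

```python
"""DER walker for the SubjectAltName GeneralNames discussed in this thread.

Added example, not strongSwan code.  Assumptions: single-byte tags, definite
lengths, IPv4-only iPAddress, and an illustrative "known otherName" table.
"""

# GeneralName CHOICE tags from RFC 5280, section 4.2.1.6 (context-specific)
TAG_OTHER_NAME = 0xA0  # [0] OtherName, constructed
TAG_RFC822 = 0x81      # [1] IA5String
TAG_DNS = 0x82         # [2] IA5String
TAG_URI = 0x86         # [6] IA5String
TAG_IP = 0x87          # [7] OCTET STRING
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8/Printable/IA5

# otherName type-ids this toy parser knows (assumption: illustrative table)
KNOWN_OTHER_NAME_OIDS = {
    "1.3.6.1.4.1.311.20.2.3": "userPrincipalName",
    "1.3.6.1.5.5.7.8.5": "xmppAddr",
}


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_other_name(raw):
    """OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }.

    The explicit tag makes the inner value self-describing, which is the
    point made above: string values decode even for an unfamiliar type-id.
    """
    tag, oid_raw, pos = read_tlv(raw, 0)
    if tag != 0x06:
        raise ValueError("otherName type-id is not an OID")
    tag, explicit, _ = read_tlv(raw, pos)
    if tag != 0xA0:
        raise ValueError("otherName value is not [0] EXPLICIT")
    inner_tag, inner, _ = read_tlv(explicit, 0)
    value = inner.decode(STRING_TAGS[inner_tag]) if inner_tag in STRING_TAGS else inner
    return decode_oid(oid_raw), value


def parse_general_names(der, strict=False):
    """Walk GeneralNames ::= SEQUENCE OF GeneralName into tuples.

    strict=True reproduces the thread's failure: an unknown otherName type-id
    rejects the entire extension.  strict=False records the otherName and
    keeps the neighbouring dNSName/rfc822Name entries usable.
    """
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)
        if tag == TAG_OTHER_NAME:
            oid, value = parse_other_name(content)
            if oid not in KNOWN_OTHER_NAME_OIDS:
                if strict:
                    raise ValueError("unsupported otherName type-id " + oid)
                names.append(("otherName", oid, value))
            else:
                names.append((KNOWN_OTHER_NAME_OIDS[oid], oid, value))
        elif tag in (TAG_RFC822, TAG_DNS, TAG_URI):
            kind = {TAG_RFC822: "rfc822Name", TAG_DNS: "dNSName",
                    TAG_URI: "uniformResourceIdentifier"}[tag]
            names.append((kind, content.decode("ascii")))
        elif tag == TAG_IP:
            names.append(("iPAddress", ".".join(str(b) for b in content)))
        else:
            names.append(("unknown", tag, content))
    return names


def strict_rejects(der):
    """True when strict parsing refuses the extension (the symptom in the thread)."""
    try:
        parse_general_names(der, strict=True)
    except ValueError:
        return True
    return False


def encode_tlv(tag, content):
    """Short-form DER encoder, enough for the constructed sample below."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


# Constructed sample: a dNSName plus the otherName from the hexdump quoted in
# the thread (type-id 2.5.4.10, explicit [0] wrapping a UTF8String).
ORG_NAME = "gematik Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH"
OTHER_NAME_DER = (encode_tlv(0x06, bytes([0x55, 0x04, 0x0A]))
                  + encode_tlv(0xA0, encode_tlv(0x0C, ORG_NAME.encode("utf-8"))))
SAMPLE_SAN = encode_tlv(0x30, encode_tlv(TAG_DNS, b"vpn.example.com")
                        + encode_tlv(TAG_OTHER_NAME, OTHER_NAME_DER))

if __name__ == "__main__":
    for entry in parse_general_names(SAMPLE_SAN):
        print(entry)
    print("strict mode rejects the SAN:", strict_rejects(SAMPLE_SAN))
```

Running it prints the dNSName, then the otherName with its decoded organisation string, and finally `True` for strict mode. The first nine bytes of `OTHER_NAME_DER` reproduce the `06 03 55 04 0A A0 49 0C 47` prefix of the hexdump above, so the sample is byte-for-byte the structure the x509 plugin tripped over; the lenient path still checks every length against the buffer, which is the part a tolerant parser must not give up.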
Christian Salway
2018-06-12 08:46:38 UTC
A client is looking for a clear way to monitor failed and successful logins. Is there any way to log just those?