[Users] SSH Sentinel + Freeswan 1.8 + GemSAFE Smartcard

From: Claus-Ruediger Meier (CM_at_dosgmbh.de)
Date: Thu Aug 08 2002 - 10:25:24 CEST


Hello,

I have a problem with Freeswan 1.8 + X.509 Patch and SSH Sentinel 1.3.2.2 when I try to use a certificate on a smartcard.

Everything works fine if I use a certificate stored on the hard disk for SSH Sentinel. But when I change the configuration in SSH Sentinel to use a certificate stored on a GemSafe smartcard, FreeS/WAN has a problem. With plutodebug=all I get the following lines:
...
next payload type: ISAKMP_NEXT_ID
ISAKMP version: ISAKMP Version 1.0
exchange type: ISAKMP_XCHG_IDPROT
flags: ISAKMP_FLAG_ENCRYPTION
message ID: 00 00 00 00
Peer's ID is ID_USER_FQDN: 'aa_at_ddddddd.de'
hashing 56 bytes of SA
Hashing his ID: Type ID_USER_FQDN, Protocol 0, Port 0
ID to be hashed: 03 00 00 00
ID to be hashed: 61 61 40 64 64 64 64 64 64 64 2e 64 65
"gateway-demopc6" #132: SIG did not decrypt into good ECB: no leading 00. Bad key ?
state transition function for STATE_MAIN_R2 failed: INVALID_KEY_INFORMATION
next event EVENT_RETRANSMIT in 20 seconds for #132
...

I checked my ipsec.conf for identical subjects in the corresponding RSA certificates, but everything there is OK.

SSH Sentinel runs on a W2K machine. The smartcard is a GemSAFE GPK16000, the reader is a GEM PC410, and the card holds only the certificate, the private key and the public key (1024 bits). SSH Sentinel gets the keys and certificates using SSH Accession Version 1.1. The cryptoki is gclib.dll Version 2.01.

Has anyone ever tried such a combination, with a smartcard-stored certificate/keypair? What exactly does "ECB: no leading 00" mean?

Regards,
Claus-Rüdiger

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
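Added worked example (written for this archive page; it is not Pluto's, FreeS/WAN's or SSH Sentinel's code) illustrating what the "SIG did not decrypt into good ECB: no leading 00" diagnostic checks. In Pluto's IKEv1 main mode with RSA signatures, the peer signs the HASH_I/HASH_R value by wrapping it in a PKCS#1 v1.5 block type 01 envelope, 00 01 FF..FF 00 || hash (no DigestInfo), and applying the private key; "ECB" in the message is the PKCS#1 "encryption block", not the cipher mode. The responder reverses the signature with the public key taken from the certificate it selected for the peer's ID and expects that envelope back. If the public key does not belong to the private key that actually produced the signature (for example a certificate on disk that matches the ID but a different key on the card), the result is effectively random bytes and the very first check, the leading 00, fails. The key sizes, the hash input, the key-generation helper and the diagnostic strings below are constructed for the example; the check function's structure mirrors the padding checks described above, not Pluto's actual source.

```python
import hashlib
import random

# Deterministic so the example reproduces; toy 256-bit keys (constructed here),
# large enough to hold a PKCS#1 block around a 20-byte SHA-1 hash.
random.seed(20020808)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (helper for the toy key generator)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def gen_rsa(bits=256, e=65537):
    """Toy RSA keypair (n, e, d); real IKE peers use 1024 bits or more."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0 and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def pkcs1_type1_block(hash_val, k):
    """PKCS#1 v1.5 block type 01 around a bare hash: 00 01 FF..FF 00 || hash."""
    padlen = k - 3 - len(hash_val)
    if padlen < 8:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * padlen + b"\x00" + hash_val


def rsa_sign_hash(hash_val, n, d):
    """What the initiator (or its smartcard) does with its private key."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(pkcs1_type1_block(hash_val, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def check_rsa_sig(hash_val, sig, n, e):
    """Responder-side check: reverse the signature with the public key and
    verify the envelope byte by byte. Returns None on success, otherwise a
    diagnostic string (constructed for this example, not Pluto's exact text)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return "SIG length does not match public key length"
    s = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    padlen = k - 3 - len(hash_val)
    if s[0] != 0x00:                      # the check that fails in the log above
        return "SIG did not decrypt into good ECB: no leading 00"
    if s[1] != 0x01:
        return "SIG did not decrypt into good ECB: block type is not 01"
    if s[2:2 + padlen] != b"\xff" * padlen or s[2 + padlen] != 0x00:
        return "SIG did not decrypt into good ECB: bad padding"
    if s[3 + padlen:] != hash_val:
        return "SIG does not match computed hash"
    return None


def demo():
    """Returns (right key, wrong key, tampered signature) check results."""
    hash_val = hashlib.sha1(b"HASH_I constructed for this example").digest()
    n, e, d = gen_rsa()        # key that really signs (e.g. the one on the card)
    n2, e2, _ = gen_rsa()      # unrelated key, e.g. from the certificate on disk
    sig = rsa_sign_hash(hash_val, n, d)
    tampered = bytes([sig[0] ^ 0x01]) + sig[1:]
    return (check_rsa_sig(hash_val, sig, n, e),
            check_rsa_sig(hash_val, sig, n2, e2),
            check_rsa_sig(hash_val, tampered, n, e))


if __name__ == "__main__":
    for label, result in zip(("right key", "wrong key", "tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The practical consequence of this check: a padding failure says nothing about the certificate's subject or the peer's ID (those matched, since Pluto got as far as hashing the ID), only that the public key it used did not undo the signature. Comparing the modulus of the certificate Pluto selected for the peer with the public key actually stored on the card is the quickest way to confirm or rule out a key mismatch.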



This archive was generated by hypermail 2.1.4 : Thu Aug 08 2002 - 15:19:33 CEST