From: Reinhard Moosauer (rm_at_moosauer.de)
Date: Mon Dec 02 2002 - 22:40:50 CET
Hello Andreas,
many thanks for the pointer. I started diagnostics with both FS and sentinel
in full debug mode and tried to compare the actions at both sides.
First of all: the public key is ok. After comparing serial numbers I loaded
the certificate as a cacert into FS and compared the RSA "AwEAAcqLJ" string.
And yes, the smartcard _does_ a successful sign operation each time I try to
connect. AccessionLite logs it. And I enter my PIN in the reader.
BTW: I can use SSH to log in to a Linux server with the cert on the same smartcard
without problems (with the freeware SSH Client 3.2.2 from ssh.com and the same
AccessionLite).
I can find absolutely no error, nowhere.
In the logs, there is a point:
".. hashing 1248 bytes of SA"
Until that, everything looks wonderfully clear and matching. There seems to
be simply no chance to pick any wrong key. The last message before is:
"Public key validated".
And again: the public key, which is used to check the RSA Sig came obviously
in the very same packet.
Pretty wicked.
At this moment, I cannot try the same cert with & without smartcard, because
Kobil SmartKey doesn't let me import certs onto my smartcard by now.
I hope to get this done during the next days and maybe this will bring more light
to this problem. What do you think?
I saved a recording of one of these conversations between FS and Sentinel.
If somebody feels like it, he could take a look at it. Please mail me, because I
don't want to publish all my data to this list.
I would still appreciate any new idea to track this prob. Who else uses
smartcards like that?
Have a nice day,
Reinhard
On Sunday, December 1, 2002 18:24, you wrote:
> Hello Reinhard,
>
> it seems that the private key with which SSH Sentinel (or rather the
> smartcard) signs the IKE message does not match the public key contained
> in the certificate that was sent to FreeS/WAN. Try to find out with the
> help of
>
> ipsec auto --listall
>
> if the public key with the key id AwEAAcQLJ belongs to the
> user certificate issued by TC Trustcenter. If yes then SSH Sentinel
> does not delegate the signing process to the smartcard but uses some
> private key of its own.
>
> Kind regards
>
> Andreas
>
> > Hello List,
> >
> > With SSH Sentinel 1.4 and Freeswan 1.98b with x509 Patch, I am using
> > a normal Roadwarrior-Configuration.
> > Certs had been issued by openssl by now.
> > So far, everything works fine.
> >
> > Now I tried to use a Smartcard-Certificate with SSH Accession. This
> > Certificate was issued by TC Trustcenter (trustcenter.de).
> > I set up the TC CA as trusted in Sentinel and configured the VPN to use
> > my TC certificate.
> > I also gave the trustcenter CA cert to freeswan. It is listed with
> > --listcacerts and the fingerprint matches the one shown in Sentinel.
> >
> > But FS refused to set up a connection. The error message is:
> > -----
> > Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1:
> > Peer ID is ID_DER_ASN1_DN: 'C=DE, CN=My Name, E=me_at_mydomain.de'
> > Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1:
> > Signature check (on C=DE, CN=My Name, E=me_at_mydomain.de) failed (wrong
> > key?); tried *AwEAAcqLJ
> > Nov 29 15:06:27 wall pluto[18645]: | public key for C=DE, CN=My Name,
> > E=me_at_mydomain.de failed: decrypted SIG payload into a malformed ECB (00
> > separator not present)
> > Nov 29 15:06:27 wall pluto[18645]: | state transition function for
> > STATE_MAIN_R2 failed: INVALID_KEY_INFORMATION
> > -----
> > I would be very grateful for any pointers to fix this problem.
> > I was not able to subscribe today, so please mail to my address:
> > rm_at_moosauer.de
> >
> > Thanks a lot,
> >
> > Reinhard
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users_at_lists.freeswan.org
> > http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Dec 04 2002 - 05:20:58 CET
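The thread turns on two things pluto reports: the nine-character key id it "tried" (AwEAAcqLJ) and the fact that applying that public key to the SIG payload yields a block without the PKCS#1 "00 separator". The following Python is an added example written for this archive page; it is not code from the thread, from FreeS/WAN or from SSH Sentinel. It assumes FreeS/WAN's key id convention (the first nine base64 characters of the RFC 2537 RSA key encoding: exponent length, exponent, modulus), and it uses a toy, deterministically seeded 1024-bit key, a SHA-256 DigestInfo (the padding layout is the same as for the MD5/SHA-1 digests IKE used at the time), a constructed byte string standing in for the IKE HASH_I, and error strings modelled on the quoted log line. It shows the good case (signer's key matches the certificate) beside the case Andreas suspects (the signer used an unrelated private key), which is exactly what produces the "00 separator not present" diagnostic.

```python
import base64
import hashlib
import math
import random

# Fixed seed so the example reproduces; real keys come from a CSPRNG or
# never leave the smartcard at all.
_rng = random.Random(2002)

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a toy key, not for production use."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_rsa_key(bits=1024, e=65537):
    """Return (n, e, d) for a toy RSA key with a 'bits'-sized modulus."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def freeswan_keyid(n, e):
    """First nine base64 chars of the RFC 2537 encoding (assumed FreeS/WAN
    convention): exponent length byte(s), exponent, modulus."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    prefix = bytes([len(e_bytes)]) if len(e_bytes) < 256 \
        else b"\x00" + len(e_bytes).to_bytes(2, "big")
    return base64.b64encode(prefix + e_bytes + n_bytes).decode()[:9]

# DER prefix for a SHA-256 DigestInfo (assumption: IKE of that era used MD5/SHA-1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()

def rsa_sign(msg, n, d):
    """PKCS#1 v1.5 signature: EM = 00 01 FF..FF 00 || DigestInfo || hash."""
    k = (n.bit_length() + 7) // 8
    t = _digest_info(msg)
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def check_signature_block(sig, n, e):
    """Apply the public key and inspect the padding, as pluto does before it
    compares any hash. Returns (ok, payload_or_reason)."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False, "malformed ECB (no 00 01 block type)"
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return False, "malformed ECB (00 separator not present)"  # the thread's case
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return False, "malformed ECB (bad padding string)"
    return True, em[sep + 1:]

def verify(msg, sig, n, e):
    """Padding first, then DigestInfo || hash comparison."""
    ok, payload = check_signature_block(sig, n, e)
    if not ok:
        return False, payload
    if payload != _digest_info(msg):
        return False, "hash mismatch"
    return True, "signature verified"

def demo():
    """Signer's key matches the certificate vs. signer used an unrelated key."""
    n_cert, e, d_cert = make_rsa_key()      # key in the certificate sent to FS
    n_other, _, d_other = make_rsa_key()    # some other key the peer signs with
    hash_i = b"constructed stand-in for the IKE HASH_I bytes"
    good = verify(hash_i, rsa_sign(hash_i, n_cert, d_cert), n_cert, e)
    bad = verify(hash_i, rsa_sign(hash_i, n_other, d_other), n_cert, e)
    return freeswan_keyid(n_cert, e), good, bad
```

Two points worth noticing when reading the thread with this in hand. First, for the common exponent 65537 the RFC 2537 encoding always begins with the bytes 03 01 00 01, so every such key id starts with "AwEAA"; only the trailing characters (here "cqLJ") say anything about the modulus, which is why the comparison Andreas suggests against `ipsec auto --listall` has to be made on the whole nine characters. Second, a signature made with any key other than the one in the presented certificate decrypts to effectively random bytes, so pluto never gets as far as a hash comparison; the padding check fails first and that is the "malformed ECB" message, not a problem with the hashed SA bytes the earlier log lines describe.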