From: Reinhard Moosauer (rm_at_moosauer.de)
Date: Tue Dec 03 2002 - 13:31:11 CET
Hello Andreas,
heureka!
In the meantime I had already the feeling that I am looking for a problem,
where no problem exists.
I mentioned that my CSP-Software needs an Update. Since this update,
everything works (at least my VPN tunnel).
I think you were right with your idea that the signature from
Accession/CSP/smartcard was malformed. But it was not wasted for me, because
I have much more confidence in freeswan's abilties since that quest.
Thanks again for your help.
kind regards,
Reinhard
PS: some time ago, I wrote my own version of CA.sh (openssl), because I think
this one needed a little hand before really being useful.
Works for me. Maybe somebody likes it too.
Andreas wrote:
> Just an idea that popped up in my mind. Could it be that the smartcard's
> padding of the hash value does not comply with PKCS#1? FreeS/WAN's decision
> whether the correct public key was used to decrypt the signature is
> based on the form of the padding, which in your case is not correct:
>>>Nov 29 15:06:27 wall pluto[18645]: | public key for C=DE, CN=My Name,
>>>E=me_at_mydomain.de failed: decrypted SIG payload into a malformed ECB (00
>>>separator not present)
> This means that the padding byte just in front of the MD5 (16 bytes) or
> SHA-1 (20 bytes) hash is not zero. It could also be that Sentinel
> and FreeS/WAN negotiated an MD5 hash but the smartcard assumed a
> SHA-1 hash (or vice versa).
> Regards
> Andreas
Am Montag, 2. Dezember 2002 22:40 schrieben Sie:
> Hello Andreas,
>
> many thanks for the pointer. I started diagnostics with both FS and
> sentinel in full debug mode and tried to compare the actions at both sides.
> First of all: the public key is ok. After comparing serial numbers I loaded
> the certificate as a cacert into FS and compared the RSA "AwEAAcqLJ"
> string. And yes, the smartcard _does_ a successful sign operation each time
> I try to connect. AccessionLite logs it. And I enter my PIN in the reader.
>
> BTW: I can use SSH to log to a linux server with Cert on the same smartcard
> without problems. (with freeware SSH Client 3.2.2 from ssh.com and the same
> AccessionLite)
>
> I can find absolutely no error, nowhere.
> In the logs, there is a point:
> ".. hashing 1248 bytes of SA"
> Until that, everything looks wonderfully clear and matching. There seems
> to be simply no chance to pick any wrong key. The last message before is:
> "Public key validated".
> And again: the public key, which is used to check the RSA Sig came
> obviously in the very same packet.
>
> Pretty wicked.
> At this moment, I cannot try the same cert with&without smartcard, because
> Kobil SmartKey doesn't let me import certs onto my smartcard by now.
> I hope to get this done during next days and maybe this will bring more
> light to this problem. What do you think?
>
> I saved a recording of one of these conversations between FS an Sentinel.
> If somebody feels like, he could take a look at it. Please mail me, because
> I don't want to publish all my data to this list.
>
> I would still appreciate any new idea to track this prob. Who else uses
> smartcards like that?
>
> Have a nice day,
>
> Reinhard
>
> Am Sonntag, 1. Dezember 2002 18:24 schrieben Sie:
> > Hello Reinhard,
> >
> > it seems that the private key with which SSH Sentinel (or rather the
> > smartcard) signs the IKE message does not match the public key contained
> > in the certificate that was sent to FreeS/WAN. Try to find out with the
> > help of
> >
> > ipsec auto --listall
> >
> > if the public key with the key id AwEAAcQLJ belongs to the
> > user certificate issued by TC Trustcenter. If yes then SSH Sentinel
> > does not delegate the signing process to the smartcard but uses some
> > private key of its own.
> >
> > Kind regards
> >
> > Andreas
> >
> > > Hello List,
> > >
> > > With SSH Sentinel 1.4 and Freeswan 1.98b with x509 Patch, I am using
> > > a normal Roadwarrior-Configuration.
> > > Certs had been issued by openssl by now.
> > > So far, everything works fine.
> > >
> > > Now I tried to use a Smartcard-Certificate with SSH Accession. This
> > > Certificate was issued by TC Trustcenter (trustcenter.de).
> > > I set up the TC CA as trusted in Sentinel and configured the VPN to use
> > > my TC certificate.
> > > I also gave the trustcenter CA cert to freeswan. It is listed with
> > > --listcacerts and Fingerprints matches the one shown in Sentinel.
> > >
> > > But FS refused to set up a connection. The error message is:
> > > -----
> > > Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1:
> > > Peer ID is ID_DER_ASN1_DN: 'C=DE
> > > , CN=My Name, E=me_at_mydomain.de'
> > > Nov 29 15:06:27 wall pluto[18645]: "roadwarrior"[2] 149.225.134.23 #1:
> > > Signature check (on C=DE, CN=My Name, E=me_at_mydomain.de) failed (wrong
> > > key?); tried *AwEAAcqLJ
> > > Nov 29 15:06:27 wall pluto[18645]: | public key for C=DE, CN=My Name,
> > > E=me_at_mydomain.de failed: decrypted SIG payload into a malformed ECB (00
> > > separator not present)
> > > Nov 29 15:06:27 wall pluto[18645]: | state transition function for
> > > STATE_MAIN_R2 failed: INVALID_KEY_IN
> > > FORMATION
> > > -----
> > > I would be very grateful for any pointers to fix this problem.
> > > I was not able to subscribe today, so please mail to my address:
> > > rm_at_moosauer.de
> > >
> > > Thanks a lot,
> > >
> > > Reinhard
> > >
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users_at_lists.freeswan.org
> > > http://lists.freeswan.org/mailman/listinfo/users
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Dec 04 2002 - 05:20:58 CET