[strongSwan-dev] Read private key with OpenSSL Engine

Ignacio Alamo Corsino nacao2001 at hotmail.com
Wed Aug 9 16:27:21 CEST 2017


after some research, I think I can answer my own question in case anyone finds the same problem in the future.

The line that should be added in this case to ipsec.secrets is:

<leftipaddress> : PIN %smartcard:N "1234"

Being N the slot number of the smartcard and "pin1234" the pin code.

More info here: https://wiki.strongswan.org/projects/strongswan/wiki/PinSecret

After this step, I still had problems because when I wrote my engine, I didn't implement a PIN command.

This has to be added to your OpenSSL Engine implementation.

As an example, one can take a look to the implementation of the OpenSSL dynamic engine:


Now the key is loaded and everything works fine.

Hope this helps anyone.

Best regards,


De: Dev <dev-bounces at lists.strongswan.org> en nombre de Ignacio Alamo Corsino <nacao2001 at hotmail.com>
Enviado: lunes, 7 de agosto de 2017 15:55
Para: dev at lists.strongswan.org
Asunto: [strongSwan-dev] Read private key with OpenSSL Engine


I have written an OpenSSL engine to communicate with my smartcard (no pkcs#11 involved).

This engine loads some private key information from the smartcard (n,e) and also performs private key operations like signing.

The private key is normally loaded with the ENGINE_load_private_key OpenSSL function.

The problem that I have is that I don't know how to tell strongSwan to load the private key information using my engine in ipsec.secrets,

so I always end up with an "no private key found for 'Cert_XXXXXX'" error.

I am aware that I should use the openssl plugin but I don't know how to apply it to this case.

Thanks for your time.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20170809/244afb43/attachment.html>

More information about the Dev mailing list