[strongSwan-dev] Read private key with OpenSSL Engine
Ignacio Alamo Corsino
nacao2001 at hotmail.com
Wed Aug 9 16:27:21 CEST 2017
Hello,
after some research, I think I can answer my own question in case anyone finds the same problem in the future.
The line that should be added in this case to ipsec.secrets is:
<leftipaddress> : PIN %smartcard:N "1234"
N being the slot number of the smartcard and "pin1234" the PIN code.
More info here: https://wiki.strongswan.org/projects/strongswan/wiki/PinSecret
After this step, I still had problems because when I wrote my engine, I didn't implement a PIN command.
This has to be added to your OpenSSL Engine implementation.
As an example, one can take a look at the implementation of the OpenSSL dynamic engine:
https://github.com/openssl/openssl/blob/master/crypto/engine/eng_dyn.c
Now the key is loaded and everything works fine.
Hope this helps anyone.
Best regards,
Ignacio
________________________________
From: Dev <dev-bounces at lists.strongswan.org> on behalf of Ignacio Alamo Corsino <nacao2001 at hotmail.com>
Sent: Monday, 7 August 2017 15:55
To: dev at lists.strongswan.org
Subject: [strongSwan-dev] Read private key with OpenSSL Engine
Hello,
I have written an OpenSSL engine to communicate with my smartcard (no pkcs#11 involved).
This engine loads some private key information from the smartcard (n,e) and also performs private key operations like signing.
The private key is normally loaded with the ENGINE_load_private_key OpenSSL function.
The problem that I have is that I don't know how to tell strongSwan to load the private key information using my engine in ipsec.secrets,
so I always end up with a "no private key found for 'Cert_XXXXXX'" error.
I am aware that I should use the openssl plugin but I don't know how to apply it to this case.
Thanks for your time.
Regards,
Ignacio