[strongSwan] strongSwan with eToken

Martin Willi martin at strongswan.org
Wed Nov 10 15:21:11 CET 2010


> Do I need to set the "Extended Key Usage"?

No, unless you use the NetworkManager frontend. 

> C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID

Looks like your PKCS#11 library does not like the search template for
certificates.

> loaded private key from
> %smartcard1 at eToken:33423544384442423444303736374239

The private key loads fine, though. 

> no private key found for 'winterer at vpn'

If the daemon has no certificate, it of course can't find a
private key for an identity.

> loaded PKCS#11 v2.1 library 'eToken-module'

I have implemented the PKCS#11 interface against v2.30, your library is
v2.1. Probably the CKA_TRUSTED attribute is not supported and the search
template fails.

You may try the attached patch, it removes the TRUSTED flag from the
search template. Using this patch, ALL certificates from any token are
handled as trusted (i.e. as CA root anchor if the CA constraint is set).

If this works, I'll add a v2.1-specific variant for the search template.

Regards
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Handle-all-certificates-from-PKCS-11-tokens-as-trust.patch
Type: text/x-patch
Size: 1125 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101110/86b8bed5/attachment.bin>
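
Added example, not strongSwan code and not the attached patch: a certificate search in C that retries without CKA_TRUSTED when the module answers CKR_ATTRIBUTE_TYPE_INVALID, and tells the caller whether the trust filter was actually applied. The PKCS#11 typedefs are minimal re-declarations; find_init_fn, the two mock modules and find_certs_init are hypothetical names.

```c
#include <stdio.h>
/* Types and constant values as defined by the PKCS#11 specification. */
typedef unsigned long CK_ULONG, CK_RV, CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL
#define CKA_CLASS                  0x00UL
#define CKA_CERTIFICATE_TYPE       0x80UL
#define CKA_TRUSTED                0x86UL
#define CKO_CERTIFICATE            0x01UL
#define CKC_X_509                  0x00UL

/* Hypothetical stand-in for C_FindObjectsInit(); the session handle is omitted. */
typedef CK_RV (*find_init_fn)(CK_ATTRIBUTE *tmpl, CK_ULONG count);
/* Constructed mock: a module that does not know CKA_TRUSTED. */
CK_RV old_module_find_init(CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    for (CK_ULONG i = 0; i < count; i++)
        if (tmpl[i].type == CKA_TRUSTED)
            return CKR_ATTRIBUTE_TYPE_INVALID;
    return CKR_OK;
}
/* Constructed mock: a module that accepts the full template. */
CK_RV new_module_find_init(CK_ATTRIBUTE *t, CK_ULONG n) { (void)t; (void)n; return CKR_OK; }

/* Start an X.509 certificate search. *trust_filtered is 1 only if the module
 * applied the CKA_TRUSTED filter; 0 means the results say nothing about trust. */
CK_RV find_certs_init(find_init_fn find_init, CK_BBOOL trusted, int *trust_filtered)
{
    CK_ULONG cls = CKO_CERTIFICATE, type = CKC_X_509;
    CK_ATTRIBUTE tmpl[] = {
        {CKA_CLASS, &cls, sizeof(cls)},
        {CKA_CERTIFICATE_TYPE, &type, sizeof(type)},
        {CKA_TRUSTED, &trusted, sizeof(trusted)},
    };
    CK_RV rv = find_init(tmpl, 3);
    *trust_filtered = (rv == CKR_OK);
    if (rv == CKR_ATTRIBUTE_TYPE_INVALID)
        rv = find_init(tmpl, 2); /* retry without the trailing CKA_TRUSTED entry */
    return rv;
}

int main(void)
{
    int filtered;
    CK_RV rv = find_certs_init(old_module_find_init, 1, &filtered);
    printf("rv=0x%lx trust_filtered=%d\n", rv, filtered);
    return 0;
}
```

When trust_filtered comes back 0, the caller has to choose how to treat the returned certificates; the patch described in this message treats all of them as trusted.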

