[strongSwan] strongSwan with eToken

Peter Winterer winterer at informatik.uni-freiburg.de
Wed Nov 10 16:00:26 CET 2010

After applying your patch, it works :)
00[CFG] loaded PKCS#11 v2.1 library 'eToken' (/usr/lib/libeTPkcs11.so)
00[CFG]   Aladdin Ltd.: eToken PKCS#11 v5.0
00[CFG]   found token in slot 'eToken':1 (AKS ifdh 00 00)
00[CFG]     eToken (Aladdin Knowledge Systems Ltd.: eToken)
00[CFG]     loaded trusted cert '726B6D14FAFB125D'
00[CFG]     loaded trusted cert '(eTCAPI) MoPo Root-CA's MoPo WLAN Uni
Freiburg ID'


Am 10.11.2010 15:21, schrieb Martin Willi:
>> Do I need to set the "Extended Key Usage"?
> No, unless you use the NetworkManager frontend. 
>> C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
> Looks like your PKCS#11 library does not like the search template for
> certificates.
>> loaded private key from
>> %smartcard1 at eToken:33423544384442423444303736374239
> The private key loads fine, though. 
>> no private key found for 'winterer at vpn'
> If the daemon does have no certificate, it of course can't find a
> private key for an identity.
>> loaded PKCS#11 v2.1 library 'eToken-module'
> I have implemented the PKCS#11 interface against v2.30, your library is
> v2.1. Probably the CKA_TRUSTED attribute is not supported and the search
> template fails.
> You may try the attached patch, it removes the TRUSTED flag from the
> search template. Using this patch, ALL certificates from any token are
> handled as trusted (i.e. as CA root anchor if the CA constraint is set).
> If this works, I'll add v2.1 specific variant for the search template.

More information about the Users mailing list