[strongSwan] strongSwan with eToken
Peter Winterer
winterer at informatik.uni-freiburg.de
Wed Nov 10 16:00:26 CET 2010
After applying your patch, it works :)
..
00[CFG] loaded PKCS#11 v2.1 library 'eToken' (/usr/lib/libeTPkcs11.so)
00[CFG] Aladdin Ltd.: eToken PKCS#11 v5.0
00[CFG] found token in slot 'eToken':1 (AKS ifdh 00 00)
00[CFG] eToken (Aladdin Knowledge Systems Ltd.: eToken)
00[CFG] loaded trusted cert '726B6D14FAFB125D'
00[CFG] loaded trusted cert '(eTCAPI) MoPo Root-CA's MoPo WLAN Uni Freiburg ID'
..
Thanks,
peter
On 10.11.2010 15:21, Martin Willi wrote:
>
>> Do I need to set the "Extended Key Usage"?
>
> No, unless you use the NetworkManager frontend.
>
>> C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
>
> Looks like your PKCS#11 library does not like the search template for
> certificates.
>
>> loaded private key from
>> %smartcard1 at eToken:33423544384442423444303736374239
>
> The private key loads fine, though.
>
>> no private key found for 'winterer at vpn'
>
> If the daemon has no certificate, it of course can't find a
> private key for an identity.
>
>> loaded PKCS#11 v2.1 library 'eToken-module'
>
> I have implemented the PKCS#11 interface against v2.30, your library is
> v2.1. Probably the CKA_TRUSTED attribute is not supported and the search
> template fails.
>
> You may try the attached patch, it removes the TRUSTED flag from the
> search template. Using this patch, ALL certificates from any token are
> handled as trusted (i.e. as CA root anchor if the CA constraint is set).
>
> If this works, I'll add a v2.1-specific variant for the search template.
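
Added example, not strongSwan's code and not the attached patch: one way a certificate search could retry without CKA_TRUSTED when the library answers ATTRIBUTE_TYPE_INVALID, while telling the caller that the token did not filter by trust, so the results are not all treated as CA anchors. The helper name cert_search_init, the two mock libraries and the other template attributes (CKA_CLASS, CKA_CERTIFICATE_TYPE) are assumptions for illustration.

```c
#include <stdio.h>
/* Minimal PKCS#11 declarations (values as in the standard pkcs11t.h),
 * redeclared here so the example builds without vendor headers. */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
enum { CKA_CLASS = 0x00, CKA_CERTIFICATE_TYPE = 0x80, CKA_TRUSTED = 0x86,
       CKO_CERTIFICATE = 0x01, CKC_X_509 = 0x00,
       CKR_OK = 0x00, CKR_ATTRIBUTE_TYPE_INVALID = 0x12 };
typedef CK_RV (*find_init_fn)(CK_SESSION_HANDLE, CK_ATTRIBUTE *, CK_ULONG);

/* Constructed stand-in for a v2.1 library that rejects CKA_TRUSTED. */
static CK_RV mock_v21_find_init(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n)
{
    (void)s;
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == CKA_TRUSTED) return CKR_ATTRIBUTE_TYPE_INVALID;
    return CKR_OK;
}
/* Constructed stand-in for a library that accepts the full template. */
static CK_RV mock_v230_find_init(CK_SESSION_HANDLE s, CK_ATTRIBUTE *t, CK_ULONG n)
{ (void)s; (void)t; (void)n; return CKR_OK; }

/* Start an X.509 certificate search, asking the token to filter on CKA_TRUSTED.
 * *token_filtered is 1 if the token accepted that filter, 0 if the search fell
 * back to all certificates and the caller must decide trust by other means. */
static CK_RV cert_search_init(find_init_fn find_init, CK_SESSION_HANDLE session,
                              CK_BBOOL want_trusted, int *token_filtered)
{
    CK_ULONG cls = CKO_CERTIFICATE, type = CKC_X_509;
    CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS, &cls, sizeof(cls) },
        { CKA_CERTIFICATE_TYPE, &type, sizeof(type) },
        { CKA_TRUSTED, &want_trusted, sizeof(want_trusted) },
    };
    CK_RV rv = find_init(session, tmpl, 3);
    *token_filtered = (rv == CKR_OK);
    if (rv == CKR_ATTRIBUTE_TYPE_INVALID)
        rv = find_init(session, tmpl, 2);   /* retry without CKA_TRUSTED */
    return rv;
}

int main(void)
{
    int f21, f230;
    CK_RV r21 = cert_search_init(mock_v21_find_init, 1, 1, &f21);
    CK_RV r230 = cert_search_init(mock_v230_find_init, 1, 1, &f230);
    printf("v2.1: rv=%lu filtered=%d; v2.30: rv=%lu filtered=%d\n", r21, f21, r230, f230);
    return 0;
}
```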