[strongSwan] strongSwan with "FEITIAN PKI card"

Peter Winterer winterer at informatik.uni-freiburg.de
Fri Nov 12 11:29:09 CET 2010


Hi Martin,
since everything now works with the eToken, I was thinking that the
processes should be similar for a "FEITIAN PKI card".
So I made the following changes to the strongSwan setup. However, it
doesn't work for me. Maybe I selected the wrong pkcs11-lib?

Could you please take a look at the config and logs below:
(Linux distro: Ubuntu 10.10)

ipsec.secrets:
 : PIN %smartcard at openSC:45 XXXX

strongswan.conf:
..

   pkcs11 {
     modules {
       openSC {
         path = /usr/lib/opensc-pkcs11.so
       }
     }
   }
..

daemon.log:
...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
..--<loop>--...

syslog:
...
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC'
(/usr/lib/opensc-pkcs11.so)
charon: 00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11
API v0.0
kernel: [94745.511060] charon[8281]: segfault at 1 ip 00000001 sp
bfeb733c error 4 in librt-2.12.1.so[110000+7000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC'
(/usr/lib/opensc-pkcs11.so)
charon: 00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11
API v0.0
kernel: [94751.542447] charon[8284]: segfault at 1 ip 00000001 sp
bfb1edbc error 4 in libc-2.12.1.so[110000+157000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC'
(/usr/lib/opensc-pkcs11.so)
charon: 00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11
API v0.0
kernel: [94757.584391] charon[8288]: segfault at 1 ip 00000001 sp
bfcaafac error 4 in libstrongswan-random.so[110000+1000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC'
(/usr/lib/opensc-pkcs11.so)
charon: 00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11
API v0.0
kernel: [94763.606013] charon[8290]: segfault at 1 ip 00000001 sp
bfb0bc7c error 4 in libstrongswan-x509.so[110000+d000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC'
(/usr/lib/opensc-pkcs11.so)
charon: 00[CFG]   OpenSC (www.opensc-project.org): smart card PKCS#11
API v0.0
kernel: [94769.640363] charon[8293]: segfault at 1 ip 00000001 sp
bfbd4b1c error 4 in libstrongswan-sha2.so[110000+3000]


"FEITIAN PKI card":

pkcs15-tool --list-pins --list-keys --list-certificates
-------------
Using reader with a card: Dell smart card reader keyboard 00 00
X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3f0050153145
        ID       : 45

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract,
local
        ModLength   : 1024
        Key ref     : 1
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

PIN [User PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x30], initialized, needs-padding
        Length    : min_len:4, max_len:16, stored_len:16
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015
-------------

pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 0 --login
--list-objects
-------------
Please enter User PIN:
Private Key Object; RSA
  label:      Private Key
  ID:         45
  Usage:      sign
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
-----------

On 10.11.2010 14:54, Peter Winterer wrote:
> 
> ipsec.secrets:
>  : PIN %smartcard1 at eToken:33423544384442423444303736374239 XXXX
> 
> ipsec.conf:
> .....
> conn mopo
>       left=%defaultroute
>       keyexchange=ike
>       leftsourceip=%config
>       leftid=winterer at vpn
>       leftfirewall=no
>       right=ip-gw
>       rightsubnet=0.0.0.0/0
>       rightid=root at vpn
>       auto=add
> ...
> 
> strongswan.conf:
> ....
> libstrongswan {
> 
>         #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
>          # ...
>   plugins {
>     pkcs11 {
>       modules {
>           eToken {
>           path = /usr/lib/libeTPkcs11.so
>         }
>       }
>     }
>   }
> }
> ....
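A small consistency check for the two files the post wires together, added here as an example and not part of the original mail or of strongSwan itself. It parses the pkcs11 `modules` block of strongswan.conf and the `%smartcard` entries of ipsec.secrets (strongSwan 4.x syntax `: PIN %smartcard[<slot>]@<module>:<keyid> "<pin>"`), then reports modules without a library path, library paths that do not exist on disk, and secrets that name a module the daemon never loads. The sample inputs are constructed from the fragments in the thread (module names `openSC` and `eToken`, the posted paths and key IDs); the PIN values are placeholders.

```python
import os
import re

# Constructed sample mirroring the strongswan.conf fragment in the post.
STRONGSWAN_CONF = """
libstrongswan {
  plugins {
    pkcs11 {
      modules {
        openSC {
          path = /usr/lib/opensc-pkcs11.so
        }
      }
    }
  }
}
"""

# Constructed ipsec.secrets lines (PINs are placeholders):
#   : PIN %smartcard[<slot>]@<module>:<keyid> "<pin>"
IPSEC_SECRETS = """
: PIN %smartcard@openSC:45 "1234"
: PIN %smartcard1@eToken:33423544384442423444303736374239 "1234"
"""

SECRET_RE = re.compile(
    r'^\s*:\s*PIN\s+%smartcard(?P<slot>\d*)'
    r'(?:@(?P<module>[^:\s]+))?'
    r'(?::(?P<keyid>[0-9A-Fa-f]+))?'
    r'\s+(?P<pin>\S+)'
)


def parse_pkcs11_modules(conf_text):
    """Return {module_name: library_path} from the pkcs11.modules block.

    Brace nesting is tracked by section name, so only sections directly
    under 'pkcs11 { modules { ... } }' are treated as module definitions.
    A module declared without a 'path' key maps to None."""
    modules = {}
    stack = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.endswith('{'):
            name = line[:-1].strip()
            stack.append(name)
            if stack[-3:-1] == ['pkcs11', 'modules']:
                current = name
                modules[current] = None
            continue
        if line == '}':
            if current and stack[-3:] == ['pkcs11', 'modules', current]:
                current = None
            stack.pop()
            continue
        if current and '=' in line:
            key, _, value = line.partition('=')
            if key.strip() == 'path':
                modules[current] = value.strip()
    return modules


def parse_smartcard_secrets(secrets_text):
    """Return one dict per '%smartcard' PIN entry: slot, module, keyid."""
    entries = []
    for line in secrets_text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            entries.append({
                'slot': int(m.group('slot')) if m.group('slot') else None,
                'module': m.group('module'),
                'keyid': m.group('keyid'),
            })
    return entries


def check_smartcard_config(conf_text, secrets_text, path_exists=os.path.exists):
    """Cross-check the two files; returns a list of human-readable problems.

    path_exists is injectable so the check can run without the libraries
    installed (the default looks at the real filesystem)."""
    modules = parse_pkcs11_modules(conf_text)
    problems = []
    for name, path in modules.items():
        if path is None:
            problems.append("module '%s' has no path" % name)
        elif not path_exists(path):
            problems.append("module '%s': library %s not found" % (name, path))
    for e in parse_smartcard_secrets(secrets_text):
        if e['module'] and e['module'] not in modules:
            problems.append("secret references unknown module '%s'" % e['module'])
        if e['keyid'] is None:
            problems.append("secret for module '%s' gives no keyid" % e['module'])
    return problems


if __name__ == '__main__':
    for p in check_smartcard_config(STRONGSWAN_CONF, IPSEC_SECRETS):
        print("WARNING:", p)
```

Run against the real files with `check_smartcard_config(open('/etc/strongswan.conf').read(), open('/etc/ipsec.secrets').read())`; with the sample above it flags only the `eToken` secret, whose module is not declared in the openSC-only strongswan.conf.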