[strongSwan] strongSwan with "FEITIAN PKI card"
Peter Winterer
winterer at informatik.uni-freiburg.de
Fri Nov 12 11:29:09 CET 2010
Hi Martin,
since everything now works with the eToken, I was thinking that the
processes should be similar for a "FEITIAN PKI card".
So I made the following changes to the strongSwan setup. However, it
doesn't work for me. Maybe I selected the wrong pkcs11-lib?
Could you please take a look at the config and logs below:
(Linux distribution: Ubuntu 10.10)
ipsec.secrets:
: PIN %smartcard@openSC:45 XXXX
strongswan.conf:
..
pkcs11 {
    modules {
        openSC {
            path = /usr/lib/opensc-pkcs11.so
        }
    }
..
daemon.log:
...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
..--<loop>--...
syslog:
...
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
charon: 00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
kernel: [94745.511060] charon[8281]: segfault at 1 ip 00000001 sp bfeb733c error 4 in librt-2.12.1.so[110000+7000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
charon: 00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
kernel: [94751.542447] charon[8284]: segfault at 1 ip 00000001 sp bfb1edbc error 4 in libc-2.12.1.so[110000+157000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
charon: 00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
kernel: [94757.584391] charon[8288]: segfault at 1 ip 00000001 sp bfcaafac error 4 in libstrongswan-random.so[110000+1000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
charon: 00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
kernel: [94763.606013] charon[8290]: segfault at 1 ip 00000001 sp bfb0bc7c error 4 in libstrongswan-x509.so[110000+d000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
charon: 00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
kernel: [94769.640363] charon[8293]: segfault at 1 ip 00000001 sp bfbd4b1c error 4 in libstrongswan-sha2.so[110000+3000]
"FEITIAN PKI card":
pkcs15-tool --list-pins --list-keys --list-certificates
-------------
Using reader with a card: Dell smart card reader keyboard 00 00
X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3f0050153145
        ID       : 45
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 1
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45
PIN [User PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x30], initialized, needs-padding
        Length    : min_len:4, max_len:16, stored_len:16
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015
-------------
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 0 --login --list-objects
-------------
Please enter User PIN:
Private Key Object; RSA
  label:      Private Key
  ID:         45
  Usage:      sign
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
-----------
On 10.11.2010 14:54, Peter Winterer wrote:
>
> ipsec.secrets:
> : PIN %smartcard1@eToken:33423544384442423444303736374239 XXXX
>
> ipsec.conf:
> .....
> conn mopo
>     left=%defaultroute
>     keyexchange=ike
>     leftsourceip=%config
>     leftid=winterer@vpn
>     leftfirewall=no
>     right=ip-gw
>     rightsubnet=0.0.0.0/0
>     rightid=root@vpn
>     auto=add
> ...
>
> strongswan.conf:
> ....
> libstrongswan {
>
>     # set to no, the DH exponent size is optimized
>     # dh_exponent_ansi_x9_42 = no
>     # ...
>     plugins {
>         pkcs11 {
>             modules {
>                 eToken {
>                     path = /usr/lib/libeTPkcs11.so
>                 }
>             }
>         }
>     }
> }
> ....
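Added example, not part of the mail above: a small Python triage helper for the kernel segfault lines quoted in the syslog excerpt (re-joined into single lines as a constructed sample). It decodes the x86 page-fault error code and flags two things worth noticing in these lines: the faulting ip equals the faulting address and is 1, so charon transferred control through a corrupt function pointer rather than crashing on a data access, and that address lies outside the mapping the kernel names after "in", so the library named there is not where the crash happened. The field names and thresholds are the example's own choices.

```python
import re

# Constructed sample: the kernel segfault lines from the syslog excerpt above,
# re-joined into single lines, plus one unrelated charon line to be skipped.
SAMPLE_SYSLOG = """\
kernel: [94745.511060] charon[8281]: segfault at 1 ip 00000001 sp bfeb733c error 4 in librt-2.12.1.so[110000+7000]
kernel: [94751.542447] charon[8284]: segfault at 1 ip 00000001 sp bfb1edbc error 4 in libc-2.12.1.so[110000+157000]
kernel: [94757.584391] charon[8288]: segfault at 1 ip 00000001 sp bfcaafac error 4 in libstrongswan-random.so[110000+1000]
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def decode_error(err):
    """Decode the x86 page-fault error code printed after 'error'."""
    return {
        "present": bool(err & 1),  # False: page not mapped at all
        "write": bool(err & 2),    # False: read or instruction fetch
        "user": bool(err & 4),     # True: fault raised in user mode
    }

def parse_segfaults(text):
    """Return one dict per kernel segfault line found in text."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        addr, ip = int(m["addr"], 16), int(m["ip"], 16)
        base, size = int(m["base"], 16), int(m["size"], 16)
        events.append({
            "comm": m["comm"], "pid": int(m["pid"]),
            "addr": addr, "ip": ip, "object": m["obj"],
            "error": decode_error(int(m["err"])),
            # Does the faulting ip actually lie inside the mapping the kernel
            # named after 'in'? Here it never does (1 is far below 0x110000),
            # so the library names in these lines are not the crash site.
            "ip_in_named_mapping": base <= ip < base + size,
            # ip equals the faulting address and is near zero: the CPU tried
            # to fetch an instruction from that address, i.e. control was
            # transferred through a corrupt (NULL+1) function pointer.
            "control_transfer_to_bad_addr": ip == addr and ip < 0x1000,
        })
    return events
```

Running parse_segfaults over a real syslog and grouping by "object" makes it obvious when the named library changes on every crash while ip does not, which is the pattern in the excerpt above.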