[strongSwan] strongSwan with "FEITIAN PKI card"
Peter Winterer
winterer at informatik.uni-freiburg.de
Wed Nov 17 16:45:27 CET 2010
Martin, thank you for your answer and sorry for the delay of mine!
I have applied your patch and it solves the seg fault.
However, another issue occurs: charon can't read the secret key from the
card. Thanks for taking a look at the logs/configs below:
ipsec.secrets:
..
: PIN %smartcard0@openSC:45 XXXX
..
strongswan.conf:
...
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                openSC {
                    path = /usr/lib/opensc-pkcs11.so
                    os_locking=yes
                }
            }
        }
    }
}
daemon.log:
...
charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
charon: 00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG] OpenSC (www.opensc-project.org): smart card PKCS#11 API v0.0
00[CFG] uses OS locking functions
00[CFG] found token in slot 'openSC':0 (Dell smart card reader keyboard 00 00)
charon: 00[CFG] MoPo (User PIN) (EnterSafe: PKCS#15)
charon: 00[CFG] loaded trusted cert 'Certificate'
...
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loaded ca certificate "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo Root-CA" from '/etc/ipsec.d/cacerts/root.pem'
...
charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID
charon: 00[LIB] building CRED_PRIVATE_KEY - (0) failed, tried 3 builders
....
charon: 00[JOB] spawning 16 worker threads
charon: 05[CFG] module 'openSC' does not support hot-plugging, cancelled
charon: 08[CFG] received stroke: add connection 'mopo'
...
pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 0 --login --list-objects
Please enter User PIN:
Private Key Object; RSA
  label:      Private Key
  ID:         45
  Usage:      sign
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
Regards
peter
On 12.11.2010 14:54, Martin Willi wrote:
> The OpenSC library seems to work fine with OS Locking functions.
> Unfortunately, we can't enforce these for OpenSC: querying the library
> name is not allowed before initializing it.
>
> The attached patch allows you to enforce these functions by specifying
> os_locking=yes in your PKCS#11 module section.
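As an added diagnostic example (not code from this mail, nor from strongSwan or OpenSC), the script below parses the `: PIN %smartcard...` line from ipsec.secrets and the `pkcs11-tool --list-objects` listing, then checks that the key ID named in the secret maps to a private key on the token that is marked for signing and has a matching public key or certificate. The specifier syntax `%smartcard[<slot>[@<module>]][:<keyid>]` is assumed from the strongSwan ipsec.secrets documentation, and the sample inputs are constructed from the values quoted in the mail (PIN redacted).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, built from the values shown in the mail above.
SECRETS_LINE = ': PIN %smartcard0@openSC:45 XXXX'

PKCS11_TOOL_OUTPUT = """\
Private Key Object; RSA
  label:      Private Key
  ID:         45
  Usage:      sign
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      none
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45
"""

# Assumed strongSwan syntax: %smartcard[<slot>[@<module>]][:<keyid>], keyid in hex.
SPEC_RE = re.compile(
    r"^%smartcard(?P<slot>\d+)?(?:@(?P<module>[^:\s]+))?(?::(?P<keyid>[0-9A-Fa-f]+))?$"
)
# ipsec.secrets PIN line: "<selectors> : PIN <specifier> <pin>"
PIN_LINE_RE = re.compile(r"^\s*(?P<selectors>[^:]*):\s*PIN\s+(?P<spec>\S+)\s+(?P<pin>\S+)")
# pkcs11-tool prints one header per object ("<kind> Object; ..." or "<kind> Object, ...")
HEADER_RE = re.compile(r"^(?P<kind>.+?) Object[;,]")
# followed by indented "key: value" attribute lines
ATTR_RE = re.compile(r"^(?P<key>[A-Za-z][\w ]*?):\s*(?P<value>.*)$")


@dataclass
class SmartcardSpec:
    slot: Optional[int]
    module: Optional[str]
    keyid: Optional[str]  # normalised lower-case hex string, e.g. "45"


@dataclass
class TokenObject:
    kind: str  # "Private Key", "Public Key", "Certificate"
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_pin_line(line: str) -> SmartcardSpec:
    """Split an ipsec.secrets PIN line into slot, module and key ID."""
    m = PIN_LINE_RE.match(line)
    if not m:
        raise ValueError("not a PIN secret line: %r" % line)
    spec = SPEC_RE.match(m["spec"])
    if not spec:
        raise ValueError("bad smartcard specifier: %r" % m["spec"])
    return SmartcardSpec(
        slot=int(spec["slot"]) if spec["slot"] is not None else None,
        module=spec["module"],
        keyid=spec["keyid"].lower() if spec["keyid"] else None,
    )


def parse_pkcs11_tool_objects(text: str) -> List[TokenObject]:
    """Parse 'pkcs11-tool --list-objects' output; indentation is not relied on,
    because mail clients and archives often strip it (as happened above)."""
    objects: List[TokenObject] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            objects.append(TokenObject(kind=h["kind"]))
            continue
        a = ATTR_RE.match(line)
        if a and objects:
            objects[-1].attrs[a["key"].strip().lower()] = a["value"].strip()
    return objects


def check_key_for_spec(spec: SmartcardSpec, objects: List[TokenObject]) -> List[str]:
    """Return the problems found; an empty list means the token holds a signing
    private key with the requested ID plus a public key or certificate to pair it with."""
    problems: List[str] = []
    if spec.keyid is None:
        problems.append("no key ID in the specifier; the daemon must choose a key by other means")
        return problems

    def with_id(kind: str) -> List[TokenObject]:
        return [o for o in objects
                if o.kind == kind and o.attrs.get("id", "").lower() == spec.keyid]

    privs = with_id("Private Key")
    if not privs:
        problems.append("no private key object with ID %s on the token" % spec.keyid)
    elif "sign" not in privs[0].attrs.get("usage", ""):
        problems.append("private key %s is not marked for signing" % spec.keyid)
    if not with_id("Public Key") and not with_id("Certificate"):
        problems.append("no public key or certificate with ID %s to pair with the private key"
                        % spec.keyid)
    return problems


if __name__ == "__main__":
    s = parse_pin_line(SECRETS_LINE)
    objs = parse_pkcs11_tool_objects(PKCS11_TOOL_OUTPUT)
    print("slot=%s module=%s keyid=%s" % (s.slot, s.module, s.keyid))
    print("problems:", check_key_for_spec(s, objs) or "none")
```

For the listing quoted in the mail the check passes (slot 0, module openSC, key ID 45, private key usable for signing, public key and certificate present), which is what makes this configuration interesting: the ID mapping is fine, so the failure reported by charon lies in how the key's attributes are read from the token rather than in a mismatched specifier.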