[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de richter at ecos.de
Fri Oct 12 06:13:31 CEST 2012


Hi Martin,

> 
> > : PIN %smartcard:70ee000003ef %prompt
> 
> > [...] pkcs11_public_key_connect later on fails.
> 
> Does your token contain a public key object that is readable without login?

[[GR]] Yes

> Does this public key have the same CKA_ID keyid as the associated private
> key?

[[GR]] Not sure. pkcs11-tool -O only shows the certificate ID, not the ID of the public key. Which tool can I use to view the public key ID?
At least the private key id is the same as the certificate id:

pkcs11-tool --module /usr/lib/libetpkcs11.so -O -l --private
Please enter User PIN: 
Private Key Object; RSA 
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA 
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      (eTCAPI) richter3's  ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Certificate Object, type = X.509 cert
  label:      (eTCAPI) richter3's  ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31


> 
> This is required to find the correct module and slot before login. If it isn't the
> case, you might try to specify module and slot explicitly (man ipsec.secrets
> for syntax details). This way the login is enforced without checking for a
> public key, so make sure to select the right module and token.
> 

[[GR]] http://wiki.strongswan.org/projects/strongswan/wiki/PinSecret says: "The IKEv2 daemon supports multiple modules (configured in strongswan.conf) with the format %smartcard[<slotnr>[@<module>]]:<keyid>, but always requires a keyid to uniquely select the correct key." 

And as expected if I try

: PIN %smartcard1@etoken-module %prompt

I get

charon: 15[CFG] line 22: the given %smartcard specifier is invalid


There was a second question in my original mail. With my second card "ipsec secrets" works and the private key is loaded correctly, but when it comes to authentication, no private RSA key is found. Is there another way to specify the private key in addition to giving the subject as leftid?

Thanks & Regards

Gerald
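The CKA_ID question raised in the thread (whether the public key, private key and certificate on the token share one ID, and how to see the public key's ID at all) can be checked with OpenSC's pkcs11-tool and a small script. The Python below is an added example, not code from the original thread, from strongSwan or from OpenSC: it builds the pkcs11-tool listing commands per object class (pkcs11-tool's `--type cert|privkey|pubkey` filter), parses the listing format shown in the post, groups objects by CKA_ID, reports IDs that have a private key but no public key object (the case in which a `%smartcard:<keyid>` lookup has nothing to find before login), and decodes the hex ID to text. The embedded sample listing is constructed: it reuses the private key and certificate entries from the post and adds a made-up "Public Key Object" entry for the first ID only, so the second ID is reported as lacking a public key. The module path is the one from the post.

```python
"""Check that public key, private key and certificate objects on a PKCS#11
token share one CKA_ID, by parsing `pkcs11-tool -O` output.
Added example; not strongSwan or OpenSC code."""
import subprocess

MODULE = "/usr/lib/libetpkcs11.so"  # module path taken from the post


def listing_command(obj_type, login=False):
    """pkcs11-tool command listing one object class ('cert', 'privkey', 'pubkey').
    Public keys and certificates are normally readable without login;
    private key objects require --login (-l)."""
    cmd = ["pkcs11-tool", "--module", MODULE, "-O", "--type", obj_type]
    if login:
        cmd.append("-l")
    return cmd


def run_listing(obj_type, login=False):
    """Run the listing against a real token (not used by the offline demo)."""
    proc = subprocess.run(listing_command(obj_type, login), check=True,
                          capture_output=True, text=True)
    return proc.stdout


# Header prefixes pkcs11-tool prints for each object class.
TYPE_PREFIXES = {
    "Private Key Object": "privkey",
    "Public Key Object": "pubkey",
    "Certificate Object": "cert",
}


def parse_objects(text):
    """Parse pkcs11-tool -O output into dicts with 'type', 'label', 'id', ...
    Object headers start at column 0; attribute lines are indented."""
    objects = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None and ":" in line:
                key, value = line.strip().split(":", 1)
                current[key.strip().lower()] = value.strip()
            continue
        current = None  # e.g. the "Please enter User PIN:" prompt line
        for prefix, kind in TYPE_PREFIXES.items():
            if line.startswith(prefix):
                current = {"type": kind}
                objects.append(current)
                break
    return objects


def group_by_keyid(objects):
    """Map each CKA_ID (hex string as printed) to the set of object classes."""
    groups = {}
    for obj in objects:
        if "id" in obj:
            groups.setdefault(obj["id"], set()).add(obj["type"])
    return groups


def missing_public_keys(objects):
    """CKA_IDs that have a private key but no public key object; a keyid-based
    smartcard lookup cannot locate these before login."""
    groups = group_by_keyid(objects)
    return sorted(k for k, kinds in groups.items()
                  if "privkey" in kinds and "pubkey" not in kinds)


def decode_keyid(hex_id):
    """CAPI-style middleware often stores an ASCII container name as CKA_ID;
    return it as text when the hex decodes to printable ASCII, else None."""
    try:
        text = bytes.fromhex(hex_id).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


# IDs exactly as printed in the post.
ID0 = "39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30"
ID1 = "39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31"

# Constructed listing: private keys and certificates from the post, plus a
# made-up public key entry for ID0 only (sample data, not real token output).
SAMPLE_LISTING = f"""\
Please enter User PIN:
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         {ID0}
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         {ID1}
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      (eTCAPI) richter3's  ID
  ID:         {ID0}
Certificate Object, type = X.509 cert
  label:      (eTCAPI) richter3's  ID
  ID:         {ID1}
Public Key Object; RSA 2048 bits
  label:      eTCAPI public key
  ID:         {ID0}
  Usage:      encrypt, verify
"""

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_LISTING)
    for keyid, kinds in group_by_keyid(objs).items():
        print(f"{decode_keyid(keyid) or keyid}: {sorted(kinds)}")
    print("private keys without a public key object:",
          [decode_keyid(k) or k for k in missing_public_keys(objs)])
```

Against a real token the three listings would be concatenated from `run_listing("pubkey")`, `run_listing("cert")` and `run_listing("privkey", login=True)` and passed to `parse_objects`; the decoded form of the post's IDs shows they are ASCII container names, which is why they are so much longer than the short byte IDs many tokens use.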







