[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?
Martin Willi
martin at strongswan.org
Fri Oct 12 09:56:55 CEST 2012
Hi,
> > Does your token contain a public key object that is readable without login?
>
> [[GR]] Yes
> pkcs11-tool --module /usr/lib/libetpkcs11.so -O -l --private
> Please enter User PIN:
> Private Key Object; RSA
> label: eTCAPI private key
> ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> Usage: decrypt, sign, unwrap
> Private Key Object; RSA
> label: eTCAPI private key
> ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
> Usage: decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
> label: (eTCAPI) richter3's ID
> ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> Certificate Object, type = X.509 cert
> label: (eTCAPI) richter3's ID
> ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
I don't see a public key object at all, even with login. If you generate
a keypair using PKCS#11, this usually results in both a public and a
private key.
If your private key does not have an associated public key, our pkcs11
backend can't use it (because it can't fingerprint the key). As a
work-around, you can try to extract the certificate, the public key in
it, and store the plain public key with the correct ID back to the
token.
I don't know how exotic it is that a public key is missing, I've never
seen such a token. But if it is not that uncommon, we might provide a
fallback that reads the public key from the certificate.
> : PIN %smartcard1@etoken-module %prompt
> charon: 15[CFG] line 22: the given %smartcard specifier is invalid
You still have to provide the keyid to select the private key. But if you
define slot, module and keyid, pkcs11 does not have to search for a
public key without login, but can immediately login to the token and
load the private key. Anyway, it doesn't help in your case, as the
public key is completely missing.
> Is there another way to specify the private key in addition to give the
> subject as leftid?
No. The certificate is selected based on the leftid. Once we have a
certificate, we look for a private key with a matching keyid (not the
CKA_ID, but the computed hash over the public key).
Regards
Martin
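Added illustration (my own code, not strongSwan's pkcs11 backend and not anything posted in this thread) of the matching problem Martin describes: the private key is located through a public key object whose computed key identifier equals the certificate's, never through CKA_ID. The script builds a toy RSA SubjectPublicKeyInfo with a minimal DER encoder, derives the two SHA-1 key identifiers, decodes the CKA_ID from the listing above to show it is plain text rather than a hash, and models the lookup before and after the work-around (storing the certificate's public key back under the same ID). Assumptions, also marked in comments: the keyid definitions (SHA-1 over subjectPublicKeyInfo and over subjectPublicKey), the toy modulus, and the object list format.

```python
"""Model of certificate -> public key -> private key matching on a PKCS#11 token.
Added example; not strongSwan code. Keyid definitions are an assumption."""
import hashlib

# ---- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # Unsigned INTEGER; the extra byte keeps the sign bit clear when needed.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_public_key_der(n, e):
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    return der_seq(der_int(n), der_int(e))

def spki_der(n, e):
    # SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING holding RSAPublicKey
    algorithm = der_seq(RSA_ENCRYPTION_OID, b"\x05\x00")  # rsaEncryption, NULL
    return der_seq(algorithm, der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e)))

def der_read(data, off=0):
    # Return (tag, body, offset_after_tlv) for the element starting at off.
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[off:off + nbytes], "big")
        off += nbytes
    return tag, data[off:off + length], off + length

def subject_public_key(spki):
    # Extract the raw subjectPublicKey (RSAPublicKey DER) from an SPKI.
    tag, seq, _ = der_read(spki)
    assert tag == 0x30
    _, _, off = der_read(seq)               # skip AlgorithmIdentifier
    tag, bits, _ = der_read(seq, off)
    assert tag == 0x03 and bits[0] == 0     # BIT STRING with no unused bits
    return bits[1:]

# ---- identifiers computed from key material (assumed strongSwan definitions) ----
def keyid_pubkey_info_sha1(spki):
    return hashlib.sha1(spki).hexdigest()

def keyid_pubkey_sha1(spki):
    return hashlib.sha1(subject_public_key(spki)).hexdigest()

# CKA_ID of the first private key / certificate pair in the listing above.
CKA_ID_HEX = "39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30"

def decode_cka_id(hex_id):
    # The token's CKA_ID is readable text, not a hash over the key.
    return bytes.fromhex(hex_id).decode("ascii")

# ---- model of the lookup: certificate -> public key object -> private key ----
def find_private_key(token_objects, cert_spki):
    """Return the CKA_ID of the usable private key, or None.
    A private key is only found through a public key object whose computed
    keyid matches the certificate's; the CKA_ID is then used to pair them."""
    wanted = keyid_pubkey_sha1(cert_spki)
    for obj in token_objects:
        if obj["class"] == "pubkey" and keyid_pubkey_sha1(obj["spki"]) == wanted:
            for priv in token_objects:
                if priv["class"] == "privkey" and priv["id"] == obj["id"]:
                    return priv["id"]
    return None

# Constructed toy key material (not a real RSA modulus); the high bit is set
# so der_int must emit the leading zero byte.
N, E = 0xB1E5C0DE1234ABCD, 65537
CERT_SPKI = spki_der(N, E)

def demo():
    # Token as listed in the thread: certificate and private key, no public key.
    before = [{"class": "cert", "id": CKA_ID_HEX, "spki": CERT_SPKI},
              {"class": "privkey", "id": CKA_ID_HEX}]
    # Work-around: the certificate's public key stored back under the same ID.
    after = before + [{"class": "pubkey", "id": CKA_ID_HEX, "spki": CERT_SPKI}]
    return find_private_key(before, CERT_SPKI), find_private_key(after, CERT_SPKI)

if __name__ == "__main__":
    print("CKA_ID decodes to:", decode_cka_id(CKA_ID_HEX))
    print("keyid (subjectPublicKey):", keyid_pubkey_sha1(CERT_SPKI))
    print("lookup before/after work-around:", demo())
```

Running it prints the decoded CKA_ID, the computed key identifier, and `(None, '3945...3a30')`: the lookup fails while the token holds only certificate and private key, and succeeds once a public key object with the same CKA_ID exists.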