[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

Martin Willi martin at strongswan.org
Fri Oct 12 09:56:55 CEST 2012


Hi,

> > Does your token contain a public key object that is readable without login?
> 
> [[GR]] Yes

> pkcs11-tool --module /usr/lib/libetpkcs11.so -O -l --private
> Please enter User PIN: 
> Private Key Object; RSA 
>   label:      eTCAPI private key
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>   Usage:      decrypt, sign, unwrap
> Private Key Object; RSA 
>   label:      eTCAPI private key
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      (eTCAPI) richter3's  ID
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> Certificate Object, type = X.509 cert
>   label:      (eTCAPI) richter3's  ID
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31

I don't see a public key object at all, even with login. If you generate
a keypair using PKCS#11, this usually results in both a public and a
private key.

If your private key does not have an associated public key, our pkcs11
backend can't use it (because it can't fingerprint the key). As a
work-around, you can try to extract the certificate, the public key in
it, and store the plain public key with the correct ID back to the
token.

I don't know how exotic it is that a public key is missing, I've never
seen such a token. But if it is not that uncommon, we might provide a
fallback that reads the public key from the certificate.

> : PIN %smartcard1@etoken-module %prompt

> charon: 15[CFG] line 22: the given %smartcard specifier is invalid

You still have to provide the keyid to select the private key. But if you
define slot, module and keyid, pkcs11 does not have to search for a
public key without login, but can immediately login to the token and
load the private key. Anyway, it doesn't help in your case, as the
public key is completely missing.

> Is there another way to specify the private key in addition to give the
> subject as leftid?

No. The certificate is selected based on the leftid. Once we have a
certificate, we look for a private key with a matching keyid (not the
CKA_ID, but the computed hash over the public key).

Regards
Martin
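
The work-around described above (pull the public key out of the certificate and write the plain public key back to the token under the private key's CKA_ID) and the key matching described at the end of the message, as an added example that is not part of the original post and not strongSwan's own code. Everything in it is constructed: the DER encoder builds a toy, unsigned certificate around a fake 128-bit "modulus" so the script runs offline; the TOKEN_CKA_ID constant is the ID copied from the pkcs11-tool listing above, which is just the hex encoding of an ASCII GUID string. The parser then extracts the SubjectPublicKeyInfo the way you would from a real certificate dumped with pkcs11-tool --read-object, writes it to pub.der, and computes both SHA-1 key identifiers that strongSwan's pki --print reports ("subjkey" over the subjectPublicKey bit string, i.e. the RFC 5280 subject key identifier, and "keyid" over the whole SubjectPublicKeyInfo); the post only says "the computed hash over the public key", so which of the two forms is compared is not stated there.

```python
import hashlib

# ---- minimal DER encoding helpers (enough to build a toy certificate) ----

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):
    # one extra byte when the high bit is set keeps the INTEGER positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_seq(*parts):
    return tlv(0x30, b"".join(parts))

def der_bitstr(data):
    return tlv(0x03, b"\x00" + data)      # leading 0x00 = no unused bits

def der_oid(arcs):
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))

RSA_ENCRYPTION = der_oid((1, 2, 840, 113549, 1, 1, 1))
SHA256_WITH_RSA = der_oid((1, 2, 840, 113549, 1, 1, 11))
DER_NULL = b"\x05\x00"

# CONSTRUCTED toy values: a 128-bit "modulus" that is not a real key, and the
# private key's CKA_ID exactly as pkcs11-tool printed it in the thread.
TOY_MODULUS = 0xC9A1F3E7B5D2040F71A3B9C5E8D7F6A1
TOKEN_CKA_ID = ("39453945373335312d333545442d343031612d3846"
                "37302d3238463636393036363042303a30")

def rsa_spki(modulus, exponent):
    """SubjectPublicKeyInfo for RSA: AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    rsa_public_key = der_seq(der_int(modulus), der_int(exponent))   # PKCS#1 RSAPublicKey
    return der_seq(der_seq(RSA_ENCRYPTION, DER_NULL), der_bitstr(rsa_public_key))

def toy_certificate(spki):
    """Structurally valid v3 Certificate around spki with a dummy signature (unsigned)."""
    alg = der_seq(SHA256_WITH_RSA, DER_NULL)
    cn = der_seq(der_oid((2, 5, 4, 3)), tlv(0x0C, b"strongswan-client"))  # CN=...
    name = der_seq(tlv(0x31, cn))
    validity = der_seq(tlv(0x17, b"121001000000Z"), tlv(0x17, b"131001000000Z"))
    tbs = der_seq(tlv(0xA0, der_int(2)),     # [0] EXPLICIT version v3
                  der_int(0x1234), alg, name, validity, name, spki)
    return der_seq(tbs, alg, der_bitstr(b"\x00" * 16))

# ---- minimal DER parsing: pull the SubjectPublicKeyInfo back out ----

def read_tlv(buf, pos):
    """Return (tag, content, end) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """(tag, raw_tlv, content) for each element directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = read_tlv(content, pos)
        out.append((tag, content[pos:end], body))
        pos = end
    return out

def extract_spki(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER certificate (the plain public key object)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][2])      # tbsCertificate
    if fields[0][0] == 0xA0:                     # optional [0] version present
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def subject_public_key(spki_der):
    """Contents of the SPKI BIT STRING (for RSA, the PKCS#1 RSAPublicKey)."""
    _, spki, _ = read_tlv(spki_der, 0)
    return children(spki)[1][2][1:]              # drop the unused-bits octet

def fingerprints(cert_der):
    """Both SHA-1 key identifiers strongSwan's pki --print shows for a public key."""
    spki = extract_spki(cert_der)
    return {
        "subjkey": hashlib.sha1(subject_public_key(spki)).hexdigest(),  # RFC 5280 SKI
        "keyid": hashlib.sha1(spki).hexdigest(),                        # whole SPKI
    }

def decode_cka_id(hex_id):
    """The token's CKA_ID is the hex encoding of an ASCII GUID string."""
    return bytes.fromhex(hex_id).decode("ascii")

if __name__ == "__main__":
    spki = rsa_spki(TOY_MODULUS, 65537)
    cert = toy_certificate(spki)
    assert extract_spki(cert) == spki
    with open("pub.der", "wb") as f:             # plain public key to put on the token
        f.write(spki)
    for label, value in fingerprints(cert).items():
        print(f"{label}: {value}")
    print("private key CKA_ID:", decode_cka_id(TOKEN_CKA_ID))
    print("pkcs11-tool --module /usr/lib/libetpkcs11.so --login --write-object pub.der"
          f" --type pubkey --id {TOKEN_CKA_ID}")
```

With a real certificate (pkcs11-tool --read-object --type cert --id <ID> -o cert.der) the same extract_spki gives the DER public key that pkcs11-tool --write-object ... --type pubkey accepts; the --id passed there has to be the private key's CKA_ID in hex, as printed by pkcs11-tool -O, or the backend still finds no public key next to the private one. Whether the token's firmware accepts a public key object written this way is something to check against the eToken itself; the module path and command line are what I would try, not something the post verified.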




