[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de richter at ecos.de
Fri Oct 12 10:47:36 CEST 2012


Hi Martin,

> 
> I don't see a public key object at all, even with login. If you generate a keypair
> using PKCS#11, this usually results in both a public and a private key.
> 
> If your private key does not have an associated public key, our pkcs11
> backend can't use it (because it can't fingerprint the key). As a work-around,
> you can try to extract the certificate, the public key in it, and store the plain
> public key with the correct ID back to the token.
> 
> I don't know how exotic it is that a public key is missing, I've never seen such
> a token. But if it is not that uncommon, we might provide a fallback that
> reads the public key from the certificate.
> 

[[GR]] That's an eToken and the certificate was written with SafeNet Windows software (using Windows CAPI). I also tested with a newer eToken with a Javacard instead of the Siemens OS, but same behavior.

You can't tell me that (Aladdin/Safenet) eTokens are exotic...

What might make the difference is that the certificates are written with Windows CAPI and not using PKCS#11, but this is also not very exotic.

The same token with the same certificates has worked for years with pluto and is still working with OpenVPN on Linux, without the need to extract the certificate. Pluto does not search for a public key, but for a certificate. I didn't look deeper into it, but I guess it always takes the public key from the certificate instead of searching for a public key (because nowhere in the source does it search for a public key).

So it seems that what you describe as a fallback above was the default in pluto?

If you give me a few hints where to start I might be able to provide a patch.

> 
> > Is there another way to specify the private key in addition to give
> > the subject as leftid?
> 
> No. The certificate is selected based on the leftid. Once we have a certificate,
> we look for a private key with a matching keyid (not the CKA_ID, but the
> computed hash over the public key).
> 

[[GR]] The problem on the second token, which has a public key (that is listed with pkcs11-tool) and where the private key is loaded correctly: I have two certificates with the same subject (different usage: sign, encrypt). So is there a way to tell strongSwan which certificate to use (I can't change the smartcard)?

And why is the private key found during "ipsec secrets", but not when I start the connection:

Both keys get loaded:
Oct 12 08:35:01 ThinClient charon: 04[CFG]   loaded private key from %smartcard:70ee000003ef
Oct 12 08:35:01 ThinClient charon: 04[CFG]   loaded private key from %smartcard:70ee000003f0

But when I start the connection:
Oct 12 08:36:04 ThinClient charon: 13[IKE] no RSA private key found for 'C=DE, SN=00000000018388793001, CN=Gerald Richter, S=Richter, G=Gerald, E=gr at xxxx.de, 2b:06:01:05:05:07:09:03=M'

Thanks & Regards

Gerald
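The lookup Martin describes (certificate chosen by leftid, then a private key matched by the hash over the certificate's public key) can be modelled without a token, which helps when checking why a key that was loaded at "ipsec secrets" time is not found when the connection starts. This is an added example, not strongSwan code: it parses the subjectPublicKeyInfo out of a DER certificate and uses SHA-1 over it as the key identifier, which is an assumption about how charon fingerprints keys; the sample certificate is constructed inline and carries a dummy key and signature.

```python
# Added example (not strongSwan code). Models charon's private-key lookup:
# select the certificate, derive a key identifier from its public key, and
# look that identifier up among the loaded %smartcard: keys. The identifier
# is assumed to be SHA-1 over the DER subjectPublicKeyInfo.
import hashlib

def der(tag, value):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(data, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, hlen = data[pos], data[pos + 1], 2
    if length & 0x80:                        # long form: n length bytes follow
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        hlen += n
    return tag, pos + hlen, pos + hlen + length

def spki_from_cert(cert):
    """Return the raw DER subjectPublicKeyInfo of an X.509 certificate."""
    _, cstart, _ = der_tlv(cert, 0)          # Certificate ::= SEQUENCE
    _, pos, end = der_tlv(cert, cstart)      # tbsCertificate ::= SEQUENCE
    elems = []                               # (tag, element_start, element_end)
    while pos < end:
        tag, vstart, vend = der_tlv(cert, pos)
        elems.append((tag, pos, vend))
        pos = vend
    if elems[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        elems.pop(0)
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, stop = elems[5]
    return cert[start:stop]

def keyid(spki):
    """Key identifier as modelled here: hex SHA-1 over the DER SPKI (assumption)."""
    return hashlib.sha1(spki).hexdigest()

def find_private_key(cert, loaded_keys):
    """loaded_keys maps keyid -> '%smartcard:<id>'; None mirrors 'no RSA private key found'."""
    return loaded_keys.get(keyid(spki_from_cert(cert)))

# Constructed sample certificate: dummy 512-bit modulus, empty names, dummy signature.
RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
ALG = der(0x30, RSA_OID + der(0x05, b""))                   # AlgorithmIdentifier
SAMPLE_SPKI = der(0x30, ALG + der(0x03, b"\x00" + der(
    0x30, der(0x02, b"\x00" + b"\xaa" * 64) + der(0x02, b"\x01\x00\x01"))))
SAMPLE_CERT = der(0x30, der(0x30,
    der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG + der(0x30, b"")
    + der(0x30, der(0x17, b"121012084500Z") * 2) + der(0x30, b"") + SAMPLE_SPKI)
    + ALG + der(0x03, b"\x00\x00"))
```

Feeding a real certificate read from the token (for example via pkcs11-tool) into spki_from_cert lets you compare the resulting identifier with what the backend derives for the loaded private key.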
