[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

Tobias Brunner tobias at strongswan.org
Fri Oct 12 13:09:36 CEST 2012


Hi Gerald,

> Do I understand right:
> 
> 1 the certificate is selected using the first certificate that has a matching subject compared to leftid
> 2 the fingerprint of the associated public key is computed
> 3 from any private key, you compute the public key and compute the fingerprint of that public key
> 4 These fingerprints from 3 are compared the fingerprint from 2 and the matching one is selected

Actually, step 3 does not happen exactly like this.  When the private
key is loaded (not actually the key of course as that is safely stored
on the token) a public key with the same CKA_ID is searched, if none is
found the private key will be destroyed, hence you should see that in
the log when the secrets are loaded.  There is actually a TODO in the
code in regards to extracting the public key from a certificate if no
public key is found [1].

Also, I think it wouldn't be that hard to introduce the ability to load
a specific certificate via left|rightcert (and cacert in ca sections)
similar to pluto (but with the same syntax used now in ipsec.secrets)
plus an option to disable the automatic loading of certificates (which
could be problematic anyway, e.g. if lots of certificates are stored on
the token and, thus, starting charon will take a long time, in which
case starter might kill it).

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c#l889
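The pairing of a token-resident private key with a certificate, as Tobias describes it (private key kept only if a public-key object with the same CKA_ID exists, then matched to the certificate chosen by leftid via the public-key fingerprint), written out as an added illustration. This is not strongSwan's code: the token is an in-memory list of objects, the DER blobs and CKA_IDs are constructed sample values, and SHA-1 over the public-key bytes is assumed as a stand-in for the fingerprint charon actually uses.

```python
"""Added illustration (not strongSwan code) of the CKA_ID / fingerprint
matching described in the thread.  Token objects, key bytes and CKA_IDs
below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stand-ins for the PKCS#11 CKA_CLASS values (constructed labels).
CKO_PUBLIC_KEY = "public"
CKO_PRIVATE_KEY = "private"


@dataclass
class TokenObject:
    cls: str                        # CKA_CLASS
    cka_id: bytes                   # CKA_ID (shared by a key pair)
    label: str                      # CKA_LABEL, used only for log lines
    pubkey: Optional[bytes] = None  # public key material; only on public objects


@dataclass
class Certificate:
    subject: str   # compared against leftid
    pubkey: bytes  # subject public key (constructed bytes)


def fingerprint(pubkey: bytes) -> str:
    """Assumed stand-in for the public-key fingerprint used for matching."""
    return hashlib.sha1(pubkey).hexdigest()


def load_private_keys(token: List[TokenObject]) -> Tuple[Dict[str, TokenObject], List[str]]:
    """Mimic secret loading: a private key is kept only if a public-key
    object with the same CKA_ID exists on the token; otherwise it is
    dropped and a log line records why (the failure mode to look for)."""
    pubs = {o.cka_id: o for o in token if o.cls == CKO_PUBLIC_KEY}
    loaded: Dict[str, TokenObject] = {}
    log: List[str] = []
    for obj in token:
        if obj.cls != CKO_PRIVATE_KEY:
            continue
        pub = pubs.get(obj.cka_id)
        if pub is None:
            log.append(f"no public key with CKA_ID {obj.cka_id.hex()} found, "
                       f"dropping private key '{obj.label}'")
            continue
        # Index the usable private key by the fingerprint of its public half.
        loaded[fingerprint(pub.pubkey)] = obj
    return loaded, log


def select_private_key(certs: List[Certificate], leftid: str,
                       loaded: Dict[str, TokenObject]) -> Optional[TokenObject]:
    """Step 1: first certificate whose subject equals leftid.
    Step 2/4: its public-key fingerprint selects the loaded private key."""
    cert = next((c for c in certs if c.subject == leftid), None)
    if cert is None:
        return None
    return loaded.get(fingerprint(cert.pubkey))


# Constructed token: one complete key pair (CKA_ID 01) and one private key
# whose public object is missing (CKA_ID 02), to show the drop-and-log case.
SAMPLE_TOKEN = [
    TokenObject(CKO_PUBLIC_KEY, b"\x01", "vpn-pub", pubkey=b"constructed-spki-A"),
    TokenObject(CKO_PRIVATE_KEY, b"\x01", "vpn-priv"),
    TokenObject(CKO_PRIVATE_KEY, b"\x02", "orphan-priv"),
]

# Constructed certificate store; only the CN=vpn certificate matches the pair.
SAMPLE_CERTS = [
    Certificate("C=CH, O=example, CN=other", b"constructed-spki-B"),
    Certificate("C=CH, O=example, CN=vpn", b"constructed-spki-A"),
]

if __name__ == "__main__":
    keys, messages = load_private_keys(SAMPLE_TOKEN)
    for line in messages:
        print("log:", line)
    chosen = select_private_key(SAMPLE_CERTS, "C=CH, O=example, CN=vpn", keys)
    print("selected:", chosen.label if chosen else None)
```

Running it shows the orphaned private key being dropped with a log line, which is the symptom to check for in charon's output when a smartcard key is silently not used: the CKA_ID of the private object must match a public object on the token.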




