[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de richter at ecos.de
Tue Oct 23 13:29:52 CEST 2012


Hi Martin,

I have tested your patch and it works partly:

1.) The fallback to pub key from cert works for me with the attached patch. The patch makes the following changes:

	a.) Increase max cert req payloads to 20 (this is not smartcard related, but necessary for me because I have 6 ca certs in etc/cacerts)
	b.) Increase max length of pubkey id from 63 to 127 (the eToken has an id longer than 63 chars)
	c.) In find_lib_by_keyid also fall back to using the pubkey from the cert, so I can use %smartcard:<keyid> in ipsec.secrets without module and slot
	d.) find_pubkey_in_certs does not work for me if type is set to CKC_X_509

2.) Using leftcert=%smartcard:<keyid> instead of leftid works for me too

3.) My second token with tcos card and preloaded certificates (I cannot change them) still does not find its private key when I start a connection. I have tried with leftid and with giving the key id in leftcert, both fail. I have run through charon with gdb and I found the following:

Breakpoint 3, get_private (this=0x1942d658, type=KEY_RSA, id=0x1946ff50, auth=0x19450098) at credentials/credential_manager.c:1066
1066                    cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);

The call to auth->get fails, because

Breakpoint 4, get (this=0x19450098, type=AUTH_RULE_SUBJECT_CERT) at credentials/auth_cfg.c:418
418                     if (type == current_type)
(gdb) p current_type
$12 = AUTH_RULE_CA_CERT

There is only one current_type, which is set to AUTH_RULE_CA_CERT, so the above condition never matches.

The certificate and the private key are successfully loaded according to the systemlog.

Any hints on what to change or how to debug are welcome.

Thanks & Regards

Gerald



> -----Original Message-----
> From: Martin Willi [mailto:martin at strongswan.org]
> Sent: Monday, October 15, 2012 6:23 PM
> To: Gerald Richter - ECOS
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] How to use Strongswan 5.0.1 & Smartcard
> correctly?
> 
> Hi Gerald,
> 
> > I'll have a look at it next week, shouldn't be too hard to implement
> > this fallback.
> 
> I've pushed a few changes to [1], bringing support for:
>       * Fallback to load the public key associated to a private key from
>         a certificate if no raw public key has been found.
>       * Defining explicit PKCS#11 certificates to use in a connection,
>         using the new leftcert=%smartcard:<keyid> ipsec.conf option.
> 
> Please let me know if these changes work with your smartcards.
> 
> Regards
> Martin
> 
> [1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/pkcs11-certs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pub_in_cert1.patch
Type: application/octet-stream
Size: 4883 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20121023/123a9079/attachment.obj>
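For readers who want to reproduce the setup discussed in this thread (the %smartcard entry without module and slot from item 1c, and the leftcert=%smartcard:<keyid> option from item 2 and Martin's branch), here is an added configuration example. It is not from the thread or from the strongSwan project; the key id 00112233, the module name etoken, the library path, the peer address and the PIN are placeholders, and the three files are shown in one block separated by comment headers.

```ini
# --- strongswan.conf: register the token's PKCS#11 library with the pkcs11 plugin ---
# The module name "etoken" and the library path are assumptions for this example.
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                etoken {
                    path = /usr/lib/libeTPkcs11.so
                }
            }
        }
    }
}

# --- ipsec.conf: authenticate with the certificate stored on the token ---
conn token
    # Select the certificate on the token by its PKCS#11 key id (hex string).
    # Without a slot/module prefix charon searches all configured modules.
    leftcert=%smartcard:00112233
    leftauth=pubkey
    # Placeholder peer; use your own gateway and identity here.
    right=vpn.example.org
    rightid=@vpn.example.org
    rightauth=pubkey
    auto=add

# --- ipsec.secrets: PIN for the private key that matches the same key id ---
: PIN %smartcard:00112233 "1234"
# Equivalent form naming slot 0 of the "etoken" module explicitly and
# asking for the PIN interactively instead of storing it in the file:
# : PIN %smartcard0@etoken:00112233 %prompt
```

The key id in ipsec.conf and ipsec.secrets must be the same hex string, and it must match the CKA_ID that the token reports for both the certificate and the private key; `pkcs11-tool --module <lib> -O` lists those ids so they can be checked before starting charon.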

