[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?
Martin Willi
martin at strongswan.org
Wed Oct 24 11:31:57 CEST 2012
Hi Gerald,
> a.) Increase max cert req payloads to 20 (this is not smartcard
> related, but necessary for me because I have 6 ca certs in etc/cacerts)
Yes, seems to make sense for IKEv1, as we have a CERTREQ for each CA.
> b.) Increase max length of pubkey id from 63 to 127 (the eToken has an
> id longer than 63 chars)
I pushed [1] that doubles the buffer sizes.
> c.) In find_lib_by_keyid also fallback to use pubkey from cert, so I
> can use %smartcard:<keyed> in ipsec.secrets without module and slot
I pushes a slightly different patch [2] that looks for a public key on
all tokens first (current behavior), and then for a certificate. Let me
know if this works for you.
> d.) find_pubkey_in_certs does not work for me if type is set to CKC_X_509
I think it's not unproblematic, because a token with non-X509 certs
could break that lookup.
According to PKCS#11, CKO_CERTIFICATE object MUST have a
CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11 2.30,
10.6.2), hence I don't change the current behavior for now.
> There is only one current_type which is set to AUTH_RULE_CA_CERT so
> never matches the above condition.
There really should be a AUTH_RULE_SUBJECT_CERT when you define
leftcert. Either this lookup happens on the wrong config, or something
else is wrong.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=334eca9b
[2]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9b25d7c8
More information about the Users
mailing list