[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

Martin Willi martin at strongswan.org
Wed Oct 24 11:31:57 CEST 2012


Hi Gerald,

> a.) Increase max cert req payloads to 20 (this is not smartcard
> related, but necessary for me because I have 6 ca certs in etc/cacerts)

Yes, seems to make sense for IKEv1, as we have a CERTREQ for each CA.

> b.) Increase max length of pubkey id from 63 to 127 (the eToken has an
> id longer than 63 chars)

I pushed [1] that doubles the buffer sizes.

> c.) In find_lib_by_keyid also fallback to use pubkey from cert, so I
> can use %smartcard:<keyid> in ipsec.secrets without module and slot

I pushed a slightly different patch [2] that looks for a public key on
all tokens first (current behavior), and then for a certificate. Let me
know if this works for you.

> d.) find_pubkey_in_certs does not work for me if type is set to CKC_X_509

I think it's not unproblematic, because a token with non-X509 certs
could break that lookup.

According to PKCS#11, CKO_CERTIFICATE object MUST have a
CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11 2.30,
10.6.2), hence I don't change the current behavior for now.

> There is only one current_type which is set to AUTH_RULE_CA_CERT so
> never matches the above condition.

There really should be an AUTH_RULE_SUBJECT_CERT when you define
leftcert. Either this lookup happens on the wrong config, or something
else is wrong.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=334eca9b
[2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9b25d7c8
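As an added illustration of the %smartcard syntax discussed above (not part of the original mail or of strongSwan's own documentation), the two ways of referencing a PKCS#11 key in ipsec.secrets and ipsec.conf: the short form with only the key id, which relies on the public key or certificate being found on any token, and the explicit form naming slot and module. The key id, slot number, module name and PIN below are placeholders, and the leftcert=%smartcard form is assumed from the discussion of leftcert in the mail.

```conf
# /etc/ipsec.secrets (constructed example, placeholders in angle brackets)

# Short form: strongSwan searches all loaded PKCS#11 modules and slots for an
# object whose CKA_ID matches <keyid>; with patch [2] it tries public keys
# first and then falls back to the public key of a matching certificate.
: PIN %smartcard:<keyid> "<PIN>"

# Explicit form: restrict the lookup to one slot of one module (the module
# name must match the name configured in the pkcs11 plugin's modules section).
: PIN %smartcard<slot-nr>@<module-name>:<keyid> "<PIN>"
```

In ipsec.conf the connection then refers to the same key id with `leftcert=%smartcard:<keyid>` (or the slot@module form), which is what populates the AUTH_RULE_SUBJECT_CERT rule mentioned in the mail; keep the PIN out of world-readable files and prefer the explicit slot@module form on hosts with several tokens, so an unexpected token cannot satisfy the lookup.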
