[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?
richter at ecos.de
Wed Oct 24 11:58:54 CEST 2012
Hi Martin,
>
> I pushed a slightly different patch [2] that looks for a public key on all tokens
> first (current behavior), and then for a certificate. Let me know if this works
> for you.
>
I will give it a try later on, but from reviewing your code changes I think it should work.
> > d.) find_pubkey_in_certs does not work for me if type is set to
> > CKC_X_509
>
> I think it's not unproblematic, because a token with non-X509 certs could
> break that lookup.
>
> According to PKCS#11, CKO_CERTIFICATE object MUST have a
> CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11
> 2.30, 10.6.2), hence I don't change the current behavior for now.
Unfortunately, not every vendor reads the specification...
I will try to figure out more about how this certificate is stored and whether there is a better workaround.
>
> > There is only one current_type which is set to AUTH_RULE_CA_CERT so
> > never matches the above condition.
>
> There really should be a AUTH_RULE_SUBJECT_CERT when you define
> leftcert. Either this lookup happens on the wrong config, or something else is
> wrong.
>
I have "leftcert=%smartcard:<keyid>" and syslog says that the certificate is loaded. When I start charon I get:
Oct 24 11:49:17 ThinClient charon: 13[CFG] loaded certificate "C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M" from '%smartcard:70ee000003ef'
Oct 24 11:49:17 ThinClient charon: 13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, SN=000000000222388793001, CN=XXX, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M'
When I enter "ipsec secrets" I am prompted for the PIN and log says:
Oct 24 11:52:10 ThinClient charon: 16[CFG] found key on PKCS#11 token 'tcos-module':0
Oct 24 11:52:18 ThinClient charon: 16[CFG] loaded private key from %smartcard:70ee000003ef
"ipsec listcerts" shows both certs that are on the token.
After an "ipsec up" I get:
no RSA private key found for 'C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M'
Any hints on where to start debugging this issue? How can I find out why AUTH_RULE_SUBJECT_CERT is not defined? Where is the place where it should be set, so I can step through it with gdb and check what's wrong?
Thanks, Gerald