[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de
Wed Oct 24 11:58:54 CEST 2012


Hi Martin,

> 
> I pushes a slightly different patch [2] that looks for a public key on all tokens
> first (current behavior), and then for a certificate. Let me know if this works
> for you.
>

I will give it a try later on, but from reviewing your code changes I think it should work.
 
> > d.) find_pubkey_in_certs does not work for me if type is set to
> > CKC_X_509
> 
> I think it's not unproblematic, because a token with non-X509 certs could
> break that lookup.
> 
> According to PKCS#11, CKO_CERTIFICATE object MUST have a
> CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11
> 2.30, 10.6.2), hence I don't change the current behavior for now.

Unfortunately not every vendor reads the specification...

I'll try to figure out more about how this certificate is stored and whether there is a better workaround.

> 
> > There is only one current_type which is set to  AUTH_RULE_CA_CERT so
> > never matches the above condition.
> 
> There really should be a AUTH_RULE_SUBJECT_CERT when you define
> leftcert. Either this lookup happens on the wrong config, or something else is
> wrong.
> 

I have "leftcert=%smarcard:<keyid>" and syslog says that the certificate is loaded. When I start Charon I get:


Oct 24 11:49:17 ThinClient charon: 13[CFG]   loaded certificate "C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M" from '%smartcard:70ee000003ef' 
Oct 24 11:49:17 ThinClient charon: 13[CFG]   id '%any' not confirmed by certificate, defaulting to 'C=DE, SN=000000000222388793001, CN=XXX, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M'

When I enter "ipsec secrets" I am prompted for the PIN and log says:

Oct 24 11:52:10 ThinClient charon: 16[CFG] found key on PKCS#11 token 'tcos-module':0 
Oct 24 11:52:18 ThinClient charon: 16[CFG]   loaded private key from %smartcard:70ee000003ef

"ipsec listcerts" shows both certs that are on the token.

After an ipsec up I get

no RSA private key found for 'C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, E=x at xxx.de, 2b:06:01:05:05:07:09:03=M'


Any hints where to start debugging this issue? How can I find out why AUTH_RULE_SUBJECT_CERT is not defined? Where is the place where it should be set, so I can run through it with gdb and check what's wrong?

Thanks, Gerald
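
A diagnostic added here as an illustration (it is not strongSwan code and not a patch from this thread) that checks a token's object list against the two conditions the thread turns on: whether the certificate object carries CKA_CERTIFICATE_TYPE at all, and whether certificate, public key and private key share the CKA_ID named in leftcert=%smartcard:<keyid>. The PyKCS11 loader and the sample token contents are assumptions of this example, not anything from the thread.

```python
# Added diagnostic, not strongSwan code. Object classes and CKC_X_509 carry their
# PKCS#11 constant values; SAMPLE_TOKEN at the end is constructed, not a real dump.
CKO_CERTIFICATE, CKO_PUBLIC_KEY, CKO_PRIVATE_KEY, CKC_X_509 = 0x1, 0x2, 0x3, 0x0
NAMES = {CKO_CERTIFICATE: "certificate", CKO_PUBLIC_KEY: "public key",
         CKO_PRIVATE_KEY: "private key"}

def diagnose(objects, keyid):
    """objects: dicts with 'class', 'id' (CKA_ID bytes) and, for certificates, an
    optional 'cert_type'; keyid: the hex id used in leftcert=%smartcard:<keyid>."""
    wanted = bytes.fromhex(keyid)
    hits = {c: [o for o in objects if o["class"] == c and o["id"] == wanted]
            for c in NAMES}
    findings = []
    for cert in hits[CKO_CERTIFICATE]:
        if cert.get("cert_type") is None:  # 0 (CKC_X_509) is a valid value
            findings.append("certificate %s has no CKA_CERTIFICATE_TYPE (PKCS#11 2.30, "
                            "10.6.2 requires one); a CKC_X_509-only lookup skips it" % keyid)
        elif cert["cert_type"] != CKC_X_509:
            findings.append("certificate %s is not CKC_X_509 (type %#x)"
                            % (keyid, cert["cert_type"]))
    for cls, name in NAMES.items():  # the %smartcard:<keyid> lookups go by CKA_ID
        if not hits[cls]:
            findings.append("no %s object with CKA_ID %s" % (name, keyid))
    return findings  # empty list: typed X.509 cert plus both keys share the id

def load_with_pykcs11(module_path, pin):
    """Optional real-token loader; assumes the third-party PyKCS11 package."""
    import PyKCS11  # assumption: pip install PyKCS11
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    session = lib.openSession(lib.getSlotList(tokenPresent=True)[0])
    session.login(pin)
    objects = []
    for obj in session.findObjects():
        cls, cka_id = session.getAttributeValue(obj, [PyKCS11.CKA_CLASS, PyKCS11.CKA_ID])
        entry = {"class": cls, "id": bytes(cka_id or ())}
        if cls == CKO_CERTIFICATE:
            try:
                entry["cert_type"] = session.getAttributeValue(
                    obj, [PyKCS11.CKA_CERTIFICATE_TYPE])[0]
            except PyKCS11.PyKCS11Error:
                pass  # attribute absent: the vendor case discussed in the thread
        objects.append(entry)
    return objects

# Constructed sample: untyped certificate, private key stored under another CKA_ID.
SAMPLE_TOKEN = [{"class": CKO_CERTIFICATE, "id": bytes.fromhex("0a0b0c")},
                {"class": CKO_PUBLIC_KEY, "id": bytes.fromhex("0a0b0c")},
                {"class": CKO_PRIVATE_KEY, "id": bytes.fromhex("0a0b0d")}]
```

Running `diagnose(load_with_pykcs11("/path/to/vendor-pkcs11.so", "PIN"), "<keyid>")` against a real token shows at a glance whether the failure is a missing certificate type or an id mismatch between certificate and key objects.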