[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?
richter at ecos.de
Fri Oct 26 10:17:57 CEST 2012
Hi Martin,
I have done further debugging regarding the second token that doesn't find its private key.
The token contains a certificate, a public key and a private key.
With "ipsec secrets" the private key gets loaded successfully, but "ipsec listcerts" does not show that the corresponding certificate has a private key.
When I print out the fingerprint of the key that is found in pkcs11_private_key_connect, it is different from the one listed in "ipsec listcerts" (I have also done further debugging, and this fingerprint isn't in any of the credential sets, so it is not found).
If I change line 726 in pkcs11_private_key.c from
this->pubkey = pkcs11_public_key_connect(this->lib, slot, this->type, keyid);
to
this->pubkey = NULL;
the public key is taken from the certificate (because of your latest patches) and everything works as expected.
I am not sure why the public key has a different fingerprint, but maybe you have an idea?
Gerald
> -----Original Message-----
> From: users-bounces+richter=ecos.de at lists.strongswan.org [mailto:users-
> bounces+richter=ecos.de at lists.strongswan.org] On Behalf Of Gerald Richter
> - ECOS
> Sent: Tuesday, October 23, 2012 1:30 PM
> To: Martin Willi
> Cc: users at lists.strongswan.org
> Subject: Re: [strongSwan] How to use Strongswan 5.0.1 & Smartcard
> correctly?
>
> Hi Martin,
>
> I have tested your patch and it works partly:
>
> 1.) The fallback to pub key from cert works for me with the attached patch.
> The patch makes the following changes:
>
> a.) Increase max cert req payloads to 20 (this is not smartcard related,
> but necessary for me because I have 6 ca certs in etc/cacerts)
> b.) Increase max length of pubkey id from 63 to 127 (the eToken has
> an id longer than 63 chars)
> c.) In find_lib_by_keyid also fallback to use pubkey from cert, so I can
> use %smartcard:<keyid> in ipsec.secrets without module and slot
> d.) find_pubkey_in_certs does not work for me if type is set to
> CKC_X_509
>
> 2.) Using leftcert=%smartcard:<keyid> instead of leftid works for me too
>
> 3.) My second token with tcos card and preloaded certificates (I cannot
> change them), still does not find its private key when I start a connection. I
> have tried with leftid and with giving the key id in leftcert, both fail. I have
> run through Charon with gdb and I found the following:
>
> Breakpoint 3, get_private (this=0x1942d658, type=KEY_RSA, id=0x1946ff50,
> auth=0x19450098) at credentials/credential_manager.c:1066
> 1066 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
>
> The call to auth->get fails, because
>
> Breakpoint 4, get (this=0x19450098, type=AUTH_RULE_SUBJECT_CERT) at
> credentials/auth_cfg.c:418
> 418 if (type == current_type)
> (gdb) p current_type
> $12 = AUTH_RULE_CA_CERT
>
> There is only one current_type, which is set to AUTH_RULE_CA_CERT, so it
> never matches the above condition.
>
> The certificate and the private key are successfully loaded according to the
> systemlog.
>
> Any hints on what to change or how to debug are welcome.
>
> Thanks & Regards
>
> Gerald
>
>
>
> > -----Original Message-----
> > From: Martin Willi [mailto:martin at strongswan.org]
> > Sent: Monday, October 15, 2012 6:23 PM
> > To: Gerald Richter - ECOS
> > Cc: users at lists.strongswan.org
> > Subject: Re: [strongSwan] How to use Strongswan 5.0.1 & Smartcard
> > correctly?
> >
> > Hi Gerald,
> >
> > > I'll have a look at it next week, shouldn't be too hard to implement
> > > this fallback.
> >
> > I've pushed a few changes to [1], bringing support for:
> > * Fallback to load the public key associated to a private key from
> > a certificate if no raw public key has been found.
> > * Defining explicit PKCS#11 certificates to use in a connection,
> > using the new leftcert=%smartcard:<keyid> ipsec.conf option.
> >
> > Please let me know if these changes work with your smartcards.
> >
> > Regards
> > Martin
> >
> > [1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/pkcs11-certs
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
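The thread above turns on a public-key fingerprint that does not match the one "ipsec listcerts" prints for the certificate. One thing worth ruling out when two fingerprints of supposedly the same RSA key disagree is that each side hashed a different DER encoding of that key: the bare PKCS#1 RSAPublicKey structure versus the X.509 SubjectPublicKeyInfo that wraps it. The following is an added example, not code from the thread or from strongSwan. Using only the Python standard library, it builds both encodings from a modulus and exponent, computes the SHA-1 of each, parses the PKCS#1 form back to check the encoder, and reports which convention a given fingerprint matches. The modulus is a constructed sample value, not a real key, and whether this encoding difference explains the mismatch in the thread is an assumption, not something the thread establishes.

```python
"""Compare SHA-1 key identifiers over two DER encodings of one RSA public key."""
import hashlib

# Constructed sample modulus and exponent; NOT a real key, just an odd
# integer of plausible size so the DER encoder has something to work on.
SAMPLE_N = int("c0ffee" * 40, 16) | 1
SAMPLE_E = 65537

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded with its tag.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    """DER length: short form below 128, long form with a byte count above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    """DER INTEGER; a leading 0x00 keeps a high-bit value from reading negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der(0x30, _der_int(n) + _der_int(e))


def subject_public_key_info_der(n, e):
    """X.509 SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING of the PKCS#1 key."""
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # OID + NULL params
    subject_key = _der(0x03, b"\x00" + rsa_public_key_der(n, e))  # 0 unused bits
    return _der(0x30, algorithm + subject_key)


def _read_tlv(buf, pos):
    """Minimal DER reader: returns (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Decode a PKCS#1 RSAPublicKey back into (n, e) to sanity-check the encoder."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_fingerprints(n, e):
    """SHA-1 over each encoding; the two digests differ for the same key."""
    return {
        "pkcs1_sha1": hashlib.sha1(rsa_public_key_der(n, e)).hexdigest(),
        "spki_sha1": hashlib.sha1(subject_public_key_info_der(n, e)).hexdigest(),
    }


def match_fingerprint(n, e, fingerprint):
    """Return the convention a printed fingerprint (with or without colons)
    matches for this key, or None if it matches neither."""
    wanted = fingerprint.replace(":", "").lower()
    for name, digest in key_fingerprints(n, e).items():
        if digest == wanted:
            return name
    return None


if __name__ == "__main__":
    for name, digest in key_fingerprints(SAMPLE_N, SAMPLE_E).items():
        print(f"{name}: {digest}")
```

To use this on a real token, feed it the modulus and exponent read from the certificate (any X.509 parser will give them) and pass the fingerprint that "ipsec listcerts" printed to match_fingerprint; a result of None means the printed value was computed over something other than the certificate's key, which narrows the search to the key object on the token rather than to the hashing convention.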