Hi,

> > Does your token contain a public key object that is readable without login?
>
> [[GR]] Yes
>
> pkcs11-tool --module /usr/lib/libetpkcs11.so -O -l --private
> Please enter User PIN:
> Private Key Object; RSA
>   label:      eTCAPI private key
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
>   Usage:      decrypt, sign, unwrap
> Private Key Object; RSA
>   label:      eTCAPI private key
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
>   Usage:      decrypt, sign, unwrap
> Certificate Object, type = X.509 cert
>   label:      (eTCAPI) richter3's ID
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
> Certificate Object, type = X.509 cert
>   label:      (eTCAPI) richter3's ID
>   ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31

I don't see a public key object at all, even with login. If you generate a
keypair using PKCS#11, this usually results in both a public and a private
key. If your private key does not have an associated public key, our pkcs11
backend can't use it (because it can't fingerprint the key).

As a work-around, you can try to extract the certificate, the public key in
it, and store the plain public key with the correct ID back to the token.

I don't know how exotic it is that a public key is missing; I've never seen
such a token. But if it is not that uncommon, we might provide a fallback
that reads the public key from the certificate.

> : PIN %smartcard1@etoken-module %prompt
> charon: 15[CFG] line 22: the given %smartcard specifier is invalid

You still have to provide the keyid to select the private key. But if you
define slot, module and keyid, pkcs11 does not have to search for a public
key without login, but can immediately log in to the token and load the
private key. Anyway, it doesn't help in your case, as the public key is
completely missing.

> Is there another way to specify the private key in addition to giving the
> subject as leftid?

No. The certificate is selected based on the leftid.
Once we have a certificate, we look for a private key with a matching keyid
(not the CKA_ID, but the computed hash over the public key).

Regards
Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
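The work-around Martin describes (pull the certificate off the token, take the
public key out of it, write that public key back under the same CKA_ID as the
private key) as a shell script. This is an added example, not code from the
thread or from strongSwan. It assumes OpenSC's pkcs11-tool and openssl are on
PATH, that the module path, CKA_ID, PIN and label are passed in by the caller
(nothing is hard-coded to the eToken above), and that the installed OpenSC
accepts a PEM public key for `--write-object --type pubkey` (older builds may
want DER). The self-signed certificate generated by make_test_cert is
constructed input so the openssl half can be exercised without a token; the
SHA-1 printed is only for comparing the key before and after the round trip
and is not a claim about which hash strongSwan uses for its keyid.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan: rebuild the missing
# public-key object on a PKCS#11 token from the certificate that is already there.
# Assumptions: pkcs11-tool (OpenSC) and openssl are on PATH; module path, CKA_ID,
# PIN and label come from the caller; the OpenSC build accepts a PEM public key
# for --write-object --type pubkey.

# Read the X.509 certificate with the given CKA_ID off the token (DER).
token_read_cert() {  # module id outfile
    pkcs11-tool --module "$1" --read-object --type cert --id "$2" -o "$3"
}

# Extract the SubjectPublicKeyInfo from a DER certificate as a PEM public key.
# Pure openssl, no token needed.
cert_to_pubkey_pem() {  # cert.der pub.pem
    openssl x509 -inform DER -in "$1" -pubkey -noout > "$2"
}

# Key size in bits of a PEM public key. The sed pattern matches both the
# "RSA Public-Key:" and the "Public-Key:" heading printed by different OpenSSL versions.
pubkey_bits() {  # pub.pem
    openssl pkey -pubin -in "$1" -text -noout |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-1 over the DER SubjectPublicKeyInfo, used here only to compare the key
# before and after the round trip (not asserted to be strongSwan's keyid hash).
pubkey_sha1() {  # pub.pem
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Same fingerprint derived from a private key, to cross-check the extraction.
privkey_pub_sha1() {  # key.pem
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha1 | awk '{print $NF}'
}

# Store the public key back on the token under the same CKA_ID as the private
# key and certificate, so the pkcs11 backend can find it and fingerprint the key.
token_write_pubkey() {  # module pin id label pub.pem
    pkcs11-tool --module "$1" --login --pin "$2" --write-object "$5" \
        --type pubkey --id "$3" --label "$4"
}

# Whole work-around against a real token. Only run when arguments are given.
rebuild_pubkey_on_token() {  # module id pin label
    workdir=$(mktemp -d)
    token_read_cert "$1" "$2" "$workdir/cert.der"
    cert_to_pubkey_pem "$workdir/cert.der" "$workdir/pub.pem"
    echo "extracted $(pubkey_bits "$workdir/pub.pem")-bit public key," \
         "SPKI SHA-1 $(pubkey_sha1 "$workdir/pub.pem")"
    token_write_pubkey "$1" "$3" "$2" "$4" "$workdir/pub.pem"
    # The new object should now be listed without --login, which is what the
    # backend relies on when it searches for the public key by fingerprint.
    pkcs11-tool --module "$1" --list-objects --type pubkey --id "$2"
    rm -rf "$workdir"
}

# Constructed test input for running the openssl half offline: a throw-away
# self-signed certificate standing in for the "(eTCAPI) richter3's ID" one.
make_test_cert() {  # dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=richter3 test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform DER -out "$1/cert.der"
}

if [ "$#" -ge 3 ]; then
    # usage: sh rebuild-pubkey.sh /usr/lib/libetpkcs11.so <CKA_ID hex> <PIN> [label]
    rebuild_pubkey_on_token "$1" "$2" "$3" "${4:-eTCAPI public key}"
fi
```

The CKA_ID to pass is the hex string shown in the `ID:` lines of the
`pkcs11-tool -O -l` listing; the public key must carry the same ID as the
private key and certificate it belongs to, otherwise the backend will still not
associate them. After writing, listing with `--type pubkey` and no `--login`
confirms the object is readable before authentication.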
