Hi Gerald, > Do I understand right: > > 1 the certificate is selected using the first certificate that has a matching > subject compared to leftid > 2 the fingerprint of the associated public key is computed > 3 from any private key, you compute the public key and compute the > fingerprint of that public key > 4 These fingerprints from 3 are compared the fingerprint from 2 and the > matching one is selected
Actually, step 3 does not happen exactly like this. When the private key is loaded (not actually the key of course as that is safely stored on the token) a public key with the same CKA_ID is searched, if none is found the private key will be destroyed, hence you should see that in the log when the secrets are loaded. There is actually a TODO in the code in regards to extracting the public key from a certificate if no public key is found [1]. Also, I think it wouldn't be that hard to introduce the ability to load a specific certificate via left|rightcert (and cacert in ca sections) similar to pluto (but with the same syntax used now in ipsec.secrets) plus an option to disable the automatic loading of certificates (which could be problematic anyway, e.g. if lots of certificates are stored on the token and, thus, starting charon will take a long time, in which case starter might kill it). Regards, Tobias [1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/pkcs11/pkcs11_public_key.c#l889 _______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
