Hi Martin, I have tested your patch and it works partly:
1.) The fallback to pub key from cert works for me with the attached patch. The
patch makes the following changes:
a.) Increase max cert req payloads to 20 (this is not smartcard
related, but necessary for me because I have 6 ca certs in etc/cacerts)
b.) Increase max length of pubkey id from 63 to 127 (the eToken has an
id longer than 63 chars)
c.) In find_lib_by_keyid also fallback to use pubkey from cert, so I
can use %smartcard:<keyid> in ipsec.secrets without module and slot
d.) find_pubkey_in_certs does not work for me if type is set to
CKC_X_509
2.) Using leftcert=%smartcard:<keyid> instead of leftid works for me too
3.) My second token with tcos card and preloaded certificates (I cannot change
them) still does not find its private key when I start a connection. I have
tried with leftid and with giving the key id in leftcert; both fail. I have
run through Charon with gdb and I found the following:
Breakpoint 3, get_private (this=0x1942d658, type=KEY_RSA, id=0x1946ff50,
auth=0x19450098) at credentials/credential_manager.c:1066
1066 cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
The call to auth->get fails, because
Breakpoint 4, get (this=0x19450098, type=AUTH_RULE_SUBJECT_CERT) at
credentials/auth_cfg.c:418
418 if (type == current_type)
(gdb) p current_type
$12 = AUTH_RULE_CA_CERT
There is only one current_type which is set to AUTH_RULE_CA_CERT so never
matches the above condition.
The certificate and the private key are successfully loaded according to the
systemlog.
Any hints on what to change or how to debug are welcome.
Thanks & Regards
Gerald
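To make the two settings discussed in this thread concrete, here is an added example configuration (not from the thread, the attached patch or the strongSwan project) that registers the PKCS#11 module, selects the token certificate by key ID with leftcert=%smartcard:<keyid>, and supplies the PIN in ipsec.secrets without naming a slot or module. The module path, the key ID 1234, the gateway address and its identity are assumed placeholders.

```conf
# strongswan.conf (added example): register the PKCS#11 module so the
# pkcs11 plugin enumerates the token's certificates and keys at startup.
# The path is an assumption; point it at your token middleware.
libstrongswan {
  plugins {
    pkcs11 {
      modules {
        opensc {
          path = /usr/lib/opensc-pkcs11.so
        }
      }
    }
  }
}

# ipsec.conf (added example): pick the token certificate by its key ID
# (hex CKA_ID, placeholder 1234) instead of relying on leftid matching
# the certificate subject. Without leftid, the identity defaults to the
# subject DN of the selected certificate.
conn token
  left=%defaultroute
  leftcert=%smartcard:1234
  right=192.0.2.1
  rightid=@gw.example.org
  auto=add

# ipsec.secrets (added example): PIN for the private key carrying the same
# key ID. Slot and module are omitted, so every configured module and slot
# is searched for a key with CKA_ID 1234. Use %prompt instead of a literal
# PIN to be asked for it interactively:
#   : PIN %smartcard:1234 %prompt
: PIN %smartcard:1234 "0000"
```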
> -----Original Message-----
> From: Martin Willi [mailto:[email protected]]
> Sent: Monday, October 15, 2012 6:23 PM
> To: Gerald Richter - ECOS
> Cc: [email protected]
> Subject: Re: [strongSwan] How to use Strongswan 5.0.1 & Smartcard
> correctly?
>
> Hi Gerald,
>
> > I'll have a look at it next week, shouldn't be too hard to implement
> > this fallback.
>
> I've pushed a few changes to [1], bringing support for:
> * Fallback to load the public key associated to a private key from
> a certificate if no raw public key has been found.
> * Defining explicit PKCS#11 certificates to use in a connection,
> using the new leftcert=%smartcard:<keyid> ipsec.conf option.
>
> Please let me know if these changes work with your smartcards.
>
> Regards
> Martin
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/pkcs11-certs
pub_in_cert1.patch
Description: Binary data
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
