Hi Gerald,

> a.) Increase max cert req payloads to 20 (this is not smartcard
> related, but necessary for me because I have 6 ca certs in etc/cacerts)

Yes, seems to make sense for IKEv1, as we have a CERTREQ for each CA.

> b.) Increase max length of pubkey id from 63 to 127 (the eToken has an
> id longer than 63 chars)

I pushed [1] that doubles the buffer sizes.

> c.) In find_lib_by_keyid also fallback to use pubkey from cert, so I
> can use %smartcard:<keyed> in ipsec.secrets without module and slot

I pushed a slightly different patch [2] that looks for a public key on all tokens first (current behavior), and then for a certificate. Let me know if this works for you.

> d.) find_pubkey_in_certs does not work for me if type is set to CKC_X_509

I think it's not unproblematic, because a token with non-X509 certs could break that lookup. According to PKCS#11, a CKO_CERTIFICATE object MUST have a CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11 2.30, 10.6.2), hence I don't change the current behavior for now.

> There is only one current_type which is set to AUTH_RULE_CA_CERT so
> never matches the above condition.

There really should be an AUTH_RULE_SUBJECT_CERT when you define leftcert. Either this lookup happens on the wrong config, or something else is wrong.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=334eca9b
[2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9b25d7c8

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
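The two ways of addressing a smartcard key that the thread refers to, as an added configuration example (not from the original message or from the strongSwan project): the short `%smartcard:<keyid>` form that relies on the lookup across all registered tokens, beside the explicit `<slot>@<module>` form that pins the key to one token. The module name `opensc`, its path, the key id `60` and the PIN are assumptions for illustration; the key id must match the CKA_ID of the objects on the token, which is also why a long id such as the eToken's needs the larger buffer from [1].

```ini
# strongswan.conf: register the PKCS#11 module(s) the pkcs11 plugin should load.
# "opensc" and the library path are assumed values; use your token's provider.
charon {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
            }
        }
    }
}

# ipsec.secrets: PIN entries for a key held on a token.
#
# Short form: only the key id. The plugin searches every registered module
# and slot, first for a public key object with this CKA_ID, then (with [2])
# for a certificate object with this CKA_ID.
: PIN %smartcard:60 "1234"

# Explicit form: slot 0 of the module registered as "opensc". Use this when
# several tokens carry objects with the same id, or to avoid the search.
# %prompt asks for the PIN interactively instead of storing it here.
: PIN %smartcard0@opensc:60 %prompt
```

Only one of the two PIN lines is needed for a given key; both are shown to contrast the forms. Check the ids on the token with your provider's object listing (for OpenSC, `pkcs11-tool --list-objects`) and make sure the certificate object is reported as an X.509 certificate, since the lookup discussed under d) keys on CKA_CERTIFICATE_TYPE being CKC_X_509.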
