Hi Martin,

> I pushed a slightly different patch [2] that looks for a public key on all
> tokens first (current behavior), and then for a certificate. Let me know if
> this works for you.

I will give it a try later on, but from reviewing your code changes I think it should work.

>> d.) find_pubkey_in_certs does not work for me if type is set to
>> CKC_X_509
>
> I think it's not unproblematic, because a token with non-X509 certs could
> break that lookup.
>
> According to PKCS#11, CKO_CERTIFICATE object MUST have a
> CKA_CERTIFICATE_TYPE set when created with C_CreateObject (PKCS#11
> 2.30, 10.6.2), hence I don't change the current behavior for now.

Unfortunately not every vendor reads the specification... I try to figure out more about how this certificate is stored and if there is a better workaround.

>> There is only one current_type which is set to AUTH_RULE_CA_CERT so
>> never matches the above condition.
>
> There really should be an AUTH_RULE_SUBJECT_CERT when you define
> leftcert. Either this lookup happens on the wrong config, or something else is
> wrong.

I have "leftcert=%smartcard:<keyid>" and syslog says that the certificate is loaded. When I start charon I get:

Oct 24 11:49:17 ThinClient charon: 13[CFG] loaded certificate "C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, [email protected], 2b:06:01:05:05:07:09:03=M" from '%smartcard:70ee000003ef'
Oct 24 11:49:17 ThinClient charon: 13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=DE, SN=000000000222388793001, CN=XXX, S=A, G=B, [email protected], 2b:06:01:05:05:07:09:03=M'

When I enter "ipsec secrets" I am prompted for the PIN and the log says:

Oct 24 11:52:10 ThinClient charon: 16[CFG] found key on PKCS#11 token 'tcos-module':0
Oct 24 11:52:18 ThinClient charon: 16[CFG] loaded private key from %smartcard:70ee000003ef

"ipsec listcerts" shows both certs that are on the token. After an "ipsec up" I get:

no RSA private key found for 'C=DE, SN=000000000222388793001, CN=B A, S=A, G=B, [email protected], 2b:06:01:05:05:07:09:03=M'

Any hints where to start debugging this issue? How can I find out why AUTH_RULE_SUBJECT_CERT is not defined?
Where is the place where it should be set, so I can run through it with gdb and check what's wrong?

Thanks
Gerald

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
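The lookup order discussed in the thread (public key objects on the token first, then certificate objects, accepting a certificate only when its CKA_CERTIFICATE_TYPE says CKC_X_509) and the case Gerald runs into (a vendor token that omits the attribute), as an added Python model. This is not strongSwan's code and not anything posted in the thread: it runs over a constructed in-memory list of PKCS#11-style objects instead of a real token, and the dictionary layout, key ids, the fake certificate bytes and the DER-shape sniffing heuristic used in lenient mode are my assumptions.

```python
# Added example (not strongSwan's code): a model of the lookup order from the
# thread, run over a constructed in-memory list of PKCS#11 objects instead of
# a real token. Class/attribute names follow the PKCS#11 vocabulary; the object
# dicts, key ids and certificate bytes are constructed for this demo.

CKO_CERTIFICATE = 0x01
CKO_PUBLIC_KEY = 0x03
CKC_X_509 = 0x00


def der_tlv(buf, off):
    """Read one DER tag-length-value at offset `off`.
    Returns (tag, value, offset just after the element)."""
    tag = buf[off]
    length = buf[off + 1]
    header = 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        header += n
    value = buf[off + header:off + header + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, off + header + length


def looks_like_x509(der):
    """Heuristic (my assumption) for objects lacking CKA_CERTIFICATE_TYPE:
    an X.509 certificate is SEQUENCE { tbsCertificate SEQUENCE,
    signatureAlgorithm SEQUENCE, signatureValue BIT STRING } and nothing else."""
    try:
        tag, body, end = der_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return False
        tags, off = [], 0
        while off < len(body):
            t, _, off = der_tlv(body, off)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except (IndexError, ValueError):
        return False


def find_pubkey(objects, keyid, lenient=False):
    """Public key objects first, then certificate objects (the order from the
    thread). Strict mode only accepts certificates that declare
    CKA_CERTIFICATE_TYPE == CKC_X_509, as PKCS#11 requires; lenient mode also
    accepts an untyped object whose CKA_VALUE has the X.509 outer shape, for
    tokens that leave the attribute out."""
    for obj in objects:
        if obj.get("CKA_CLASS") == CKO_PUBLIC_KEY and obj.get("CKA_ID") == keyid:
            return ("pubkey", obj)
    for obj in objects:
        if obj.get("CKA_CLASS") != CKO_CERTIFICATE or obj.get("CKA_ID") != keyid:
            continue
        ctype = obj.get("CKA_CERTIFICATE_TYPE")
        if ctype == CKC_X_509:
            return ("cert", obj)
        if ctype is None and lenient and looks_like_x509(obj.get("CKA_VALUE", b"")):
            return ("cert-sniffed", obj)
    return None


# Constructed minimal DER with the X.509 outer shape (not a real certificate).
FAKE_CERT_DER = (
    b"\x30\x0d"
    b"\x30\x03\x02\x01\x02"   # tbsCertificate: SEQUENCE { INTEGER 2 }
    b"\x30\x02\x05\x00"       # signatureAlgorithm: SEQUENCE { NULL }
    b"\x03\x02\x00\xff"       # signatureValue: BIT STRING
)

# Constructed token contents: a well-formed certificate, a certificate object
# whose vendor omitted CKA_CERTIFICATE_TYPE, and a public key object.
TOKEN = [
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x01",
     "CKA_CERTIFICATE_TYPE": CKC_X_509, "CKA_VALUE": FAKE_CERT_DER},
    {"CKA_CLASS": CKO_CERTIFICATE, "CKA_ID": b"\x02",
     "CKA_VALUE": FAKE_CERT_DER},               # type attribute missing
    {"CKA_CLASS": CKO_PUBLIC_KEY, "CKA_ID": b"\x03",
     "CKA_VALUE": b"constructed-key-bytes"},
]


if __name__ == "__main__":
    for kid in (b"\x01", b"\x02", b"\x03"):
        print(kid.hex(), "strict:", find_pubkey(TOKEN, kid),
              "lenient:", find_pubkey(TOKEN, kid, lenient=True))
```

Strict mode reproduces the behaviour Martin keeps: the untyped certificate object (id 02) is not found at all, which is the symptom of a token that ignores the CKA_CERTIFICATE_TYPE requirement. Lenient mode is one possible workaround shape; it only ever widens which certificate objects are considered, never the public key lookup that runs first.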
