From: David M. <bl...@gm...> - 2007-04-04 04:01:07
Hey. I was just wondering if anyone had successfully managed to use opencryptoki with Strongswan? I'm trying to store my x.509 cert/key in the TPM module of my T43p and have Strongswan use it.

Currently (according to all the tpmtoken tools) the key/cert are stored successfully, but when I try and get strongswan to use it, it keeps claiming the pin is incorrect. strace on tcsd shows no activity with this failed pin attempt, so I'm a bit dubious.

I've pinged the strongswan-users list as well, but was just curious if anyone had tried this setup before and had some hints?

Thanks,
-David
From: Tom L. <to...@us...> - 2007-04-04 13:50:25
bl...@gm... wrote on 04/03/2007 11:01:07 PM:

> Hey. I was just wondering if anyone had successfully managed to use opencryptoki with Strongswan? I'm trying to store my x.509 cert/key in the TPM module of my T43p and have Strongswan use it.
>
> Currently (according to all the tpmtoken tools) the key/cert are stored successfully, but when I try and get strongswan to use it, it keeps claiming the pin is incorrect. strace on tcsd shows no activity with this failed pin attempt, so I'm a bit dubious.

Let me start by saying that I'm not very familiar with Strongswan...

Is Strongswan running under your userid when attempting to access the cert/key through the PKCS#11 api? The TPM token store is a per-user token store. So if Strongswan is running as a daemon under a specific user then you will need to store your cert/key as the Strongswan daemon user. You will then need to be sure that Strongswan provides the proper pin to the PKCS#11 api in order to access the cert/key objects.

Tom

> I've pinged the strongswan-users list as well, but was just curious if anyone had tried this setup before and had some hints?
>
> Thanks,
> -David
From: David M. <bl...@gm...> - 2007-04-05 02:08:14
On 4/4/07, Tom Lendacky <to...@us...> wrote:
> Is Strongswan running under your userid when attempting to access the cert/key through the PKCS#11 api? The TPM token store is a per-user token store. So if Strongswan is running as a daemon under a specific user then you will need to store your cert/key as the Strongswan daemon user. You will then need to be sure that Strongswan provides the proper pin to the PKCS#11 api in order to access the cert/key objects.

Strongswan is running as root, the token was stored as root. The pin failure seems pretty instantaneous, which I find suspicious. The tpmtoken commands take a few seconds to verify the pin.

I've got strongswan using PKCS11_API.so as its pkcs module. I suspect it's possibly a strongswan issue. People tend to use OpenSC for PKCS11 support, so that's what tends to get tested :-/

I'll try and trace through what's happening; it just gets a bit messy between all the processes and daemons floating around. I was hoping someone had come across this use before.

-David

> Tom
>
> > I've pinged the strongswan-users list as well, but was just curious if anyone had tried this setup before and had some hints?
> >
> > Thanks,
> > -David
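The quickest way to settle the question raised in the two messages above (whether the module itself rejects the PIN, or StrongSwan never reaches C_Login at all, which would explain a failure that returns instantly while the tpmtoken tools take seconds) is to drive the same PKCS#11 module directly and look at the CK_RV it returns. This probe is an added example, not code from the thread, from opencryptoki or from StrongSwan; it assumes a PKCS#11 v2.x module on 64-bit Linux (such as opencryptoki's PKCS11_API.so), and the slot number and PIN are whatever the tpmtoken tools were used with. It also reports the module's function-list version, which is the interface version it actually implements.

```python
"""PKCS#11 user-PIN probe via ctypes (added example; assumes a v2.x module on Linux/LP64)."""
import ctypes
CKF_SERIAL_SESSION, CKU_USER = 0x4, 1   # mandatory session flag; log in as the normal user
CKR_NAMES = {0x000: "CKR_OK", 0x003: "CKR_SLOT_ID_INVALID", 0x0A0: "CKR_PIN_INCORRECT",
             0x0A1: "CKR_PIN_INVALID", 0x0A2: "CKR_PIN_LEN_RANGE", 0x0A4: "CKR_PIN_LOCKED",
             0x0E0: "CKR_TOKEN_NOT_PRESENT", 0x100: "CKR_USER_ALREADY_LOGGED_IN",
             0x102: "CKR_USER_PIN_NOT_INITIALIZED", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED"}

def ckr_name(rv):   # spec name for the CK_RV values a PIN probe realistically produces
    return CKR_NAMES.get(rv, "CKR_0x%08X" % rv)

CK_ULONG, P = ctypes.c_ulong, ctypes.c_void_p
INIT = ctypes.CFUNCTYPE(CK_ULONG, P)                              # C_Initialize, C_Finalize
OPEN = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, CK_ULONG, P, P, ctypes.POINTER(CK_ULONG))
LOGIN = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, CK_ULONG, ctypes.c_char_p, CK_ULONG)
ONE = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG)                        # C_CloseSession, C_Logout

class FunctionList(ctypes.Structure):
    """Leading members of CK_FUNCTION_LIST in spec order; entries never called are bare pointers."""
    _fields_ = ([("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte), ("C_Initialize", INIT),
                 ("C_Finalize", INIT)] + [(n, P) for n in ("C_GetInfo", "C_GetFunctionList",
                 "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo", "C_GetMechanismList",
                 "C_GetMechanismInfo", "C_InitToken", "C_InitPIN", "C_SetPIN")]
                + [("C_OpenSession", OPEN), ("C_CloseSession", ONE), ("C_CloseAllSessions", P),
                   ("C_GetSessionInfo", P), ("C_GetOperationState", P), ("C_SetOperationState", P),
                   ("C_Login", LOGIN), ("C_Logout", ONE)])

def probe_pin(module_path, slot_id, pin):
    """Return (accepted, rv, version): accepted only if C_Login took the PIN, rv the last CK_RV,
    version the module's CK_FUNCTION_LIST version ("2.11", "2.20"); unloadable -> (False, None, None)."""
    try:
        lib = ctypes.CDLL(module_path)
    except OSError:
        return False, None, None
    lib.C_GetFunctionList.restype = CK_ULONG
    lib.C_GetFunctionList.argtypes = [ctypes.POINTER(ctypes.POINTER(FunctionList))]
    fl = ctypes.POINTER(FunctionList)()
    rv = lib.C_GetFunctionList(ctypes.byref(fl))
    if rv != 0:
        return False, rv, None
    f, version = fl.contents, "%d.%d" % (fl.contents.major, fl.contents.minor)
    rv = f.C_Initialize(None)
    if rv != 0:
        return False, rv, version
    session = CK_ULONG(0)
    rv = f.C_OpenSession(slot_id, CKF_SERIAL_SESSION, None, None, ctypes.byref(session))
    if rv == 0:
        rv = f.C_Login(session.value, CKU_USER, pin.encode(), len(pin))   # the call under test
        if rv == 0:
            f.C_Logout(session.value)
        f.C_CloseSession(session.value)
    f.C_Finalize(None)                  # always balance C_Initialize so the module is reusable
    return rv == 0, rv, version
```

Run probe_pin("<path to PKCS11_API.so>", <slot>, pin) as the same uid the daemon runs under, since the TPM token store is per user; CKR_PIN_INCORRECT from here means the module really is rejecting the PIN, while CKR_OK here but a failure in StrongSwan points at the daemon's PKCS#11 handling instead.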
From: David M. <bl...@gm...> - 2007-04-05 03:20:43
On 4/4/07, Tom Lendacky <to...@us...> wrote:
> Let me start by saying that I'm not very familiar with Strongswan...

I'm fairly clueless about PKCS11 (and way out of practice at even reading C code). I had a look over the header files. Strongswan distributes with the rsaref pkcs11 header files for compilation, and they seem to use the v2.2 ones. Trying to swap in the opencryptoki headers shows they actually use some of the 2.2 stuff as well :)

Are there any plans to update opencryptoki to the v2.2 spec?

-David
From: David M. <bl...@gm...> - 2007-04-17 00:26:00
On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> Are there any plans to update opencryptoki to the v2.2 spec?

I take it that's a no/not any time soon? :)

-David
From: Tom L. <to...@us...> - 2007-04-17 14:57:58
"David MacKinnon" <bl...@gm...> wrote on 04/16/2007 07:25:59 PM:

> On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> > Are there any plans to update opencryptoki to the v2.2 spec?
>
> I take it that's a no/not any time soon? :)

Sorry, the post got lost in my long list of emails...

We are working on moving up to the v2.2 level of the spec. However, there is no timeline in place as to when the work will be complete.

Thanks,
Tom

> -David
From: David M. <bl...@gm...> - 2007-04-17 15:34:17
On 4/18/07, Tom Lendacky <to...@us...> wrote:
> Sorry, the post got lost in my long list of emails...
>
> We are working on moving up to the v2.2 level of the spec. However, there is no timeline in place as to when the work will be complete.

Ahh, cool. The fact that it's planned is a Good Thing for us :) The ability to store x.509 keys/certs in the Thinkpad TPM module for ipsec auth is something we're quite keen to have.

I'm currently seeing how hard it would be to patch strongswan "back" to the pkcs#11 2.1 spec, but that's going back quite a way (the initial smartcard support commit, in fact. The very next commit in their cvs repository is moving up to v2.2, and that's for the old 2.x series, not the current 4.x code).

-David

> Thanks,
> Tom
>
> > -David
From: Michael H. <mha...@us...> - 2007-04-17 16:31:24
On Tue, Apr 17, 2007 at 09:57:36AM -0500, Tom Lendacky wrote:
> "David MacKinnon" <bl...@gm...> wrote on 04/16/2007 07:25:59 PM:
>
> > On 4/5/07, David MacKinnon <bl...@gm...> wrote:
> > > Are there any plans to update opencryptoki to the v2.2 spec?
> >
> > I take it that's a no/not any time soon? :)
>
> Sorry, the post got lost in my long list of emails...
>
> We are working on moving up to the v2.2 level of the spec. However, there is no timeline in place as to when the work will be complete.

There is a CVS branch with an alpha version containing the v2.20 spec features. The name of the branch is ``v2_20''. If you want to try it out, do a CVS checkout of the v2_20 branch. Note that any bugfixes that went into the main branch over the last 4 or 5 months have not been merged into that branch as of yet.

    cvs -z3 -d:pserver:ano...@op...:/cvsroot/opencryptoki co -r v2_20 -P opencryptoki

Mike