[strongSwan] smartcard/HSM question

Martin Willi martin at strongswan.org
Wed May 30 15:10:54 CEST 2012

Hello Stephen,

> We want to use strongswan IKEv2 in such a way that the private key used
> by IKE (e.g. for creating the AUTH payload) never leaves some
> specialized custom secure hardware.

> 00[CFG]   loaded private key from %smartca... at etoken:33423544384442423444303736374239
> Suggesting that strongSwan is reading in the private key into its
> memory from a smartcard, just as I assume it does in the non-smartcard
> case (i.e., reading from a file).

While the log statement might be a little misleading, it actually does
what you'd like to achieve. The key itself never leaves the card, most
smartcard configurations actually don't allow you to extract the key.
The signature/decryption operations are delegated to the smartcard using
all the PKCS#11 interface magic.

Our PKCS#11 backend for charon [1] is rather complete and should work
fine with OpenSC or commercial PKCS#11 libraries.

If your custom hardware does not have a PKCS#11 interface (yet), you
might want to avoid all the PKCS#11 stuff and just provide private key
operations in a plugin through our interface [2] (as it is actually done
in our PKCS#11 wrapper [3]).



More information about the Users mailing list