[strongSwan] smartcard/HSM question
martin at strongswan.org
Wed May 30 15:10:54 CEST 2012
> We want to use strongswan IKEv2 in such a way that the private key used
> by IKE (e.g. for creating the AUTH payload) never leaves some
> specialized custom secure hardware.
> 00[CFG] loaded private key from %smartca... at etoken:33423544384442423444303736374239
> Suggesting that strongSwan is reading in the private key into its
> memory from a smartcard, just as I assume it does in the non-smartcard
> case (i.e., reading from a file).
While the log statement might be a little misleading, it actually does
what you'd like to achieve. The key itself never leaves the card, most
smartcard configurations actually don't allow you to extract the key.
The signature/decryption operations are delegated to the smartcard using
all the PKCS#11 interface magic.
Our PKCS#11 backend for charon  is rather complete and should work
fine with OpenSC or commercial PKCS#11 libraries.
If your custom hardware does not have a PKCS#11 interface (yet), you
might want to avoid all the PKCS#11 stuff and just provide private key
operations in a plugin through our interface  (as it is actually done
in our PKCS#11 wrapper ).
More information about the Users