Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using SoftHSMv2 Token for StrongSwan #748

Open
Wellnitz-Stefan opened this issue May 23, 2024 · 0 comments
Open

Using SoftHSMv2 Token for StrongSwan #748

Wellnitz-Stefan opened this issue May 23, 2024 · 0 comments

Comments

@Wellnitz-Stefan
Copy link

Hi there,

I'm using StrongSwan (IPSec) in the "RoadWarrior"-Scenario. Since StrongSwan offers a PKCS#11 PlugIn, I tried to use the Token from StrongSwan. But I'm receiving this Error:

00[DMN] Starting IKE charon daemon (strongSwan 6.0.0beta6, Linux 6.1.0-18-amd64, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
00[CFG]   SoftHSM: Implementation of PKCS11 v2.6
00[CFG]   found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
00[CFG]     my_token (SoftHSM project: SoftHSM v2)
00[CFG]   found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
00[CFG]       (SoftHSM project: SoftHSM v2)
00[LIB] plugin 'sha1': failed to load - sha1_plugin_create not found and no plugin file available
00[LIB] plugin 'tpm': failed to load - tpm_plugin_create not found and no plugin file available
00[LIB] providers loaded by OpenSSL: legacy default
00[CFG] install DNS servers in '/etc/resolv.conf'
00[CFG]     loaded untrusted cert 'MyCertificate'
00[CFG] opening session failed: TOKEN_NOT_RECOGNIZED
00[LIB] loaded plugins: charon pkcs11 sha3 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf drbg attr kernel-netlink resolve socket-default vici updown xauth-generic
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'creds' (swanctl --load-creds)
04[CFG] module 'hsm-module' does not support hot-plugging, canceled
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
  SoftHSM: Implementation of PKCS11 v2.6
  found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
    my_token (SoftHSM project: SoftHSM v2)
  found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
      (SoftHSM project: SoftHSM v2)
    loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
08[CFG] loaded certificate 'C=CH, O=strongswan, CN=moon.strongswan.org'
10[CFG] loaded certificate 'C=CH, O=strongSwan, CN=strongSwan Root CA'
16[CFG] loaded ED25519 private key
12[CFG] found key on PKCS#11 token 'hsm-module':1807073400
12[CFG] loaded RSA private key from token
Segmentation fault (core dumped)
00[DMN] executing start script 'conns' (swanctl --load-conns)
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
  SoftHSM: Implementation of PKCS11 v2.6
  found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
    my_token (SoftHSM project: SoftHSM v2)
  found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
      (SoftHSM project: SoftHSM v2)
    loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
11[CFG] added vici connection: IKEv2
Segmentation fault (core dumped)
00[DMN] executing start script 'pools' (swanctl --load-pools)
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
  SoftHSM: Implementation of PKCS11 v2.6
  found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
    my_token (SoftHSM project: SoftHSM v2)
  found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
      (SoftHSM project: SoftHSM v2)
    loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
14[CFG] added vici pool mypool: 10.1.0.1, 254 entries
Segmentation fault (core dumped)
03[NET] received packet: from 192.168.254.3[500] to 192.168.254.2[500] (1100 bytes)
03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
03[IKE] received strongSwan vendor ID
03[IKE] 192.168.254.3 is initiating an IKE_SA
03[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA1/MODP_1024
03[CFG] C_GenerateKeyPair() error: GENERAL_ERROR

Using SoftHSM 2.6.1

This is the configuration for StrongSwan:

strongswan.conf:


charon {
  #threads = 1
  # Definiert Skripte, die beim Start von Charon ausgeführt werden. In diesem Fall werden die Befehle swanctl --load-creds, swanctl --load-conns und swanctl --load-pools ausgeführt, um Anmeldeinformationen, Verbindungen und IP-Pools zu laden.
  start-scripts {
     creds = swanctl --load-creds
     conns = swanctl --load-conns
     pools = swanctl --load-pools
  }
  
  #  Definiert die Log-Einstellungen für Charon. In diesem Fall wird das Standard-Log-Level auf 1 gesetzt und die Log-Nachrichten werden an stderr gesendet.
  filelog {
     stderr {
        default = 1
     }
  }
   
  send_vendor_id = yes
  prefer_configured_proposals = no
  fragment_size = 1480
  max_packet = 30000  
	load_modular = yes
  nonce_plugins = random
	plugins {
		include strongswan.d/charon/*.conf
    vici {
      load = yes
    }
    random {
      # Enable the plugin
      load = yes
    }
    sha1 {
      # Enable the plugin
      load = yes
    }

    sha3 {
      # Enable the plugin
      load = yes
    }
    
    socket-default {
      # Enable the plugin
      use = netkey
    }

    openssl {
      # Enable the plugin
      load = yes
      path = /usr/lib/x86_64-linux-gnu/ruby/3.1.0/openssl.so
    }
	}
}

swanctl {
  load = pem pkcs11 x509 revocation constraints pubkey openssl random
}

include strongswan.d/*.conf

libstrongswan {
  plugins {
    pkcs11 {
      use_dh = true
      use_ecc = true
      use_pubkey = true
      
      modules {
        hsm-module {
          path = /usr/lib/softhsm/libsofthsm2.so
        }
      }
    }
  }
}

swanctl.conf

connections {
	IKEv2 {
		fragmentation=yes
		keyingtries=0
		reauth_time=0s
		rekey_time=1d
		version=2
		remote_addrs=192.168.254.3
		local_addrs=192.168.254.2
		local_port=500
		remote_port=500
		vips=0.0.0.0
		proposals=aes128-sha256-prfsha1-modp1024, default
		dpd_delay=180
		pools = mypool
		children {
			IKEv2 {
				local_ts  = 10.1.0.0/16
				remote_ts = 0.0.0.0/0
			}
		}
		local {
			auth = pubkey
			certs = myCert.pem
			id = moon.strongswan.org
		}
		remote {
			auth = pubkey
		}
	}
}

pools {
    mypool {
        addrs = 10.1.0.1-10.1.0.254
    }
}

authorities {
	myca {
		cacert=caCert.pem
	}
}
secrets {
	privateKey{
			file=privateKey.pem
	}
	tokenSofthsm {
			handle=4142
			# SLOT_ID gets replaced automatically
			slot=SLOT_ID
			module=hsm-module
			pin=2345
	}
}

This is how the Token is created:

softhsm2-util --init-token \
              --slot 0 \
              --free \
              --label "my_token" \
              --pin 2345 \
              --so-pin 2345 \
              | cut -d ' ' -f11 > /id_file && \
\
export LD_LIBRARY_PATH=/usr/local/lib/:$LD_LIBRARY_PATH && \
\
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \
            -l -k \
            --key-type rsa:2048 \
            --id 4142 \
            --label "aeskey" \
            --pin 2345 \
            --usage-decrypt \
            --usage-sign \
            --extractable && \ 
\
export PKCS11_MODULE_PATH=/usr/lib/softhsm/libsofthsm2.so && \
\
openssl req \
          -new \
          -keyform engine \
          -engine pkcs11 \
          -key slot_$(cat /id_file)-id_4142 \
          -passin pass:2345 \
          -out certificate_request.csr \
          -subj "/C=DE/ST=Unknown/L=Unknown/O=MeineFirma/OU=IT/CN=example.com/emailAddress=admin@example.com" \
          -nodes \
          -addext "keyUsage = digitalSignature, keyEncipherment" && \
          \
openssl x509 \
          -req \
          -days 365 \
          -in certificate_request.csr \
          -engine pkcs11 \
          -keyform engine \
          -key slot_$(cat /id_file)-id_4142 \
          -passin pass:2345 \
          -out certificate.crt && \
\
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so \
            --login \
            --pin 2345 \
            --write-object certificate.crt \
            --type cert \
            --label "MyCertificate"

There is also a Ticket in StrongSwan-Project: strongswan/strongswan#2248

Please advise,
I'm not sure what leads to this error and how to fix this.
How should the Token be configured that StrongSwan can use it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant