Hello Stephen,

> We want to use strongswan IKEv2 in such a way that the private key used
> by IKE (e.g. for creating the AUTH payload) never leaves some
> specialized custom secure hardware.

> 00[CFG] loaded private key from
> %smartca...@etoken:33423544384442423444303736374239
>
> Suggesting that strongSwan is reading in the private key into its
> memory from a smartcard, just as I assume it does in the non-smartcard
> case (i.e., reading from a file).

While the log statement might be a little misleading, it actually does what you'd like to achieve. The key itself never leaves the card, most smartcard configurations actually don't allow you to extract the key. The signature/decryption operations are delegated to the smartcard using all the PKCS#11 interface magic.

Our PKCS#11 backend for charon [1] is rather complete and should work fine with OpenSC or commercial PKCS#11 libraries. If your custom hardware does not have a PKCS#11 interface (yet), you might want to avoid all the PKCS#11 stuff and just provide private key operations in a plugin through our interface [2] (as it is actually done in our PKCS#11 wrapper [3]).

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/SmartCardsIKEv2
[2] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/credentials/keys/private_key.h
[3] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
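The delegation pattern Martin describes, as an added illustration that is not part of the original thread and not strongSwan or OpenSC code: the IKE side holds only an opaque key handle and asks the token to sign the AUTH octets, while the token refuses any request to hand out private key material. `SoftToken`, `IkeAuthSigner`, the handle labels and the sample AUTH octets are all constructed for this example; the token uses textbook RSA over a SHA-256 digest (no PKCS#1 padding) purely to keep the example dependency-free, which is a simplification and not how a real card or charon's pkcs11 plugin signs.

```python
"""Model of "the private key never leaves the token" (constructed example).

SoftToken stands in for a smartcard / PKCS#11 module: key material lives
only inside the token object, and the only operations exposed to the
caller are key generation, public-key export and signing.  IkeAuthSigner
plays the role of the IKE daemon: it receives a handle, never key bytes.
"""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test with a small trial-division filter."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


class SoftToken:
    """Stand-in for a smartcard: private exponents are kept in self._private
    and no method returns them (the analogue of CKA_EXTRACTABLE = false)."""

    def __init__(self, bits: int = 1024) -> None:
        self._bits = bits
        self._private: dict[str, tuple[int, int]] = {}   # label -> (n, d)
        self._public: dict[str, tuple[int, int]] = {}    # label -> (n, e)

    def generate_keypair(self, label: str) -> str:
        """Generate the key on the token and return an opaque handle (the label)."""
        half = self._bits // 2
        p = _random_prime(half)
        q = _random_prime(half)
        while q == p:
            q = _random_prime(half)
        n, e = p * q, 65537
        d = pow(e, -1, (p - 1) * (q - 1))
        self._private[label] = (n, d)
        self._public[label] = (n, e)
        return label

    def public_key(self, handle: str) -> tuple[int, int]:
        return self._public[handle]

    def export_private(self, handle: str) -> bytes:
        """Every real token configured for IKE use refuses this; so do we."""
        raise PermissionError(f"key {handle!r} is not extractable")

    def sign(self, handle: str, data: bytes) -> bytes:
        """Sign SHA-256(data) inside the token. Simplified textbook RSA: the
        digest is used as the message representative without PKCS#1 padding."""
        n, d = self._private[handle]
        m = int.from_bytes(hashlib.sha256(data).digest(), "big")
        k = (n.bit_length() + 7) // 8
        return pow(m, d, n).to_bytes(k, "big")


def verify(public_key: tuple[int, int], data: bytes, signature: bytes) -> bool:
    """Peer-side check: recover the representative and compare with SHA-256(data)."""
    n, e = public_key
    m = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(int.from_bytes(signature, "big"), e, n) == m


class IkeAuthSigner:
    """The daemon side: holds a token and a handle, never private key bytes."""

    def __init__(self, token: SoftToken, handle: str) -> None:
        self._token = token
        self._handle = handle

    def sign_auth_octets(self, auth_octets: bytes) -> bytes:
        return self._token.sign(self._handle, auth_octets)


def private_key_leaves_token(token: SoftToken, handle: str) -> bool:
    """True only if the token hands out private material; expected to be False."""
    try:
        token.export_private(handle)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    tok = SoftToken()
    h = tok.generate_keypair("ike-auth-key")        # constructed label
    octets = b"constructed IKEv2 AUTH octets"       # constructed input
    sig = IkeAuthSigner(tok, h).sign_auth_octets(octets)
    print("signature valid:", verify(tok.public_key(h), octets, sig))
    print("private key extractable:", private_key_leaves_token(tok, h))
```

The property worth noticing is structural: `IkeAuthSigner` has no code path that could log, copy or leak the private exponent, because the only thing it ever receives from the token is a handle and a signature. That is the same guarantee strongSwan gets from a PKCS#11 module or from a plugin implementing `private_key_t`: the daemon's `sign()` call is forwarded to the device, and a log line saying a key was "loaded" refers to that handle, not to key material in process memory.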
