pkcs11 Plugin

Purpose

The pkcs11 plugin for libstrongswan gives access to smart cards and other tokens through the PKCS#11 interface and can be used by both the IKE daemon charon and the pki tool. Besides RSA keys, the plugin also supports ECDSA keys, DH/ECDH and RNG operations.

The plugin is disabled by default and can be enabled with the ./configure option

--enable-pkcs11

Configuration

The pkcs11 plugin is configured using the following options in the charon.plugins.pkcs11 section of strongswan.conf. The same options may be placed in the libstrongswan.plugins.pkcs11 section instead, which applies to all libstrongswan-based applications, including the pki tool (as in the example below):

Key                        | Default | Description
---------------------------|---------|------------------------------------------------------------------
modules                    |         | This section lists available PKCS#11 modules
modules.<name>.path        |         | Full path to the shared object file of this PKCS#11 module
modules.<name>.os_locking  | no      | Whether OS locking should be enabled for this module
modules.<name>.load_certs  | yes     | Whether the PKCS#11 modules should load certificates from tokens
reload_certs               | no      | Whether the PKCS#11 modules should reload all certificates if charon receives a SIGHUP signal
use_dh                     | no      | Whether the PKCS#11 modules should be used for DH and ECDH
use_ecc                    | no      | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations. ECDSA private keys can be used regardless of this option
use_hasher                 | no      | Whether the PKCS#11 modules should be used to hash data
use_pubkey                 | no      | Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens
use_rng                    | no      | Whether the PKCS#11 modules should be used as RNG
use_rsa_pss_hashers        | no      | Whether the PKCS#11 modules should try to use internal hashing for RSA-PSS signatures (some PKCS#11 libraries don’t implement internal hashing in conjunction with RSA-PSS correctly). RSA-PSS support since version 5.9.14

Example:

libstrongswan {
  # ...
  plugins {
    pkcs11 {
      modules {
        my-xy-module {
          path = /path/to/pkcs11/lib.so
        }
      }
    }
  }
}

Behavior

Certificates stored on smart cards are loaded automatically when the daemon is started. If the PKCS#11 module supports hot-plugging, the certificates are reloaded when a token gets inserted or removed later. The first certificate matching the local identity

connections.<conn>.local<suffix>.id

in swanctl.conf will be used.

Specific certificates can also be loaded via swanctl.conf using sections of the form

connections.<conn>.local<suffix>.cert<suffix>

To access the private key on the token, you have to specify the associated PIN in swanctl.conf in a section of the form

secrets.token<suffix>

If no PIN is configured in that section, swanctl prompts the user for it when the secrets are loaded interactively (swanctl --load-creds).
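The following swanctl.conf fragment is an added example, not configuration from the strongSwan project itself. It puts the two sections just described together: a connection whose local certificate is selected explicitly on the token, and the token secret that unlocks the matching private key. The module name my-xy-module is taken from the strongswan.conf example above; the connection name, identities, address, CKA_ID (handle), slot number and PIN are assumed placeholder values.

```conf
# swanctl.conf (added example; all values below are assumptions)
connections {
  rw-token {
    remote_addrs = vpn.example.org

    local {
      auth = pubkey
      id = "C=CH, O=Example, CN=alice"
      # Select this certificate on the token explicitly instead of relying
      # on the first loaded certificate that matches local.id.
      cert1 {
        # Hex-encoded CKA_ID of the certificate object on the token
        handle = 01
        # Optional: slot holding the token; omit to search all slots
        slot = 0
        # Optional: module name from libstrongswan.plugins.pkcs11.modules
        module = my-xy-module
      }
    }

    remote {
      auth = pubkey
      id = "C=CH, O=Example, CN=vpn.example.org"
    }

    children {
      net {
        remote_ts = 10.1.0.0/16
      }
    }
  }
}

secrets {
  # Private key on the token, selected by the CKA_ID it shares with
  # the certificate above. The key never leaves the token; only the
  # PIN is needed to use it.
  token-alice {
    handle = 01
    slot = 0
    module = my-xy-module
    # Omit "pin" to be prompted during an interactive swanctl --load-creds;
    # if it is stored here, keep swanctl.conf readable by root only.
    pin = 123456
  }
}
```

After editing the file, swanctl --load-creds loads the token secret (and prompts for the PIN if none is configured), swanctl --load-conns loads the connection, and swanctl --list-certs shows whether the certificate on the token was picked up.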

NetworkManager (see the smart card requirements on its page) makes the use of smart cards with IKEv2 even easier.