[Pkg-swan-devel] Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl

Grizzard, Robert robert.grizzard at quoininc.com
Mon Apr 15 18:05:30 BST 2019


Package: strongswan-nm
Version: 5.7.2-1
Severity: important
Tags: upstream

Dear Maintainer,

When using a yubikey 4 smartcard device with strongswan configured according to
the instructions for smartcard usage
(https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards#strongSwan-configuration)
with network-manager-strongswan and strongswan-nm, network manager fails to
authenticate.
Using the smartcard with swanctl works properly.
Using the same certificate and key that were loaded onto the smartcard with the
network manager Authentication option "Certificate/private key" authenticates
correctly.

The complete output when using the "Smartcard" option in network manager seen
in /var/log/syslog is:
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]: <info>  [1555345893.6013] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: Saw the service appear; activating connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] received initiate for NetworkManager connection New vpn connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] using CA certificate, gateway identity 'openbsd.lan.domain'
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]: <warn>  [1555345893.6077] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: VPN connection: failed to connect: 'no usable smartcard certificate found.'


The relevant output seen in /var/log/syslog when using swanctl with the
smartcard is:
Apr 15 12:43:12 qir9rgyf8 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Apr 15 12:43:12 qir9rgyf8 ipsec[7908]: Starting strongSwan 5.7.2 IPsec [starter]...
Apr 15 12:43:12 qir9rgyf8 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-4-amd64, x86_64)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG]   OpenSC Project: OpenSC smartcard framework v0.19
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG]   found token in slot 'opensc':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)

The contents of /etc/strongswan.d/charon/pkcs11.conf are:
pkcs11 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Reload certificates from all tokens if charon receives a SIGHUP.
    # reload_certs = no

    # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
    # option).
    # use_dh = no

    # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
    # operations. ECDSA private keys can be used regardless of this option.
    # use_ecc = no

    # Whether the PKCS#11 modules should be used to hash data.
    # use_hasher = no

    # Whether the PKCS#11 modules should be used for public key operations, even
    # for keys not stored on tokens.
    # use_pubkey = no

    # Whether the PKCS#11 modules should be used as RNG.
    # use_rng = no

    # List of available PKCS#11 modules.
    modules {

        opensc {

            # Whether to automatically load certificates from tokens.
            # load_certs = yes

            # Whether OS locking should be enabled for this module.
            # os_locking = no

            # Full path to the shared object file of this PKCS#11 module.
            path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

        }

    }

}


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (3, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= 
(charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-nm depends on:
ii  libc6                 2.28-8
ii  libglib2.0-0          2.58.3-1
ii  libnm0                1.14.6-2
ii  libstrongswan         5.7.2-1
ii  strongswan-libcharon  5.7.2-1

Versions of packages strongswan-nm recommends:
ii  network-manager-strongswan  1.4.4-2

strongswan-nm suggests no packages.

-- no debconf information
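The one thing the two syslog excerpts above make visible is that charon logs a "loaded PKCS#11 ... library" line and a "found token in slot" line, while the charon-nm excerpt shows neither before NetworkManager reports 'no usable smartcard certificate found'. The script below is an added example (not part of this bug report and not strongSwan or Debian code) that turns that comparison into a repeatable check: it parses the strongswan.conf section syntax used by pkcs11.conf to find which PKCS#11 modules are configured, then scans syslog lines and reports, per charon daemon, which configured modules were loaded, which tokens were found, and whether a smartcard failure was reported. It assumes the log line formats quoted in this report and that the 'no usable smartcard certificate found' message relayed by NetworkManager originates from charon-nm; the sample config and log lines embedded in it are constructed from the text of this report.

```python
import re
from collections import defaultdict

# Constructed sample input: the pkcs11.conf from the report with the stock
# comment text trimmed; the settings themselves are the report's own.
SAMPLE_PKCS11_CONF = """\
pkcs11 {
    load = yes
    # reload_certs = no
    modules {
        opensc {
            # load_certs = yes
            path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        }
    }
}
"""

# Constructed sample input: syslog lines quoted in the report (the long
# NetworkManager line shortened) so the script runs offline.
SAMPLE_SYSLOG = """\
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] received initiate for NetworkManager connection New vpn connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] using CA certificate, gateway identity 'openbsd.lan.domain'
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]: <warn>  [1555345893.6077] vpn-connection[...]: VPN connection: failed to connect: 'no usable smartcard certificate found.'
Apr 15 12:43:12 qir9rgyf8 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-4-amd64, x86_64)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG]   found token in slot 'opensc':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf-style text into nested dicts.

    Handles 'name {', '}', 'key = value', blank lines and '#' comments.
    Simplification: a '#' anywhere on a line starts a comment, so quoted
    values containing '#' and 'include' directives are not supported."""
    root, stack = {}, []
    stack.append(root)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.endswith('{'):
            section = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(section)
        elif line == '}':
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
        elif '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            stack[-1][key] = value
        else:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
    if len(stack) != 1:
        raise ValueError("unclosed section at end of input")
    return root


# Log line shapes taken from the report's own syslog excerpts.
LOG_RE = re.compile(
    r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
LOADED_RE = re.compile(r"loaded PKCS#11 v[\d.]+ library '(?P<name>[^']+)' \((?P<path>[^)]+)\)")
TOKEN_RE = re.compile(r"found token in slot '(?P<name>[^']+)':(?P<slot>\d+) \((?P<label>[^)]+)\)")
NO_CARD_MSG = "no usable smartcard certificate found"


def pkcs11_status(conf_text, syslog_text):
    """Cross-check configured PKCS#11 modules against what each charon
    daemon logged: modules loaded (and at which path), tokens found,
    and whether a smartcard failure was reported."""
    pkcs11 = parse_strongswan_conf(conf_text).get('pkcs11', {})
    configured = {name: sec.get('path') for name, sec in pkcs11.get('modules', {}).items()}
    plugin_enabled = pkcs11.get('load', 'no').lower() in ('yes', 'true', '1')

    seen = defaultdict(lambda: {'loaded': {}, 'tokens': [], 'failure': False})
    for line in syslog_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        proc, msg = m.group('proc'), m.group('msg')
        if proc.startswith('charon'):
            d = seen[proc]          # record the daemon even if nothing matches
            lm, tm = LOADED_RE.search(msg), TOKEN_RE.search(msg)
            if lm:
                d['loaded'][lm.group('name')] = lm.group('path')
            elif tm:
                d['tokens'].append((tm.group('name'), int(tm.group('slot')), tm.group('label')))
        elif proc == 'NetworkManager' and NO_CARD_MSG in msg:
            # Assumption: NetworkManager relays this error from charon-nm, the
            # only charon daemon it drives, so it is recorded against charon-nm.
            seen['charon-nm']['failure'] = True

    report = {}
    for proc, d in seen.items():
        report[proc] = {
            'plugin_enabled': plugin_enabled,
            'modules_loaded': sorted(d['loaded']),
            'modules_missing': sorted(n for n in configured if n not in d['loaded']),
            'path_mismatch': sorted(n for n, p in d['loaded'].items()
                                    if configured.get(n) not in (None, p)),
            'tokens': d['tokens'],
            'smartcard_failure': d['failure'],
        }
    return report


if __name__ == '__main__':
    for proc, result in pkcs11_status(SAMPLE_PKCS11_CONF, SAMPLE_SYSLOG).items():
        print(proc, result)
```

Run against a real /var/log/syslog and /etc/strongswan.d/charon/pkcs11.conf, the report separates "the daemon never loaded the module" from "the module loaded but saw no token" from "a token was found but no certificate on it was usable", which are different problems with different fixes. On the excerpt in this report it lists 'opensc' as missing for charon-nm only because no load line appears in the quoted lines; a capture that includes charon-nm's startup messages is needed before concluding the plugin was not loaded at all.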