尝试使用 swanctl 通过智能卡证书进行身份验证时出现“NO_PROPOSAL_CHOSEN”

尝试使用 swanctl 通过智能卡证书进行身份验证时出现“NO_PROPOSAL_CHOSEN”

我正在尝试使用 strongSwan(就我在这里使用而言swanctl)在两个虚拟机(名为 A 和 B)之间创建 VPN 隧道,使用主机到主机配置(如所述这里)以及用于 B 身份验证的智能卡

我生成了 CA 证书并用该证书为 A 和 B 签署了 CRT,一切按预期工作。(隧道创建没有问题)

之后,我决定在我的 yubikey 上生成一个 crt(使用yubikey-manager),我用我的 CA 对其进行签名,并且我配置 strongSwan 以使用 opensc 的模块来访问此卡。

我的swanctl --load-creds工作正常,我的也是swanctl --load-conns

这是我的结果swanctl --load-creds

loaded certificate from '/etc/swanctl/x509ca/ca.crt' #
loaded key tokenyubikey from token [keyid: "..."]

但是当我尝试启动时,swanctl --initiate出现了一些错误

每次尝试之前,我都会在每个主机上输入以下内容

systemctl restart swanctl
swanctl --load-conns
swanctl --load-creds

当我尝试从 B(带有 Yubikey 的那个)连接到 A 时,这是 A 上的输出(使用swanctl --log

我使用的命令是swanctl --initiate --child host-host

10[NET] sending packet: from <IP A>[500] to <IP B>[500] (273 bytes)
09[NET] received packet: from <IP B>[4500] to <IP A>[4500] (1104 bytes)
09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
09[DMN] thread 9 received 11
09[LIB]  dumping 20 stack frame addresses:
09[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3045a890]
09[LIB]     -> ??:?
09[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c3092b170]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:84
09[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 (host_printf_hook+0x37) [0x7f0c3092b347]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libstrongswan/networking/host.c:114
09[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c309456a6]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libstrongswan/utils/printf_hook/printf_hook_glibc.c:118
09[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 [0x7f0c300b0473]
09[LIB]     -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:2004
09[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (_IO_vfprintf+0x192a) [0x7f0c300b3cba]
09[LIB]     -> /build/glibc-OTsEL5/glibc-2.27/stdio-common/vfprintf.c:1688
09[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (__vsnprintf_chk+0xa9) [0x7f0c30189169]
09[LIB]     -> /build/glibc-OTsEL5/glibc-2.27/debug/vsnprintf_chk.c:65
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676c42]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:398
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30676e2a]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:441
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069ab36]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:973
09[LIB]   /usr/lib/ipsec/plugins/libstrongswan-connmark.so @ 0x7f0c2f6ae000 [0x7f0c2f6af6bb]
09[LIB]     -> ??:0
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30675a47]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/bus/bus.c:885
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30698e21]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1114
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c306a875c]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/sa/ikev2/task_manager_v2.c:1585
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c30697f47]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/sa/ike_sa.c:1587
09[LIB]   /usr/lib/ipsec/libcharon.so.0 @ 0x7f0c30667000 [0x7f0c3069182f]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libcharon/processing/jobs/process_message_job.c:74
09[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30931806]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libstrongswan/processing/processor.c:235
09[LIB]   /usr/lib/ipsec/libstrongswan.so.0 @ 0x7f0c308f9000 [0x7f0c30943d7b]
09[LIB]     -> /home/john/strongswan-5.8.1/src/libstrongswan/threading/thread.c:332 (discriminator 4)
09[LIB]   /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f0c30448000 [0x7f0c3044f6db]
09[LIB]     -> /build/glibc-OTsEL5/glibc-2.27/nptl/pthread_create.c:463
09[LIB]   /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f0c30057000 (clone+0x3f) [0x7f0c3017888f]
09[LIB]     -> /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:97
09[DMN] killing ourself, received critical signal

从这里开始,我的 StrongSwan 似乎已经死机了,我必须重新启动它。

当我尝试从 A 初始化到 B 时遇到了同样的问题(因为它是主机到主机的连接)

我尝试使用另一个虚拟机 A,当尝试从 B 到 A 时,出现了此输出。新的 A 主机使用 sterongswan swanctl 版本 5.6.2(从 apt 安装)

13[IKE] received cert request for "<CA's CN>"
13[IKE] received end entity cert "CN=<B's CN>"
13[CFG] looking for peer configs matching <New A's IP>[A]...<B's ip>[B]
13[CFG] selected peer config 'host-host'
13[IKE] no trusted RSA public key found for 'B'
13[IKE] peer supports MOBIKE
13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13[NET] sending packet: from <New A's IP>[4500] to <B's IP>[4500] (80 bytes)

当我尝试从新的 A 连接到 B 时,它崩溃了,如上所示

更多详细信息

这是我在 B 上的 swanctl.conf

    connections {
        home {
            remote_addrs = <A's ip> 

        local {
                auth = pubkey
                id = "B"
                certs = B.crt #It's the cert on my yubikey that i extracted and put onto /etc/swanctl/x509
            }
            remote {
                auth = pubkey
                id = "A"
        }
            children {
                host-host {
                    start_action = trap
                }
            }
        }
    }

    secrets {
    tokenyubikey {
        pin = <my pin>
        slot = 0
        handle = 1 # From what i understood, it's here that my crt is
        module = opensc 
    }
    }

这是我的命令的结果pkcs11-tool -M,显示支持 RSA256(至少据我所知)

Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA384-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify

这是我的 pkcs11-tool -O 的结果

Using slot 0 with a present token (0x0)
Public Key Object; RSA 1024 bits
  label:      PIV AUTH pubkey
  ID:         01
  Usage:      encrypt, verify, wrap
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  ID:         01
Data object 2496313968
  label:          'Card Capability Container'
  application:    'Card Capability Container'
  app_id:         2.16.840.1.101.3.7.1.219.0
  flags:          <empty>
Data object 2496314064
  label:          'Card Holder Unique Identifier'
  application:    'Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.0
  flags:          <empty>
Data object 2496314160
  label:          'Unsigned Card Holder Unique Identifier'
  application:    'Unsigned Card Holder Unique Identifier'
  app_id:         2.16.840.1.101.3.7.2.48.2
  flags:          <empty>
Data object 2496314256
  label:          'X.509 Certificate for PIV Authentication'
  application:    'X.509 Certificate for PIV Authentication'
  app_id:         2.16.840.1.101.3.7.2.1.1
  flags:          <empty>
Data object 2496314640
  label:          'X.509 Certificate for Digital Signature'
  application:    'X.509 Certificate for Digital Signature'
  app_id:         2.16.840.1.101.3.7.2.1.0
  flags:          <empty>
Data object 2496314736
  label:          'X.509 Certificate for Key Management'
  application:    'X.509 Certificate for Key Management'
  app_id:         2.16.840.1.101.3.7.2.1.2
  flags:          <empty>
Data object 2496314832
  label:          'X.509 Certificate for Card Authentication'
  application:    'X.509 Certificate for Card Authentication'
  app_id:         2.16.840.1.101.3.7.2.5.0
  flags:          <empty>
Data object 2496314928
  label:          'Security Object'
  application:    'Security Object'
  app_id:         2.16.840.1.101.3.7.2.144.0
  flags:          <empty>
Data object 2496315024
  label:          'Discovery Object'
  application:    'Discovery Object'
  app_id:         2.16.840.1.101.3.7.2.96.80
  flags:          <empty>

以下是我的 /etc/strongswan.d/charon/pkcs11.conf 中的内容

pkcs11 {
    load = yes
    modules {
    opensc {
        path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    }
    }
}

我在我的 Yubikey 上生成了一个 CSR yubikey-manager,然后按如下方式签名:

ipsec pki --issue --in b.csr --type pkcs10 --cacert <CA's crt> --dn "<CA's DN>CN=B" --san B --outform pem > b.crt 

然后使用以下方式将生成的 CRT 导入 Yubikeyyubikey-manager

我在 Ubuntu 18.04 上,Swanctl 是版本 5.8.1

编辑:这是结果pkcs11-tool --test --login

Using slot 0 with a present token (0x0)
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (1024 bits, label=SIGN key) with 1 signature mechanism
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN: 
    RSA-X-509: OK
  testing key 2 (1024 bits, label=KEY MAN key) with 1 signature mechanism -- can't be used to sign/verify, skipping
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
  testing key 1 (SIGN key) with 1 mechanism
Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN: 
    RSA-X-509: OK
  testing key 2 (KEY MAN key) with 1 mechanism -- can't be used to sign/verify, skipping
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key) 
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (SIGN key) 
    RSA-X-509: Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN: 
OK
    RSA-PKCS: Logging in to "PIV Card Holder pin (PIV_II)".
Please enter context specific PIN: 
OK
  testing key 2 (KEY MAN key) 
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

答案1

感谢 ecdsa,我终于让它工作了。

对于像我这样想知道如何使用 yubikey(在我的情况下是 Yubikey 5C)与 StrongSwan 建立主机 - 主机连接的人来说,我的配置正在运行。

我的问题是由于安装不当(我安装的不同 StrongSwan 版本之间存在一些冲突)

不要忘记将 crt 放到 x509 目录上,/etc/swanctl/x509这样它就可以正常工作了!

相关内容