PT-TLS SWIMA Client

Installing the strongSwan TNC Software

First we have to install some additional Ubuntu packages needed for the strongSwan TNC build

sudo apt install libssl-dev libcurl4-openssl-dev sqlite3 libsqlite3-dev libjson0-dev

Download the latest strongSwan tarball

wget https://download.strongswan.org/strongswan-5.7.0dr8.tar.bz2

Unpack the tarball

tar xf strongswan-5.7.0dr8.tar.bz2

and change into the strongSwan build directory

cd strongswan-5.7.0dr8

Configure strongSwan with the following options

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl --enable-tnc-imc --enable-tnccs-20 --enable-imc-os --enable-imc-swima --enable-sqlite --enable-curl

Build and install strongSwan with the commands

make; sudo make install

Configure the strongSwan "sw-collector" Tool

The sw-collector tool collects all software installation events and stores them in an SQLite database. Currently only apt history logs generated by the dpkg package manager (Debian, Ubuntu, etc.) can be parsed. We set up a clean collector database with the commands

sudo -s
mkdir /etc/pts
cat /usr/share/strongswan/templates/database/sw-collector/sw_collector_tables.sql | sqlite3 /etc/pts/collector.db

The sw-collector needs some options defined in /etc/strongswan.conf

sw-collector {
  database = sqlite:///etc/pts/collector.db
  history = /var/log/apt/history.log
  # first_file = /var/log/bootstrap.log
  # first_time = 2017-02-15T20:20:34Z
  rest_api {
    uri = https://admin-user:ietf99hackathon@tnc.example.com/api/
  }
}

By default the installation date of the original Linux OS is determined from the creation date of the file /var/log/bootstrap.log. If this file does not exist, another file name can be given with the first_file parameter. As an alternative, an approximate installation date can be set with the first_time parameter. Now we are ready to populate the collector database with all installation events that have already happened. Since there are usually up to 2000 software packages, we reduce the debug level for the initial run

sudo sw-collector --debug 1

First-Date: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
processing "/etc/lsb-release" file
operating system name is 'Ubuntu'
operating system version is '16.04 x86_64'
Last-Event: 2017-02-15T20:20:34Z, eid = 1, epoch = 1849176721
Start-Date: 2017-02-16T04:20:50Z, eid = 2, epoch = 1849176721
  Upgrade:
Start-Date: 2017-02-16T04:23:44Z, eid = 3, epoch = 1849176721
  Install:
Start-Date: 2017-02-16T04:37:48Z, eid = 4, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:17:46Z, eid = 5, epoch = 1849176721
  Upgrade:
Start-Date: 2017-07-07T13:18:15Z, eid = 6, epoch = 1849176721
Start-Date: 2017-07-07T13:18:23Z, eid = 7, epoch = 1849176721
  Purge:
Start-Date: 2017-07-07T13:19:08Z, eid = 8, epoch = 1849176721
Start-Date: 2017-07-07T13:20:01Z, eid = 9, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:20:10Z, eid = 10, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:24:09Z, eid = 11, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:41:44Z, eid = 12, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T13:55:18Z, eid = 13, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:57:02Z, eid = 14, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T13:58:05Z, eid = 15, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:01:13Z, eid = 16, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:02:23Z, eid = 17, epoch = 1849176721
  Install:
Start-Date: 2017-07-07T14:03:52Z, eid = 18, epoch = 1849176721
  Install:
  Upgrade:
Start-Date: 2017-07-07T14:24:12Z, eid = 19, epoch = 1849176721
  Install:
Merging:
  merged 1741 installed packages, 1741 registered in database
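As an added illustration of what sw-collector does with the apt history log (example code, not the tool's own implementation), the following Python sketch parses the history.log entry format into events numbered like the output above and replays them to obtain the set of currently installed packages. The sample log is constructed, and apt's zone-less local timestamps are treated as UTC, which is an assumption.

```python
import re
from datetime import datetime
# Constructed sample in the format apt writes to /var/log/apt/history.log
SAMPLE_HISTORY = """\
Start-Date: 2017-02-16  04:20:50
Upgrade: libssl1.0.0:amd64 (1.0.2g-1ubuntu4.5, 1.0.2g-1ubuntu4.6)
End-Date: 2017-02-16  04:21:02

Start-Date: 2017-02-16  04:23:44
Install: sqlite3:amd64 (3.11.0-1ubuntu1), libsqlite3-dev:amd64 (3.11.0-1ubuntu1, automatic)
End-Date: 2017-02-16  04:23:50

Start-Date: 2017-07-07  13:18:23
Purge: libsqlite3-dev:amd64 (3.11.0-1ubuntu1)
End-Date: 2017-07-07  13:18:30
"""

ACTIONS = ("Install", "Upgrade", "Remove", "Purge")
# "name:arch (version[, extra])" entries, comma separated
PKG_RE = re.compile(r"([^\s,(]+) \(([^)]*)\)")

def parse_events(text, first_eid=2):
    """Split an apt history log into events numbered like sw-collector does
    (eid 1 is taken by the OS installation date, so history starts at 2)."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = dict(line.partition(": ")[::2] for line in block.splitlines())
        if "Start-Date" not in fields:
            continue
        # apt logs local time without a zone; treated as UTC here (assumption)
        ts = datetime.strptime(fields["Start-Date"], "%Y-%m-%d  %H:%M:%S")
        event = {"eid": first_eid + len(events), "time": ts.strftime("%Y-%m-%dT%H:%M:%SZ")}
        for action in ACTIONS:
            if action in fields:
                event[action] = PKG_RE.findall(fields[action])
        events.append(event)
    return events

def merge_installed(events):
    """Replay events in order to get the installed set (the "Merging:" step)."""
    installed = {}
    for ev in events:
        for name, ver in ev.get("Install", []):
            installed[name] = ver.split(",")[0]          # "(version[, automatic])"
        for name, ver in ev.get("Upgrade", []):
            installed[name] = ver.split(", ")[1]         # "(old, new)"
        for name, _ in ev.get("Remove", []) + ev.get("Purge", []):
            installed.pop(name, None)
    return installed
```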

Creating a Client Certificate

Using the strongSwan pki tool and the CA created in the PT-TLS SWIMA Server section, an end entity certificate can be generated in the following way in the "/etc/pts/pki" directory

pki --gen --type ecdsa --size 256 --outform pem > client1_Key.pem
pki --req --in client1_Key.pem --type ecdsa --dn "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" --san "client1.example.com" --outform pem > client1_Req.pem

The PKCS#10 certificate request can now be signed by the CA

pki --issue --cakey caKey.pem --cacert caCert.pem --in client1_Req.pem --type pkcs10 --lifetime 1461 --outform pem > client1_Cert.pem

The certificate info can be displayed with

pki --print --in client1_Cert.pem
  subject:  "C=CZ, O=IETF, OU=SACM, CN=TNC Client 1" 
  issuer:   "C=CZ, O=IETF, OU=SACM, CN=IETF 99 Prague Hackathon CA" 
  validity:  not before Jul 07 22:58:17 2017, ok
             not after  Jul 07 22:58:17 2021, ok (expires in 1460 days)
  serial:    30:b7:f1:4b:e4:64:3a:5e
  altNames:  client1.example.com
  authkeyId: 81:44:64:84:26:5f:f6:08:80:4a:c9:77:32:0e:b2:78:d0:8f:e5:84
  subjkeyId: 32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d
  pubkey:    ECDSA 256 bits
  keyid:     f5:7b:fa:bd:ba:f9:72:91:33:91:0d:70:c5:90:36:12:30:1c:f3:25
  subjkey:   32:1f:29:04:6d:16:86:02:3f:c2:09:b9:4d:4d:82:de:95:92:ed:4d

Configuring the strongSwan "pt-tls-client" Tool

The pt-tls-client tool needs some configurations in /etc/strongswan.conf

pt-tls-client {
  load = random nonce x509 revocation constraints openssl pkcs1 pkcs8 pem pubkey tnc-imc tnc-tnccs tnccs-20 curl sqlite

  plugins {
    tnccs-20 {
      max_batch_size = 131056
      max_message_size = 131024
    }
  }
}

libtls {
  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
}

libimcv {
  plugins {
    imc-os {
      device_cert = /etc/pts/pki/client1_Cert.pem
    }
    imc-swima {
      swid_full = yes
      swid_database = sqlite:///etc/pts/collector.db
    }
  }
}

The /etc/tnc_config file defines which Integrity Measurement Collectors (IMCs) are loaded by the TNC client

#IMC-Configuration
IMC "OS"        /usr/lib/ipsec/imcvs/imc-os.so
IMC "SWIMA"     /usr/lib/ipsec/imcvs/imc-swima.so

The PT-TLS connection parameters are given on the command line. To save some typing, we store the parameters in /etc/pts/options

--connect tnc.example.com
--cert /etc/pts/pki/caCert.pem
--cert /etc/pts/pki/client1_Cert.pem
--key /etc/pts/pki/client1_Key.pem
--key-type ecdsa
--debug 1

The SWIMA measurements on the endpoint are now transmitted using the simple command

pt-tls-client --optionsfrom /etc/pts/options