Smartcard (pkcs11) support?
Sven Geggus
lists at fuchsschwanzdomain.de
Thu Mar 1 15:57:36 EST 2012
David Woodhouse <dwmw2 at infradead.org> wrote:
> This is a lot more feasible now than it used to be — at least gnutls has
> DTLS support now. You'd just need to add the hacks to make it compatible
> with Cisco's bastardised version of the protocol.
Hm, I asked because gnutls seems to have a clean native pkcs11 interface
with a unified key/cert addressing scheme.
Using the source code at
http://www.gnu.org/software/gnutls/manual/html_node/Client-using-a-smart-card-with-TLS.html
I have been able now to use my smartcard out of the box adding my
proprietary pkcs11 library to the pool of available pkcs11 libraries.
There is also a nice commandline utility "p11tool" which provides
access to the keys stored on the pkcs11 provider (on the smartcard in
my case).
> Alternatively, use an OpenSSL "Engine". OpenConnect has worked with a
> TPM from the very beginning, that way.
The pkcs11 engine for openssl is provided by a third party and is
unfortunately not very well documented and looks more or less
unmaintained to me. I have not yet been able to access the card properly
using it. A p11tool equivalent does not seem to exist. At least I
did not yet find one. In gnutls TPM access seems to be also possible
using pkcs11.
Sven
--
TCP/IP: telecommunication protocol for imbibing pilsners
(Man-page uubp(1C) on Debian/GNU Linux)
/me is giggls at ircnet, http://sven.gegg.us/ on the Web