PKCS11 / smartcard

David Woodhouse dwmw2 at infradead.org
Thu Dec 1 11:25:41 EST 2011


On Wed, 2011-11-30 at 19:34 +0000, Tony Beets wrote:
> I was wondering if there is a way to get openconnect to use
> certificates stored on a smartcard? I can't seem to find any way to
> point openconnect to use a pkcs11 interface but maybe I missed
> something?
> Or maybe it is a feature planned for future releases?
> The option to use TPM is nice but smart cards are fairly common in
> corporate environments.

There is an OpenSSL Engine (plugin) for PKCS#11:
http://www.opensc-project.org/engine_pkcs11

If you get that working with your smartcard, it would be relatively
simple to make OpenConnect use it. It would look fairly similar to the
existing code to use the TPM Engine. In fact, just changing the "tpm" in
the ENGINE_by_id() call at the start of load_tpm_certificate() to
"pkcs11" should probably get you most of the way there.

I'd recommend you start with getting OpenSSL and the engine working.
Once you have that, the OpenConnect parts should be easy and I'd be very
keen to support it.

-- 
dwmw2
