PKCS11 / smartcard

David Woodhouse dwmw2 at infradead.org
Fri Dec 2 12:57:50 EST 2011


On Fri, 2011-12-02 at 17:48 +0000, Tony Beets wrote:
> I am fairly new to opensc and the use of smart cards but it seemed
> actually pretty straight forward to get it to work. I followed some of
> the documentation here:
> 
> http://www.gooze.eu/tutorials
> 
> 
> And here is an example of the pkcs11 engine working with stunnel:
> http://www.gooze.eu/howto/using-stunnel-with-smart-cards
> 
> 
> If you are interested in supporting smartcard tokens in openconnect I
> would be happy to contribute to the project by donating a card and a
> reader (I can probably ship it to you if you want to give me a post
> address off list).

That's a kind offer. I do actually have one of the Feitian ePass USB
tokens... somewhere. It arrived just before I went to linux.conf.au this
year, and travelled with me... and I *think* it made it home, although I
can't find it.

Really, I ought to be able to test PKCS#11 support in OpenConnect with
*just* a software "token", and I *certainly* ought to be able to find
the USB stick amongst the nappies and toys and other paraphernalia that
have infested the house since February... eventually :)

If you already have the OpenSSL PKCS#11 engine working, you should be
able to use it to connect to the AnyConnect server by using 'openssl
s_client -crlf' and talking HTTP to it manually (which isn't
particularly difficult since you can watch the traffic that openconnect
generates). Once *that's* working, converting the TPM code to work with
it should be a no-brainer.

If you let me have the openssl s_client command line you use (it'll
involve -engine pkcs11 and -keyform engine etc., I imagine), then I'll
attempt to come up with an openconnect patch for you to test.

-- 
dwmw2
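The manual check suggested above (drive `openssl s_client` through the OpenSSL PKCS#11 engine so the client key never leaves the card, then type HTTP at the AnyConnect server), written out as an added shell example. This is not code from the thread or from OpenConnect; the engine name `pkcs11`, the key identifier form `slot_0-id_01`, the exported certificate `client.pem`, the CA file `ca.pem` and the host `vpn.example.com` are assumptions for illustration, and the request is constructed here:

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenConnect.
# Assumptions (not stated on the page): the PKCS#11 engine is registered
# under the name "pkcs11", the key is addressed in the slot_N-id_NN form
# the engine accepts, the matching certificate has been exported from the
# token to a PEM file, and the server is vpn.example.com on port 443.

# Build the HTTP request that is fed to s_client on stdin.  The line
# endings are deliberately plain LF: 's_client -crlf' rewrites LF to CRLF
# on the way out, which is what HTTP requires on the wire.
build_request() {
    host="$1"
    path="${2:-/}"
    printf 'GET %s HTTP/1.1\nHost: %s\nUser-Agent: openconnect-probe\nConnection: close\n\n' \
        "$path" "$host"
}

# Open the TLS session with the engine-held key and the exported
# certificate, then send the request.  The handshake runs before any HTTP
# is written, so a wrong PIN, an unreachable token or a key/cert mismatch
# fails here rather than showing up as an odd HTTP error later.
# -verify_return_error makes a failed server-certificate check fatal
# instead of a warning, so the probe does not talk HTTP to an impostor.
anyconnect_probe() {
    host="$1"; key_id="$2"; cert_pem="$3"; ca_pem="$4"
    build_request "$host" / | openssl s_client -crlf -quiet \
        -connect "$host:443" -servername "$host" \
        -CAfile "$ca_pem" -verify_return_error \
        -engine pkcs11 -keyform engine -key "$key_id" -cert "$cert_pem"
}

# Example invocation (hypothetical identifiers); the engine prompts for
# the token PIN unless openssl.cnf already supplies it:
# anyconnect_probe vpn.example.com 'slot_0-id_01' client.pem ca.pem
```

Once the handshake succeeds with the card, the same `-engine pkcs11 -keyform engine -key ...` arguments are the ones to report back, since they identify exactly which key the engine is loading.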
More information about the openconnect-devel mailing list