PKCS11 / smartcard


 



On Wed, 2011-11-30 at 19:34 +0000, Tony Beets wrote:
> I was wondering if there is a way to get openconnect to use
> certificates stored on a smartcard? I can't seem to find any way to
> point openconnect to use a pkcs11 interface but maybe I missed
> something?
> Or maybe it is a feature planned for future releases?
> The option to use TPM is nice but smart cards are fairly common in
> corporate environments.

There is an OpenSSL Engine (plugin) for PKCS#11:
http://www.opensc-project.org/engine_pkcs11

If you get that working with your smartcard, it would be relatively
simple to make OpenConnect use it. It would look fairly similar to the
existing code to use the TPM Engine. In fact, just changing the "tpm" in
the ENGINE_by_id() call at the start of load_tpm_certificate() to
"pkcs11" should probably get you most of the way there.

I'd recommend you start with getting OpenSSL and the engine working.
Once you have that, the OpenConnect parts should be easy and I'd be very
keen to support it.

-- 
dwmw2



