Hello Alon,

good job!

I've tried your patch with my OpenSC token, but it requires me to specify a 
provider.

Can you detail what should go in the provider argument?

I've tried to issue a "openvpn --show-pkcs11-slots <provider>" with the 
following <providers>:
- /usr/lib/opensc/engine_pkcs11.so
- engine_pkcs11.so
- dynamic

They all result in the following error message:
"Cannot initialize PKCS#11 provider 6-CKR_FUNCTION_FAILED
Exiting"

Regards,
Iván Casado Ruiz
SADIEL, S.A.



-----Original Message-----
From: openvpn-devel-ad...@lists.sourceforge.net
[mailto:openvpn-devel-ad...@lists.sourceforge.net] On behalf of Alon
Bar-Lev
Sent: Saturday, 10 September 2005 23:17
To: openvpn-devel@lists.sourceforge.net; Avner Peled;
zv...@globalnet.hr
Subject: [Openvpn-devel] openvpn - support PKCS#11 smartcards


Hello,

There are two widely used standards of accessing cryptographic 
devices: RSA Security Inc PKCS#11 and Microsoft Cryptographic 
Service Provider.

Currently openssl has a Microsoft CryptoAPI interface.

PKCS#11 is a cross platform vendor independent interface, which 
is used by most smartcard enabled applications that are designed to 
run on non-Microsoft environments. 
(http://www.rsasecurity.com/rsalabs/node.asp?id=2133)

There is another standard which is called opensc that is also 
used in order to access smartcards, but most smartcard vendors 
do not support this interface. opensc also supplies a PKCS#11 
interface 
(http://www.opensc.org/files/doc/opensc.html#opensc.pkcs11) so 
that it should work if PKCS#11 support is added.

I took the opensc patch that was sent recently and converted 
it to support PKCS#11. Original post is 
http://openvpn.net/archive/openvpn-devel/2005-09/msg00018.html, 
based on 
http://openvpn.net/archive/openvpn-devel/2005-02/msg00000.html

The patch is suitable for running on Linux (tested) and on 
Windows (I don't have a build environment, but it compiles and 
the PKCS#11 part works).

Another advantage of PKCS#11 is that you don't need to link 
openvpn with a library (as with opensc), so it can be available 
if ssl is available, without any configuration options.

This patch adds the following options:
--pkcs11-provider provider - PKCS#11 provider to load.
--pkcs11-slot-type type - how to find the correct slot, can be:
        id - by number.
        name - by slot name.
        label - by token label.
--pkcs11-slot name - the slot name.
--pkcs11-id-type type - how to find certificate and private 
key, can be:
        id - by id, hex string.
        label - by label, string.
--pkcs11-id name - the id to find.

The following standalone options were added:
--show-pkcs11-slots provider - show available slots.
--show-pkcs11-objects provider slot - show available token 
objects.

I've removed the dialogs and user interactions that were added 
to the previous patches; in order to specify a password you 
simply use the current openvpn methods, such as --askpass. If 
someone thinks it should be added, let's discuss it. I don't 
see any point in an active VPN without a smartcard available.

I also updated the openssl documentation, I hope my English is 
correct... :)

I will be glad if people will try this patch, especially 
people who tried the current opensc patch.

Since PKCS#11 is available in both Windows and Linux, I hope 
Windows users will also try this patch; it resolves some 
problems that exist with running openvpn as a service and using 
CryptoAPI, since the service does not need to access the user 
store in order to fetch the certificate.

I am no expert in openssl, so I would appreciate it if some of you would 
look into the implementation... I may have missed some procedures.

Please don't be alarmed by the size of the patch; it contains 
the interface of the PKCS#11 module (pkcs11.h, pkcs11f.h, 
pkcs11t.h, cryptoki.h, cryptoki-win32.h).

Waiting for feedback... Any comments will be appreciated.

Best Regards,
Alon Bar-Lev.
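As an added example (not code from Alon's patch), the following C program does what --show-pkcs11-slots described above has to do behind the scenes, and illustrates the question at the top of the thread about what a provider argument is: the provider is the vendor's Cryptoki module itself, a shared library exporting C_GetFunctionList, which is loaded with dlopen, initialised with C_Initialize and then asked for its slots. The function name, the PK_ERR_* codes and the partial CK_FUNCTION_LIST_HEAD type are my own; the real pkcs11.h headers from the patch are not needed because the few Cryptoki types used are declared inline.

```c
#include <dlfcn.h>
#include <stdio.h>
/* Minimal Cryptoki types so this compiles without pkcs11.h (Unix alignment). */
typedef unsigned long CK_RV, CK_ULONG, CK_SLOT_ID, CK_FLAGS;
typedef unsigned char CK_BYTE, CK_BBOOL, CK_UTF8CHAR;
typedef struct { CK_BYTE major, minor; } CK_VERSION;
typedef struct {
    CK_UTF8CHAR slotDescription[64], manufacturerID[32];
    CK_FLAGS flags;
    CK_VERSION hardwareVersion, firmwareVersion;
} CK_SLOT_INFO;
/* Leading entries of CK_FUNCTION_LIST in the order fixed by pkcs11f.h; the
 * module's table continues past these, but only this prefix is dereferenced. */
typedef struct {
    CK_VERSION version;
    CK_RV (*C_Initialize)(void *);
    CK_RV (*C_Finalize)(void *);
    CK_RV (*C_GetInfo)(void *);
    CK_RV (*C_GetFunctionList)(void *);
    CK_RV (*C_GetSlotList)(CK_BBOOL, CK_SLOT_ID *, CK_ULONG *);
    CK_RV (*C_GetSlotInfo)(CK_SLOT_ID, CK_SLOT_INFO *);
} CK_FUNCTION_LIST_HEAD;   /* hypothetical name: a prefix of the real struct */

enum { PK_ERR_LOAD = -1, PK_ERR_NOT_PKCS11 = -2, PK_ERR_CKR = -3 };

/* Lists slots with a token present and returns their count (>= 0), or a
 * PK_ERR_* code.  For PK_ERR_CKR, *last_rv (if non-NULL) receives the CK_RV
 * of the failing Cryptoki call, e.g. 6 == CKR_FUNCTION_FAILED.  A NULL
 * provider is POSIX for "the running program", handy as a negative self-test. */
int pkcs11_list_slots(const char *provider, CK_RV *last_rv)
{
    CK_RV (*get_list)(CK_FUNCTION_LIST_HEAD **);
    CK_FUNCTION_LIST_HEAD *f = NULL;
    CK_SLOT_ID slots[32];
    CK_ULONG n = 32, i, rv = 0;
    int ret = PK_ERR_CKR;
    void *h = dlopen(provider, RTLD_NOW);
    if (!h) return PK_ERR_LOAD;                          /* not a loadable shared object */
    *(void **)&get_list = dlsym(h, "C_GetFunctionList");
    if (!get_list) { dlclose(h); return PK_ERR_NOT_PKCS11; } /* loads, but is not a Cryptoki module */
    if ((rv = get_list(&f)) == 0 && (rv = f->C_Initialize(NULL)) == 0) {
        if ((rv = f->C_GetSlotList(1, slots, &n)) == 0) {    /* tokenPresent = TRUE */
            for (i = 0; i < n; i++) {
                CK_SLOT_INFO si;
                if (f->C_GetSlotInfo(slots[i], &si) == 0)
                    printf("slot %lu: %.64s\n", slots[i], (const char *)si.slotDescription);
            }
            ret = (int)n;
        }
        f->C_Finalize(NULL);
    }
    if (last_rv) *last_rv = rv;
    dlclose(h);
    return ret;
}
```

Call it as pkcs11_list_slots("/path/to/vendor-pkcs11-module.so", &rv) (placeholder path); a negative return code tells you whether the path failed to load at all, loaded but is not a PKCS#11 module, or is a module whose C_Initialize/C_GetSlotList returned the CK_RV in rv.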
