On Fri, 16 Sep 2005, Alon Bar-Lev wrote:

> Hello,
> 
> This patch enables openvpn to access PKCS#11 cryptographic 
> tokens. It is based on the opensc patch that was posted earlier 
> (http://sourceforge.net/tracker/index.php?func=detail&aid=1114521&group_id=48978&atid=454721).
> 
> This patch was tested under Linux. It was tested with the 
> opensc PKCS#11 provider. Since it works with the opensc 
> provider and PKCS#11 standard is much more common, it makes 
> the opensc patch obsolete.
> 
> This patch compiles under Windows, but was not tested. I will 
> be glad if somebody tests it under Windows as well.
> 
> The patch is capable of using several PKCS#11 providers at the 
> same time.
> 
> The following options were added:
> --pkcs11-providers provider... - Loads a PKCS#11 provider.
> --pkcs11-sign-mode - How to perform signature.
> --pkcs11-slot-type - Specifies how to locate correct slot.
> --pkcs11-slot - Specifies slot name.
> --pkcs11-id-type - Specifies how to find certificate and key.
> --pkcs11-id - Specifies certificate and key name.
> 
> The following standalone options were added:
> --show-pkcs11-slots - Displays PKCS#11 slots.
> --show-pkcs11-objects - Displays PKCS#11 token contents.
> 
> Please refer to the man page for further information.
> 
> The patch can be found at 
> http://sourceforge.net/tracker/index.php?func=detail&aid=1293066&group_id=48978&atid=454721
> 
> Any comments/suggestions will be gladly accepted 
> (mailto:alon.bar...@gmail.com).
> 
> Special thanks to:
> Fritz Elfert - Wrote the original patch.
> Iván Casado Ruiz - Updated original patch and helped in 
> testing this one.

Alon,

This is very cool -- thanks for your efforts.  We'll plan on merging this 
when the 2.1 beta series starts up.  I'd like to see some Windows testing 
as well.

If you don't mind, it would also be great if you could put together a
mini-HOWTO on this.

A few details:

Make sure that it's easy to #ifdef out all the pkcs11 stuff, if people 
don't want it.  This is mostly for the embedded crowd who are very 
sensitive to code size.  Notice how almost every major non-core option can 
be selectively disabled:

./configure --help | grep disable

Try to add a ./configure --disable-pkcs11 option as well.

The other minor point is that you add a pkcs11 directory in the source
distribution root for some header files.  Right now, just to stay
consistent with the current source file organization, could you keep those
files in the root as well?  (I know that means that you'll end up with two
pkcs11.h files, so one would need to be renamed)

Thanks,
James
