Re: Re: OpenSwan

On Wed, May 10, 2006 at 11:05:19PM +0200, Andreas Jellinghaus wrote:
> does openswan use engine_pkcs11 like strongswan
> or do they still use the native opensc interface?
native opensc, no dep on engine_pkcs11. Thats also how the
overview on strongswan.org states it.

> I don't want deep hacked up changes in opensc,
> so if they use that interface, you would have to hack
> their code.
Hm.. can the two certs be mixed by any chance, so that the app
gets the second cert first? Would also solve my need to patch,
and could also work with more apps.

> but if they use engine_pkcs11, we could add some
> ".X" syntax where you can specify if you want the
> second, third ... certificate with one id.
> sure, would be ugly, but practical ...
Or some override that can be set in the configfile?
"If app wants cert #44 give it #45." For that also some
different id-numbering would be needed to be able to address
exactly every cert.

> > Looks like opensc-api, the pluto-daemon is linked against
> > libopensc, libssl, libopenct and libpcsclite here.
> oops, ok, openssl :(
OpenSwan uses it also for the ipsec-operations, so no clue
just from seeing it linked if it is involved in cardreading.

> sorry, no time to dive into their code this week .
no problem, after all its only one application amongst some
that have to handle the situation. 
Shuffling the two certs with the same id would be the
easiest help i see.

Christian