[strongSwan] charon IKEv2 usb smartcard dongle integration

Dimitrios Siganos dimitris at siganos.org
Thu Apr 8 20:08:22 CEST 2010


I have been asked by a client to investigate what it would take to 
create a Linux strongSwan deployment that integrates strongSwan IKEv2 
with a USB security smartcard. We already have some Aladdin Token 
JavaCard (USB ID 0529:0620) dongles but I imagine that any well known 
dongle will do. We want to deploy a PKI based system where the RSA 
private key is stored in the smartcard.

Just to make sure I don't get the wrong replies, I would like to 
reiterate that this email refers to charon (IKEv2) smartcard 
integration. The smartcard-related pages in the strongSwan wiki don't 
apply in this case, because they refer to pluto IKEv1 smartcard integration.

My understanding from reading various sources is that to get charon to 
work with a smartcard, I need to do the following:
1) set up charon to use openssl instead of its default plugins for RSA
2) use engine_pkcs11 to provide PKCS openssl engine (and somehow get 
charon to use it)
3) use openct to provide driver access to the dongle
4) I think I also need opensc because engine_pkcs11 expects it but I am 
not sure.

Does anyone have any experience with this sort of integration? I believe 
the client is willing to pay for this. Obviously a ready-made solution 
would be ideal but if we will have to develop it ourselves.

Dimitrios Siganos
