author: Tobias Brunner <tobias@strongswan.org> 2016-11-18 15:01:18 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2017-02-16 19:24:07 +0100
commit: 2ceeb96db51a36ce0ee04db09dce41f144208f7a
tree: cdb3480477db3c12138abb3f47b151eb10b35ebc /src/libcharon/plugins/vici/README.md
parent: b657740e16a8e5ccbc6627aef32962211a21220e
vici: Add command to load a private key from a token
PINs are stored in a "hidden" credential set, so that its shared secrets are not exposed via VICI. Since they are not explicitly loaded as shared secrets via VICI, a client might consider them as removed secrets and remove them.
Diffstat (limited to 'src/libcharon/plugins/vici/README.md')
-rw-r--r-- src/libcharon/plugins/vici/README.md 18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 5c29ed361..556d05e32 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -491,6 +491,24 @@ including keys found in other backends.
]
}
+### load-token() ###
+
+Load a private key located on a token into the daemon. Such keys may be listed
+and unloaded using the _get-keys_ and _unload-key_ commands, respectively (based
+on the key identifier derived from the public key).
+
+ {
+ handle = <hex-encoded CKA_ID of the private key on token>
+ slot = <optional slot number>
+ module = <optional PKCS#11 module>
+ pin = <optional PIN to access the key, has to be provided via other
+ means if not given>
+ } => {
+ success = <yes or no>
+ errmsg = <error string on failure>
+ id = <hex-encoded SHA-1 key identifier of the public key on success>
+ }
+
### load-shared() ###
Load a shared IKE PSK, EAP or XAuth secret into the daemon.
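
Review bot: The `pin` description in the load-token() request block says the PIN "has to be provided via other means if not given" but does not name those means, and nothing in the added text tells the reader that a PIN sent here is kept by the daemon in a credential set that is not exposed via VICI, which is what the commit message describes. Suggest stating both in the README, along with whether _unload-key_ also discards the stored PIN, so that a client author knows the lifetime of the secret and does not expect it to show up among the shared secrets. The `slot` and `module` lines are marked optional without saying what the daemon does when they are omitted; one sentence on that would remove the guesswork.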