Op 4 jun. 2014, om 10:41 heeft Dirk-Willem van Gulik <[email protected]> het
volgende geschreven:
> What is the right syntax in IdentityFIle to specify a specific PKCS#11
> provider or, even better, a
> specific slot or key ?
>
> I am failing to trigger below code :) i.e. getting key populated right.
>
Actually - the more I look at this - the more I wonder if:
> /* Prefer PKCS11 keys that are explicitly listed */
> TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
> if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
> continue;
> found = 0;
> TAILQ_FOREACH(id2, &files, next) {
> if (id2->key == NULL ||
> (id2->key->flags & KEY_FLAG_EXT) != 0)
this !=0 not needs to be a == 0 ?
> continue;
> if (key_equal(id->key, id2->key)) {
> TAILQ_REMOVE(&files, id, next);
> TAILQ_INSERT_TAIL(preferred, id, next);
> found = 1;
> break;
> }
> }
As that in the very least would let one set the IdentityFile to the PKCS
dll/lib included — and at least limit
the keys checked* to those provided by that pkcs driver.
Dw.
*: i.e. trying to avoid things like ssh-guard locking an IP out as it tries too
many keys - as the pkcs#11 is too late, etc; something increasingly common now
that sparkle, dropbox and owncloud ‚auto add’ keys into the users their
keychains willy nilly.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]