Chris J Arges wrote:
This patch allows one to specify --pkcs11-id auto to automatically
select the first certificate on a pkcs11 device. This simplifies
scripts and usage in environments where clients may only use a single
certificate for connecting to a VPN.
Based on a patch by Oliver Dumschat-Hötte.

Some security-minded (paranoid?) folks will say that you should never automatically select a certificate/key pair (which is what a normal user would want, of course). This patch does seem like a useful addition, and it actually restores some functionality found in earlier versions of OpenVPN, IIRC. Perhaps more warnings should be added about this being a (minor) security risk.

A man page snippet for this is missing from the patch, but that can be done if the patch is ACKed by others.
I'm not authoritative on ACKing patches, but as far as I am concerned: ACK

JJK

Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
 src/openvpn/pkcs11.c |   41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
                }
        }
        else {
-               if (
-                       (rv = pkcs11h_certificate_deserializeCertificateId (
-                               &certificate_id,
-                               pkcs11_id
-                       )) != CKR_OK
-               ) {
-                       msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", 
rv, pkcs11h_getMessage (rv));
-                       goto cleanup;
+               if ( strcmp(pkcs11_id, "auto") == 0 ) {
+                       char *pkcs11_id_read = NULL;
+                       char *base64 = NULL;
+                       if ( !pkcs11_management_id_get(
+                              0,
+                              &pkcs11_id_read,
+                              &base64
+                          )
+                       ) {
+                               msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 
failed");
+                               goto cleanup;
+                       }
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id_read
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize auto id 
%ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
+               } else {
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize id 
%ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
                }
        }
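Review bot: the two out-parameters filled by pkcs11_management_id_get in the new "auto" branch are never released: `base64` is requested but never read, and `pkcs11_id_read` is not freed either before the `goto cleanup` on deserialization failure or after a successful pkcs11h_certificate_deserializeCertificateId, so if that helper allocates its outputs both strings leak on every path. Suggest freeing both right after the deserialize call and on the failure path (or not requesting the base64 form at all if the helper accepts NULL there). The auto and non-auto blocks are otherwise identical apart from the id string; selecting the id into one variable first (`const char *id = strcmp (pkcs11_id, "auto") == 0 ? pkcs11_id_read : pkcs11_id;`) would leave a single deserialize/warn/cleanup sequence instead of two copies. Since index 0 is picked silently, a log line stating which serialized id "auto" resolved to would let operators audit what the client actually authenticated with, which also speaks to the concern about automatic selection raised earlier in the thread.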

