Re: [Openvpn-devel] [PATCH] Add auto value to pkcs11-id parameter

[Jan Just Keijser]

Chris J Arges wrote:
This patch allows one to specify --pkcs11-id auto to automatically
select the first certificate on a pkcs11 device. This simplifies
scripts and usage in environments where clients may only use a single
certificate for connecting to a VPN.
Based on a patch by Oliver Dumschat-Hötte.
  
some security-minded (paranoid?) folks will say that you should never 
automatically select a certificate/key pair (which is what a normal user 
would want, of course).  This patch does seem like a useful addition, 
and it actually restores some functionality found in earlier versions of 
OpenVPN, IIRC.  Perhaps more warnings should be added about this being a 
(minor) security risk.

A man page snippet for this is missing from the patch, but that can be 
done if the patch is ACKed by others.
I'm not authoratitive on ACKing patches, but as far as I am concerned: ACK

JJK

Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
 src/openvpn/pkcs11.c |   41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
                }
        }
        else {
-               if (
-                       (rv = pkcs11h_certificate_deserializeCertificateId (
-                               &certificate_id,
-                               pkcs11_id
-                       )) != CKR_OK
-               ) {
-                       msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", 
rv, pkcs11h_getMessage (rv));
-                       goto cleanup;
+               if ( strcmp(pkcs11_id, "auto") == 0 ) {
+                       char *pkcs11_id_read = NULL;
+                       char *base64 = NULL;
+                       if ( !pkcs11_management_id_get(
+                              0,
+                              &pkcs11_id_read,
+                              &base64
+                          )
+                       ) {
+                               msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 
failed");
+                               goto cleanup;
+                       }
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id_read
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize auto id 
%ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
+               } else {
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize id 
%ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
                }
        }