Chris J Arges wrote:
This patch allows one to specify --pkcs11-id auto to automatically
select the first certificate on a pkcs11 device. This simplifies
scripts and usage in environments where clients may only use a single
certificate for connecting to a VPN.
Based on a patch by Oliver Dumschat-Hötte.
Some security-minded (paranoid?) folks will say that you should never
automatically select a certificate/key pair (which is what a normal user
would want, of course). This patch does seem like a useful addition,
and it actually restores some functionality found in earlier versions of
OpenVPN, IIRC. Perhaps more warnings should be added about this being a
(minor) security risk.
A man page snippet for this is missing from the patch, but that can be
done if the patch is ACKed by others.
I'm not authoritative on ACKing patches, but as far as I am concerned: ACK
JJK
Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
src/openvpn/pkcs11.c | 41 +++++++++++++++++++++++++++++++++--------
1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
}
}
else {
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId (
- &certificate_id,
- pkcs11_id
- )) != CKR_OK
- ) {
- msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'",
rv, pkcs11h_getMessage (rv));
- goto cleanup;
+ if ( strcmp(pkcs11_id, "auto") == 0 ) {
+ char *pkcs11_id_read = NULL;
+ char *base64 = NULL;
+ if ( !pkcs11_management_id_get(
+ 0,
+ &pkcs11_id_read,
+ &base64
+ )
+ ) {
+ msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0
failed");
+ goto cleanup;
+ }
+ if (
+ (rv =
pkcs11h_certificate_deserializeCertificateId (
+ &certificate_id,
+ pkcs11_id_read
+ )) != CKR_OK
+ ) {
+ msg (M_WARN, "PKCS#11: Cannot deserialize auto id
%ld-'%s'", rv,
+ pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
+ } else {
+ if (
+ (rv =
pkcs11h_certificate_deserializeCertificateId (
+ &certificate_id,
+ pkcs11_id
+ )) != CKR_OK
+ ) {
+ msg (M_WARN, "PKCS#11: Cannot deserialize id
%ld-'%s'", rv,
+ pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
}
}
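Review bot: the "auto" branch leaks the two strings it asks for: pkcs11_id_read and base64 are filled in by pkcs11_management_id_get and nothing in this hunk frees them, neither after the successful pkcs11h_certificate_deserializeCertificateId call nor on the two `goto cleanup` paths inside the branch, and base64 is requested but never read at all. Suggest freeing both (for example right after the deserialize call, and before each `goto cleanup` in the branch) or, if the function permits it, not requesting the base64 form in the first place. Two smaller points on the same hunk: the deserialize block is now duplicated verbatim in both branches, so picking the id into a single variable (`pkcs11_id_read` for "auto", `pkcs11_id` otherwise) and running one deserialize call would halve the change; and since auto-selection silently binds to whatever certificate sits at index 0, a log line such as `msg (M_INFO, "PKCS#11: auto-selected id '%s'", pkcs11_id_read);` would let operators verify which credential was chosen, which also addresses the warning-about-risk point raised in the review above. The man page entry for `--pkcs11-id auto` is still missing from the patch.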