This patch allows one to specify --pkcs11-id auto to automatically
select the first certificate on a pkcs11 device. This simplifies
scripts and usage in environments where clients may only use a single
certificate for connecting to a VPN.
Based on a patch by Oliver Dumschat-Hötte.

Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
 src/openvpn/pkcs11.c |   41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
                }
        }
        else {
-               if (
-                       (rv = pkcs11h_certificate_deserializeCertificateId (
-                               &certificate_id,
-                               pkcs11_id
-                       )) != CKR_OK
-               ) {
-                       msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", 
rv, pkcs11h_getMessage (rv));
-                       goto cleanup;
+               if ( strcmp(pkcs11_id, "auto") == 0 ) {
+                       char *pkcs11_id_read = NULL;
+                       char *base64 = NULL;
+                       if ( !pkcs11_management_id_get(
+                              0,
+                              &pkcs11_id_read,
+                              &base64
+                          )
+                       ) {
+                               msg (M_WARN, "PKCS#11: pkcs11_management_id_get 
0 failed");
+                               goto cleanup;
+                       }
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id_read
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize auto 
id %ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
+               } else {
+                       if (
+                               (rv = 
pkcs11h_certificate_deserializeCertificateId (
+                                       &certificate_id,
+                                       pkcs11_id
+                               )) != CKR_OK
+                       ) {
+                               msg (M_WARN, "PKCS#11: Cannot deserialize id 
%ld-'%s'", rv,
+                                    pkcs11h_getMessage (rv));
+                               goto cleanup;
+                       }
                }
        }
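Review bot: The two strings handed back through `pkcs11_id_read` and `base64` in the new `auto` branch are never released; pkcs11_management_id_get appears to allocate both (its existing callers free them), so every auto-selected connection leaks them, on the success path and again via `goto cleanup` when deserialization fails. `base64` is requested only to satisfy the helper's signature and is otherwise unused, which is worth a comment. The auto branch also duplicates the whole deserialize/warn/cleanup sequence of the non-auto branch; selecting the id first and deserializing once keeps a single error path and lets both buffers be freed before the `rv != CKR_OK` check. tls_ctx_use_pkcs11 starts before and ends after this hunk, so the `cleanup` label and `rv`/`certificate_id` declarations are not visible here.
```c
	else {
		const char *id_to_use = pkcs11_id;
		char *pkcs11_id_read = NULL;
		char *base64 = NULL;	/* unused here; required by the helper's signature */
		if (strcmp(pkcs11_id, "auto") == 0) {
			/* "auto" picks whichever certificate the token enumerates first */
			if (!pkcs11_management_id_get(0, &pkcs11_id_read, &base64)) {
				msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 failed");
				goto cleanup;
			}
			id_to_use = pkcs11_id_read;
		}
		rv = pkcs11h_certificate_deserializeCertificateId (&certificate_id, id_to_use);
		/* release before the error check so the goto path does not leak */
		free(pkcs11_id_read);
		free(base64);
		if (rv != CKR_OK) {
			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
			goto cleanup;
		}
	}
	/* … unchanged: remainder of tls_ctx_use_pkcs11 … */
```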

-- 
1.7.9.5

