This patch allows one to specify --pkcs11-id auto to automatically select the first certificate on a pkcs11 device. This simplifies scripts and usage in environments where clients may only use a single certificate for connecting to a VPN. Based on a patch by Oliver Dumschat-Hötte.
Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
 src/openvpn/pkcs11.c | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
 }
 }
 else {
- if (
- (rv = pkcs11h_certificate_deserializeCertificateId (
- &certificate_id,
- pkcs11_id
- )) != CKR_OK
- ) {
- msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
- goto cleanup;
+ if ( strcmp(pkcs11_id, "auto") == 0 ) {
+ char *pkcs11_id_read = NULL;
+ char *base64 = NULL;
+ if ( !pkcs11_management_id_get(
+ 0,
+ &pkcs11_id_read,
+ &base64
+ )
+ ) {
+ msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 failed");
+ goto cleanup;
+ }
+ if (
+ (rv = pkcs11h_certificate_deserializeCertificateId (
+ &certificate_id,
+ pkcs11_id_read
+ )) != CKR_OK
+ ) {
+ msg (M_WARN, "PKCS#11: Cannot deserialize auto id %ld-'%s'", rv,
+ pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
+ } else {
+ if (
+ (rv = pkcs11h_certificate_deserializeCertificateId (
+ &certificate_id,
+ pkcs11_id
+ )) != CKR_OK
+ ) {
+ msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv,
+ pkcs11h_getMessage (rv));
+ goto cleanup;
+ }
 }
 }
-- 
1.7.9.5
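Review bot: `pkcs11_id_read` and `base64` are never freed in the new `auto` branch — not after the successful `pkcs11h_certificate_deserializeCertificateId` call and not on the two `goto cleanup` paths, which jump to a label outside the hunk that cannot see these block-scoped locals — so, assuming `pkcs11_management_id_get` hands back heap-allocated strings the caller owns, every `--pkcs11-id auto` startup leaks both, and `base64` is requested only to be discarded. The `else` branch also repeats the deserialize-and-warn block almost verbatim for the literal id; resolving `auto` to an id string first and then running one shared deserialize call removes the duplication and gives a single place to release the strings before any `goto`. Because index 0 is simply whatever the token enumerates first, logging the id that `auto` resolved to (`msg (M_INFO, "PKCS#11: auto selected id '%s'", id_to_use);`) would let operators confirm which identity was actually used when a token carries more than one certificate. The enclosing tls_ctx_use_pkcs11 body and its cleanup label lie outside the hunk.
```c
	else {
		char *pkcs11_id_read = NULL;
		char *base64 = NULL;
		const char *id_to_use = pkcs11_id;

		if (strcmp(pkcs11_id, "auto") == 0) {
			if (!pkcs11_management_id_get(0, &pkcs11_id_read, &base64)) {
				msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 failed");
				free (pkcs11_id_read);
				free (base64);
				goto cleanup;
			}
			id_to_use = pkcs11_id_read;
			/* index 0 is whatever the token enumerates first; record the choice */
			msg (M_INFO, "PKCS#11: auto selected id '%s'", id_to_use);
		}

		rv = pkcs11h_certificate_deserializeCertificateId (&certificate_id, id_to_use);
		/* the strings are only needed for the deserialize call; release them before any goto */
		free (pkcs11_id_read);
		free (base64);
		if (rv != CKR_OK) {
			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv,
				pkcs11h_getMessage (rv));
			goto cleanup;
		}
	}
```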