Enable support for Rfc7512 token serial strings AND allow the old original token serial string scheme to be used #72
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
We are going to want to use this for parsing %XX hex escapes in RFC7512 PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only one existing caller at the moment, it's simple just to let the caller have responsibility for that check. Signed-off-by: David Woodhouse <[email protected]>
… IDs The old format is still accepted for compatibility. Signed-off-by: David Woodhouse <[email protected]>
Signed-off-by: David Woodhouse <[email protected]>
It's a limitation of the core pkcs11-helper token matching code that we need to specify *all* of model=, token=, manufacturer= and serial=. This was true of the legacy serialization format, so it isn't a regression. At least it *wouldn't* have been, if we it had distinguished between an *explicit* "model=" parameter, and the model not being specified at all. Thus https://bugzilla.redhat.com/show_bug.cgi?id=2298882 The requirement for all four token fields to be specified does mean that applications using pkcs11-helper aren't *quite* as versatile and user friendly as something which implements the full search algorithm shown in §8 of http://david.woodhou.se/draft-woodhouse-cert-best-practice.html by first searching for the specified certificate in all tokens without a login, then only logging into the token in which the *certificate* was found, to access the key. But that's OK, and something we can improve on later. It's not a barrier to using the RFC7512 URI format in place of the legacy serialization format.
…cy token serialization strings
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
By setting
PKCS11H_TOKEN_SERIALIZE_FORMAT=legacytoken serials are formatted and searched for using the original pkcs11-helper string values. If unset or set touriRFC7512 is used instead.This change allows me to build pkcs11-helper from source and still use my pre-existing gpg keys created on Centos etc after RFC5712 support was added to Redhat versions of the library.