From: <op...@se...> - 2013-07-31 06:29:54
Douglas, Anthony,

thank you very much for your enlightening replies.
My name is Umberto Rustichelli (aka Ubi).

For the moment, I'm going to try a quick-and-dirty hack in engine_pkcs11.c (version is 0.1.5, I know it's old but I'm tied to that by a number of dependencies in an old environment), see more lines later.
Then, I'd like to do something about libp11 but it's not smart to work on old code... also: I don't want to break applications that rely on the fact that the array index is used

> Greetings.
>
> (Note, I find it a bit easier to reply if there's a human name there
> somewhere. :)
>
> On Tue, Jul 30, 2013 at 9:49 AM, <op...@se...> wrote:
>> The point is that the slot ID (as numbered by the PKCS#11 driver) has
>> nothing to do with the index of the slots array generated by libp11,
>> only accidentally they match when [...]
>> Now, I suspect that the original intention is to put the slot ID, not
>> the slot array index [...]
> A patch would be interesting, especially if it is obvious that any
> large number is intended as slot id, not array index -- that could
> minimize compatibility headaches.

In functions pkcs11_load_key and pkcs11_load_cert I plan to insert this code (not compiled yet, some errors may occur):

    // Ubi: 20130730: now convert the slot_nr, which is a slot ID for me,
    // into the slot array index, which is what the code here expects
    #if 1
    if (slot_nr >= 0) {
        int slotapos; // position in array
        unsigned long curr_slot_ID;
        int found;

        found = 0;
        for (slotapos = 0; slotapos < count; slotapos++) {
            curr_slot_ID = slot_list[slotapos]->priv->id;
            if (curr_slot_ID == slot_nr) {
                slot_nr = slotapos;
                found = 1;
                break;
            }
        }
        if (!found) {
            fprintf(stderr, "Ubi: slot ID %d to idx failed\n", slot_nr);
            PKCS11_release_all_slots(ctx, slot_list, count);
            return NULL;
        } else {
            fprintf(stderr, "Ubi: performed conversion slot ID to idx %d\n", slot_nr);
        }
    }
    #endif

just before the existing part that rejects the slot ID:

    if (slot_nr == -1) {
        if (!(slot = PKCS11_find_token(ctx, slot_list, count)))
            fail("didn't find any tokens\n");
    } else if (slot_nr >= 0 && slot_nr < count)
        slot = slot_list + slot_nr;
    else {
        fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
        PKCS11_release_all_slots(ctx, slot_list, count);
        return NULL;
    }

> [...] If you can use a token label, does that work for your cases?
> libp11 allows access via "label_...." if I remember correctly.

I think the label is for the key label only, not for the slot label.

> Failing that, can you enumerate the slots via libp11 and get a
> (presumably valid) handle that way?

I can, but I rely on engine_pkcs11 so I will first change the code there.
In my opinion, libp11 should provide functions that work on the array index, for backward compatibility, but also expose the slot ID in the first place.
Putting together pkcs11_load_key and pkcs11_load_cert is not a bad idea, too, they have so much code in common...

Bye

Ubi
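
Added example, not part of the original message and not code from engine_pkcs11 or libp11: the slot-ID-to-index lookup discussed above, extended to the compatibility concern raised in the thread by falling back to the array index and refusing when the two readings would select different slots. `struct mock_slot`, `resolve_slot`, the `SLOT_*` constants and the sample ID lists are hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical stand-in for a slot entry; not libp11's real structure. */
struct mock_slot { unsigned long id; };

enum { SLOT_NONE = -1, SLOT_AMBIGUOUS = -2 };

/* Constructed sample slot lists (driver-assigned IDs, in array order). */
static const struct mock_slot sparse[]   = { {4}, {9}, {17} };
static const struct mock_slot permuted[] = { {1}, {0}, {7} };

/* Map a user-supplied slot number to an index into slots[0..count).
 * A slot-ID match wins; a bare array index is accepted only when no slot
 * has that ID. If the number is both a valid index and the ID of a
 * different slot, refuse instead of guessing which token was meant. */
int resolve_slot(const struct mock_slot *slots, int count, int slot_nr)
{
    int by_id = SLOT_NONE;
    int i;

    if (slot_nr < 0 || count <= 0)
        return SLOT_NONE;
    for (i = 0; i < count; i++) {
        if (slots[i].id == (unsigned long)slot_nr) {
            by_id = i;
            break;
        }
    }
    if (by_id == SLOT_NONE)   /* no such ID: legacy index, if in range */
        return slot_nr < count ? slot_nr : SLOT_NONE;
    if (slot_nr < count && by_id != slot_nr)
        return SLOT_AMBIGUOUS;
    return by_id;
}

int main(void)
{
    printf("sparse, 9   -> %d\n", resolve_slot(sparse, 3, 9));
    printf("sparse, 1   -> %d\n", resolve_slot(sparse, 3, 1));
    printf("sparse, 3   -> %d\n", resolve_slot(sparse, 3, 3));
    printf("permuted, 0 -> %d\n", resolve_slot(permuted, 3, 0));
    printf("permuted, 7 -> %d\n", resolve_slot(permuted, 3, 7));
    return 0;
}
```

Returning a distinct ambiguous result lets the caller fail closed with an explicit message instead of loading a key from a different token than the one the configuration meant.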