From: Alon Bar-L. <alo...@gm...> - 2013-07-31 07:18:42
Hi,

Slot id is not fixed in PKCS#11 to allow plug and play.
What I suggest is using token serial number instead for consistent behavior.

Alon

On Wed, Jul 31, 2013 at 9:35 AM, <op...@se...> wrote:
>
> Douglas, Anthony, thank you very much for your enlightening replies.
> My name is Umberto Rustichelli (aka Ubi).
> For the moment, I'm going to try a quick-and-dirty hack in engine_pkcs11.c
> (version is 0.1.5, I know it's old but I'm tied to that by a number of
> dependencies in an old environment), see more lines later.
> Then, I'd like to do something about libp11 but it's not smart to work on
> old code... also: I don't want to break applications that rely on the fact
> that the array index is used
>
>> Greetings.
>>
>> (Note, I find it a bit easier to reply if there's a human name there
>> somewhere. :)
>>
>> On Tue, Jul 30, 2013 at 9:49 AM, <op...@se...> wrote:
>>> The point is that the slot ID (as numbered by the PKCS#11 driver) has
>>> nothing to do with the index of the slots array generated by libp11,
>>> only accidentally they match when [...]
>>> Now, I suspect that the original intention is to put the slot ID, not
>>> the slot array index [...]
>
>> A patch would be interesting, especially if it is obvious that any
>> large number is intended as slot id, not array index -- that could
>> minimize compatibility headaches.
>
> In functions pkcs11_load_key and pkcs11_load_cert I plan to insert this
> code (not compiled yet, some errors may occur):
>
> // Ubi: 20130730: now convert the slot_nr, which is a slot ID for me,
> // into the slot array index, which is what the code here expects
> #if 1
> if (slot_nr >= 0)
> {
>     int slotapos; // position in array
>     unsigned long curr_slot_ID;
>     int found;
>     found = 0;
>     for (slotapos = 0; slotapos < count; slotapos++)
>     {
>         curr_slot_ID = slot_list[slotapos]->priv->id;
>         if (curr_slot_ID == slot_nr)
>         {
>             slot_nr = slotapos;
>             found = 1;
>             break;
>         }
>     }
>     if (!found)
>     {
>         fprintf(stderr, "Ubi: slot ID %d to idx failed\n", slot_nr);
>         PKCS11_release_all_slots(ctx, slot_list, count);
>         return NULL;
>     }
>     else
>     {
>         fprintf(stderr,
>             "Ubi: performed conversion slot ID to idx %d\n", slot_nr);
>     }
> }
> #endif
>
> just before the existing part that rejects the slot ID:
>
> if (slot_nr == -1) {
>     if (!(slot = PKCS11_find_token(ctx, slot_list, count)))
>         fail("didn't find any tokens\n");
> } else if (slot_nr >= 0 && slot_nr < count)
>     slot = slot_list + slot_nr;
> else {
>     fprintf(stderr, "Invalid slot number: %d\n", slot_nr);
>     PKCS11_release_all_slots(ctx, slot_list, count);
>     return NULL;
> }
>
>> [...] If you can use a token label, does that work for your cases?
>> libp11 allows access via "label_...." if I remember correctly.
>
> I think the label is for the key label only, not for the slot label.
>
>> Failing that, can you enumerate the slots via libp11 and get a
>> (presumably valid) handle that way?
>
> I can, but I rely on engine_pkcs11 so I will first change the code there.
> In my opinion, libp11 should provide functions that work on the array
> index, for backward compatibility, but also expose the slot ID in the
> first place.
> Putting together pkcs11_load_key and pkcs11_load_cert is not a bad idea,
> too, they have so much code in common...
>
> Bye
>
> Ubi
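
The selection-by-serial-number approach suggested at the top of this message, as an added example (not code from libp11, engine_pkcs11 or anyone in this thread). `struct demo_slot`, `mk_slot` and `find_slot_by_serial` are hypothetical stand-ins for an enumerated slot list, and the serial values are constructed; the lookup fails closed when the serial is absent or claimed by two tokens.

```c
#include <stdio.h>
#include <string.h>
#define SERIAL_LEN 16  /* CK_TOKEN_INFO.serialNumber: 16 bytes, blank padded, no NUL */

struct demo_slot {             /* hypothetical stand-in, not a libp11 type */
    unsigned long slot_id;     /* driver-assigned, may change on replug */
    int token_present;
    char serial[SERIAL_LEN];   /* raw padded field */
};

/* Build a constructed sample slot, blank-padding the serial as a driver would. */
struct demo_slot mk_slot(unsigned long id, int present, const char *serial)
{
    struct demo_slot s = { id, present, "" };
    size_t n = strlen(serial);
    memset(s.serial, ' ', SERIAL_LEN);
    memcpy(s.serial, serial, n < SERIAL_LEN ? n : SERIAL_LEN);
    return s;
}

/* Exact match of a raw padded field against a NUL-terminated serial. */
static int serial_matches(const char *raw, const char *want)
{
    size_t n = strlen(want), i;
    if (n == 0 || n > SERIAL_LEN || memcmp(raw, want, n) != 0)
        return 0;
    for (i = n; i < SERIAL_LEN; i++)
        if (raw[i] != ' ') return 0;   /* a prefix of a longer serial is not a match */
    return 1;
}

/* Array index of the single token with this serial; -1 if absent, -2 if ambiguous. */
int find_slot_by_serial(const struct demo_slot *slots, int count, const char *want)
{
    int i, found = -1;
    for (i = 0; i < count; i++) {
        if (!slots[i].token_present || !serial_matches(slots[i].serial, want))
            continue;
        if (found >= 0)
            return -2;                 /* two tokens claim the serial: refuse to guess */
        found = i;
    }
    return found;
}

int main(void)
{
    struct demo_slot s[3];             /* constructed: slot IDs renumbered after a replug */
    s[0] = mk_slot(4, 0, "");
    s[1] = mk_slot(7, 1, "A1B2C3D4E5");
    s[2] = mk_slot(9, 1, "A1B2C3D4");
    printf("index %d\n", find_slot_by_serial(s, 3, "A1B2C3D4"));
    return 0;
}
```

The result is still an array index, so it can feed the existing `slot = slot_list + slot_nr` path without depending on either the driver's slot numbering or enumeration order.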