From: Stanislav L. <no...@gi...> - 2019-10-04 16:48:27
Branch: refs/heads/master
Home:   https://github.com/OpenSC/libp11
Commit: 10295b7eb531aef1a9f7e990d5f2527c420b3b72
        https://github.com/OpenSC/libp11/commit/10295b7eb531aef1a9f7e990d5f2527c420b3b72
Author: Stanislav Levin <sl...@al...>
Date:   2019-10-04 (Fri, 04 Oct 2019)

Changed paths:
  M src/eng_parse.c
  M tests/rsa-evp-sign.softhsm

Log Message:
-----------
Add support for pin-source within PKCS11 URI

According to https://tools.ietf.org/html/rfc7512#page-9:

"""
2.4. PKCS #11 URI Scheme Query Attribute Semantics

An application can always ask for a PIN by any means it decides to. What is more, in order not to limit PKCS #11 URI portability, the "pin-source" attribute value format and interpretation is left to be implementation specific. However, the following rules SHOULD be followed in descending order for the value of the "pin-source" attribute:

o If the value represents a URI, it SHOULD be treated as an object containing the PIN. Such a URI may be "file:", "https:", another PKCS #11 URI, or something else.

o If the value contains "|<absolute-command-path>", the implementation SHOULD read the PIN from the output of an application specified with absolute path "<absolute-command-path>". Note that character "|" representing a pipe does not have to be percent-encoded in the query component of a PKCS #11 URI.

o Interpret the value as needed in an implementation-dependent way.
"""

This patch is based on: https://github.com/OpenSC/libp11/pull/236, but implements only the first clause of the RFC, since the second one is considered dangerous.

For example, such functionality is required by FreeIPA (Bind + OpenDNSSEC).

Fixes: https://github.com/OpenSC/libp11/issues/273

Co-authored-by: Ortigali Bazarov <ort...@gm...>
Signed-off-by: Stanislav Levin <sl...@al...>
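An added example in C (not libp11's code) of the pin-source handling this commit describes: it extracts the attribute from the query component of a PKCS #11 URI and resolves only the first RFC 7512 clause, reading the PIN from a file: URI, while the "|<absolute-command-path>" form is refused rather than executed, even when the pipe arrives percent-encoded. The function names, the /tmp path, the sample PIN and the URIs are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>
/* Percent-decode n bytes of s into out; RFC 7512 leaves "|" and "/" unescaped in the query. */
static int pct_decode(const char *s, size_t n, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (o + 1 >= outlen) return -1;
        if (s[i] != '%') { out[o++] = s[i]; continue; }
        unsigned v;
        if (i + 2 >= n || sscanf(s + i + 1, "%2x", &v) != 1) return -1;
        out[o++] = (char)v; i += 2;
    }
    out[o] = '\0'; return 0;
}

/* Pull the pin-source attribute out of the query component of a PKCS #11 URI.
 * Returns 1 if found (decoded into out), 0 if absent, -1 if malformed. */
int pkcs11_uri_pin_source(const char *uri, char *out, size_t outlen) {
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    const char *q = strchr(uri, '?');
    if (!q) return 0;
    for (q++; *q; q += strcspn(q, "&"), q += (*q == '&')) {
        size_t len = strcspn(q, "&");
        if (len > 11 && strncmp(q, "pin-source=", 11) == 0)
            return pct_decode(q + 11, len - 11, out, outlen) == 0 ? 1 : -1;
    }
    return 0;
}

/* Resolve a pin-source value as the commit does: only the first RFC 7512 clause,
 * reading the PIN from a "file:" URI (no authority part supported). The second
 * clause, "|<absolute-command-path>", is refused and never executed.
 * Returns 1 on success, 0 if refused or unsupported, -1 if the file is unreadable. */
int resolve_pin_source(const char *src, char *pin, size_t pinlen) {
    if (src[0] == '|' || strncmp(src, "file:", 5) != 0) return 0;
    const char *path = src + 5;
    if (strncmp(path, "//", 2) == 0) path += 2;     /* file:///x and file:/x -> /x */
    FILE *f = fopen(path, "r");
    if (!f || !fgets(pin, (int)pinlen, f)) { if (f) fclose(f); return -1; }
    fclose(f);
    pin[strcspn(pin, "\r\n")] = '\0';                 /* drop the trailing newline */
    return 1;
}

/* Constructed sample input: write a PIN file so the example runs offline. */
int write_sample_pin_file(const char *path, const char *pin) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%s\n", pin); return fclose(f);
}
```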