Branch: refs/heads/master
Home: https://github.com/OpenSC/libp11
Commit: 10295b7eb531aef1a9f7e990d5f2527c420b3b72
https://github.com/OpenSC/libp11/commit/10295b7eb531aef1a9f7e990d5f2527c420b3b72
Author: Stanislav Levin <sl...@al...>
Date: 2019-10-04 (Fri, 04 Oct 2019)
Changed paths:
M src/eng_parse.c
M tests/rsa-evp-sign.softhsm
Log Message:
-----------
Add support for pin-source within PKCS11 URI
According to https://tools.ietf.org/html/rfc7512#page-9:
"""
2.4. PKCS #11 URI Scheme Query Attribute Semantics
An application can always ask for a PIN by any means it decides to.
What is more, in order not to limit PKCS #11 URI portability, the
"pin-source" attribute value format and interpretation is left to be
implementation specific. However, the following rules SHOULD be
followed in descending order for the value of the "pin-source"
attribute:
o If the value represents a URI, it SHOULD be treated as an object
containing the PIN. Such a URI may be "file:", "https:", another
PKCS #11 URI, or something else.
o If the value contains "|<absolute-command-path>", the
implementation SHOULD read the PIN from the output of an
application specified with absolute path "<absolute-command-path>".
Note that character "|" representing a pipe does not have
to be percent-encoded in the query component of a PKCS #11 URI.
o Interpret the value as needed in an implementation-dependent way.
"""
This patch is based on:
https://github.com/OpenSC/libp11/pull/236,
but implements only the first clause of the RFC, since the second one
is considered dangerous.
For example, such functionality is required by FreeIPA
(Bind + OpenDNSSEC).
Fixes: https://github.com/OpenSC/libp11/issues/273
Co-authored-by: Ortigali Bazarov <ort...@gm...>
Signed-off-by: Stanislav Levin <sl...@al...>
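As an added illustration of the semantics the commit message describes (this is not libp11's own code; the real change is in src/eng_parse.c and is not shown on this page), the C example below extracts the pin-source query attribute from a PKCS #11 URI, reads the PIN from a "file:" URI, and refuses the "|<absolute-command-path>" form instead of executing it. It assumes that only local "file:" URIs are honoured, that the PIN is the first line of the file, and that percent-encoding may appear in the query; resolve_pin, get_pin_source, pct_decode and write_pin_file are names invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Percent-decode n bytes of src into dst (dst holds at least n+1 bytes). */
static void pct_decode(const char *src, size_t n, char *dst)
{
    static const char hx[] = "0123456789abcdef0123456789ABCDEF";
    for (size_t i = 0; i < n; i++, dst++) {
        const char *a = src[i] == '%' && i + 2 < n ? strchr(hx, src[i + 1]) : NULL;
        const char *b = a ? strchr(hx, src[i + 2]) : NULL;
        *dst = b ? (char)((((a - hx) & 15) << 4) | ((b - hx) & 15)) : src[i];
        i += b ? 2 : 0; /* skip the two hex digits just consumed */
    }
    *dst = '\0';
}

/* Copy the decoded pin-source query attribute into val; -1 if absent or too long. */
static int get_pin_source(const char *uri, char *val, size_t len)
{
    for (const char *q = strchr(uri, '?'); q; q = strchr(q, '&')) {
        size_t n = strcspn(++q, "&"); /* length of this attribute=value pair */
        if (n > 11 && strncmp(q, "pin-source=", 11) == 0 && n - 11 < len) {
            pct_decode(q + 11, n - 11, val); /* decoding never lengthens, so val fits */
            return 0;
        }
    }
    return -1;
}

/* The commit's behaviour: read a "file:" pin-source, refuse anything else (incl. "|<command>"). */
const char *resolve_pin(const char *uri)
{
    static char pin[64];
    char src[256];
    if (get_pin_source(uri, src, sizeof src) != 0 || strncmp(src, "file:", 5) != 0)
        return NULL;
    const char *path = src + 5 + (strncmp(src + 5, "//", 2) == 0 ? 2 : 0); /* file:///x -> /x */
    FILE *f = fopen(path, "r");
    char *got = f ? fgets(pin, sizeof pin, f) : NULL; /* first line only: the PIN */
    if (f) fclose(f);
    if (got) pin[strcspn(pin, "\r\n")] = '\0'; /* drop the trailing newline */
    return got ? pin : NULL;
}

/* Writes a constructed PIN file so the example runs offline (not libp11 code). */
int write_pin_file(const char *path, const char *pin)
{
    FILE *f = fopen(path, "w");
    return (f && fprintf(f, "%s\n", pin) > 0 && fclose(f) == 0) ? 0 : -1;
}
```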