Migrate serialization format to standard PKCS#11 URIs compliant with RFC7512 #4
Conversation
dwmw2
force-pushed
the
master
branch
3 times, most recently
from
21a7ad1
to
b0787e8
Compare
|
Updated push: helps if I NUL-terminate the serialised strings. |
|
I am unsure what is the cutoff between these two patches, can you please explain? |
|
I think this should address the feedback. I've made incremental commits for easy of review but obviously we can collapse this into the original commit(s) before merging if that's preferred. I've made it use _pkcs11h_util_hexToBinary() as you suggest, for which I had to stop that function requiring that the string be NUL-terminated after the length it was asked to parse. Which was simple enough; there was only one other caller and I just made sure it checked for itself. The loop parsing URI attributes no longer contains I've cleaned up the code parsing the legacy token/certificate IDs to be more symmetric with the URI parsing instead of duplicating the return paths. I think you were asking why we keep I've made a table of the token ID fields which can now be used in three places — the parsing code, and twice during the serialization, which (following the lead of the existing code) was processing the fields twice: once for calculating the length of the string required, and again for actually generating the string. I've cleaned up some of the other code paths and duplication in the latter too. I've prefixed static symbols with __ although I'm a little confused about that request. These really are static symbols within the C unit, not functions which are visible to other C units within the library, but intended to be private to the library. My understanding is that even if you're building without a decent linker that has visibility controls and symbols maps, a symbol which is declared as 'static' within a C file is really not going to be seen elsewhere. So you can call it absolutely anything you like... with the caveat that you should not use symbols starting with two underscores, because those are reserved for the system. But OK :) I've defined URI_SCHEME and used it instead of the bare "pkcs11:" where appropriate. |
|
Now that the PKCS#11 URI format has been published as RFC7512 it would be very good to get this merged... should I collapse the above fixes into the original commits and resubmit? After this length of time there doesn't seem much point in keeping them incremental any more... |
dwmw2
changed the title
|
The pkcs11: URI format is a standard (RFC7512) since this April. It would be nice if pkcs11-helper would support that format. |
|
Updated patch with minor fix from https://bugzilla.redhat.com/show_bug.cgi?id=1264645 |
|
Ping. It would be really good to get this merged... |
|
Hi, On 23 August 2016 at 16:47, dwmw2 notifications@github.com wrote:
|
|
It could be massively simplified if it were to just use libp11-kit for the URI parsing. Other than that, I'm not sure how it could be simpler. |
|
Hi, RFC7512 is now two years old. Could this patch (or any equivalent patch) be merged into pkcs11-helper ? Best regards, -- Emmanuel Deloget |
|
Updated with bug fix from https://bugzilla.redhat.com/show_bug.cgi?id=1516474 |
|
Can we get this crap merged finally so openvpn actualy works with smartcards properly via NetworkManager? Thanks. |
|
Any updates on this one? |
|
As I wrote, this patch is way to complex to achieve the desired task, and is partial as it supports only full pkcs11 url which as far as I understand is the opposite of reaching portability between applications that support the notation. I also got reports that the windows version of openvpn in which this patch is applied is failing to parse urls. I am unsure how it is that important to network manager and am unsure why the openvpn management interface cannot be used to detect the available ids and apply id as opaque. And I keep reminding people that at daemon context openvpn should not have access to user's devices anyway, and the proper solution is to remove the entire pkcs11 support from the daemon and make sure the management interface is capable of delegating all private key operation to the user interface program, however, it seems like the openvpn project is on freeze. |
We are going to want to use this for parsing %XX hex escapes in RFC7512 PKCS#11 URIs, where we cannot expect a trailing NUL. Since there's only one existing caller at the moment, it's simple just to let the caller have responsibility for that check. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
… IDs The old format is still accepted for compatibility. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
|
Updated with fix for https://bugzilla.redhat.com/show_bug.cgi?id=1825496
I'm not quite sure how it could be simpler. I suppose it could take a library like
That doesn't seem to make much sense to me; can you explain what you mean? It will output the full URI when serialising, when listing all available objects. But obviously accepts only a partial URI (i.e. not redundantly specifying all attributes) when identifying an object. In that respect, it behaves like everything else does, and should.
A specific bug report would be very much appreciated, if there is misbehaviour.
There is work on displaying the available objects through a UI (like in Seahorse) and that widget will emit the RFC7512 ID identifying the chosen object. For that, we need to be using the standard.
Yeah, it should do proxying from something in the user's session. But that's slightly orthogonal to the fact that we want to use a standard form to identify PKCS#11 objects. |
|
OpenVPN uses an out-of-date patch set which is bound to fail when maxing out certain token attribute entries, 16-byte serials being the most common case. This was my first problem as well, then something else cropped up. Sadly neither seems to have made it in time for OpenVPN 2.4.9 release. |
|
Literally without this patch, things are broken. Fedora patches their stuff with this. I just bumped into this, can we somehow get this merged or get a clear path forward? |
|
The menioned problems with |
This migrates the serialization format to conform to the PKCS#11 URI scheme as described in RFC7512.
The old form is still recognised for compatibility, but standard PKCS#11 URIs are now generated and accepted. Testing with OpenVPN now gives me the following output:
... and the PKCS#11 URI thus generated is also usable with the
--pkcs11-idoption.