I disagree. First certificate tells you nothing, usually you have several (signing, authentication, decryption). First is random, and random is bad. After a while the old certificates also expire and you have new ones added to the card. It would not be wise to enforce your card scheme on others.
If you want you can implement a logic that selects a certificate based on X.509 name template and/or enhanced key usage mask. This would have some benefit. For example, you make sure you would not use your legal signature certificate for authentication based on the clientAuthentication EKU.

Alon.

On Sun, Feb 28, 2010 at 11:59 PM, David Sommerseth <openvpn.l...@topphemmelig.net> wrote:
> From: Oliver Dumschat-Hötte <necro...@users.sourceforge.net>
>
> When using smartcards, you have to supply the (not very handy) pkcs11-id in
> the config file or through the management interface.
> Normally, there is only one smartcard at one time in use, so it is ok to
> automatically set the first appearing smartcard id as pkcs11-id.
> This patch adds the handling for this behavior by adding the keyword 'auto'
> for the pkcs11-id.
>
> sf.net tracker:
> <https://sourceforge.net/tracker/?func=detail&aid=2747189&group_id=48978&atid=454721>
>
> Signed-off-by: David Sommerseth <d...@users.sourceforge.net>
> ---
> options.c | 1 +
> pkcs11.c | 82 +++++++++++++++++++++++++++++-------------------------------
> 2 files changed, 41 insertions(+), 42 deletions(-)
>
> diff --git a/options.c b/options.c > index c5ca8b6..5f40c15 100644 > --- a/options.c > +++ b/options.c > @@ -564,6 +564,7 @@ static const char usage_message[] = > " cache until token is removed.\n" > "--pkcs11-id-management : Acquire identity from management > interface.\n" > "--pkcs11-id serialized-id 'id' : Identity to use, get using standalone > --show-pkcs11-ids\n" > + " set to 'auto' to use the first > available id\n" > #endif /* ENABLE_PKCS11 */ > "\n" > "SSL Library information:\n" > diff --git a/pkcs11.c b/pkcs11.c > index e06a2ed..9f0ea87 100644 > --- a/pkcs11.c > +++ b/pkcs11.c
> @@ -628,52 +628,50 @@ SSL_CTX_use_pkcs11 ( > pkcs11_id > ); > > - if (pkcs11_id_management) { > - struct user_pass id_resp; > - > - CLEAR (id_resp); > - > - id_resp.defined = false; > - id_resp.nocache = true; > - openvpn_snprintf ( > - id_resp.username, > - sizeof (id_resp.username), > - "Please specify PKCS#11 id to use" > - ); > - > - if ( > - !get_user_pass ( > - &id_resp, > - NULL, > - "pkcs11-id-request", > - > GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL > - ) > - ) { > - goto cleanup; > - } > - > - if ( > - (rv = pkcs11h_certificate_deserializeCertificateId ( > - &certificate_id, > - id_resp.password > - )) != CKR_OK > - ) { > + if (!strcmp(pkcs11_id, "auto")) { > + char *smartcardid; > + char *base64 = NULL; > + pkcs11_management_id_get(0, &smartcardid, &base64); > + rv = pkcs11h_certificate_deserializeCertificateId > (&certificate_id, smartcardid); > + } > + if (rv != CKR_OK) { > + if (pkcs11_id_management) { > + struct user_pass id_resp; > + > + CLEAR (id_resp); > + > + id_resp.defined = false; > + id_resp.nocache = true; > + openvpn_snprintf ( > + id_resp.username, > + sizeof (id_resp.username), > + "Please specify PKCS#11 id to use" > + ); > + > + if ( > + !get_user_pass ( > + &id_resp, > + NULL, > + "pkcs11-id-request", > + > GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_STR|GET_USER_PASS_NOFATAL > + ) > + ) { > + goto cleanup; > + } > + rv = pkcs11h_certificate_deserializeCertificateId ( > + &certificate_id, > + id_resp.password > + ); > + } else > + rv = pkcs11h_certificate_deserializeCertificateId ( > + &certificate_id, > + pkcs11_id); > + if ( rv != CKR_OK ) > + { > msg (M_WARN, "PKCS#11: Cannot deserialize id > %ld-'%s'", rv, pkcs11h_getMessage (rv)); > goto cleanup; > } > } > - else { > - if ( > - (rv = pkcs11h_certificate_deserializeCertificateId ( > - &certificate_id, > - pkcs11_id > - )) != CKR_OK > - ) { > - msg (M_WARN, "PKCS#11: Cannot deserialize id > %ld-'%s'", rv, pkcs11h_getMessage (rv)); > - goto cleanup; > - 
} > - } > - > if ( > (rv = pkcs11h_certificate_create ( > certificate_id, > -- > 1.6.6.1 > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
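Review bot: the new usage line in the options.c hunk, `set to 'auto' to use the first available id`, leaves "first" undefined; the pkcs11.c hunk takes index 0 from pkcs11_management_id_get(), i.e. whatever pkcs11-helper enumerates first, which depends on provider load order and on which certificates the token currently holds, so the help text should say the choice is enumeration-order dependent and that it may change when certificates are added or renewed. Only options.c and pkcs11.c appear in the diffstat, so the man page entry for --pkcs11-id also needs the 'auto' keyword documented.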
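Review bot: in the pkcs11.c hunk, `if (!strcmp(pkcs11_id, "auto"))` dereferences pkcs11_id before anything else, whereas the replaced code only read pkcs11_id in the non-management branch; with --pkcs11-id-management and no --pkcs11-id that is a NULL pointer passed to strcmp, so guard it with `pkcs11_id != NULL &&` or test pkcs11_id_management first as before. The return value of `pkcs11_management_id_get(0, &smartcardid, &base64)` is ignored, so on failure smartcardid is handed to pkcs11h_certificate_deserializeCertificateId uninitialised, and neither smartcardid nor base64 is released anywhere in the hunk. The fallback `if (rv != CKR_OK)` also relies on rv's value from before the hunk when pkcs11_id is not 'auto': if rv is CKR_OK at that point, both the management prompt and the plain pkcs11_id deserialization are skipped and certificate_id is never set, so the non-auto path should not be gated on rv (an explicit `else` chain, or a separate flag for "auto tried and failed", keeps the old behaviour intact). Minor: the `} else` branch drops the braces the `if` branch uses.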
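Alon's suggestion above, selecting by X.509 name template and EKU mask instead of by position, as an added example in Go that is not code from the patch or from OpenVPN: selectCert, hasEKU and sampleCard are names chosen here, and sampleCard holds constructed x509.Certificate values standing in for the certificates a token would enumerate.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// hasEKU reports whether the certificate's extended key usage extension lists u.
func hasEKU(c *x509.Certificate, u x509.ExtKeyUsage) bool {
	for _, h := range c.ExtKeyUsage {
		if h == u {
			return true
		}
	}
	return false
}

// selectCert returns the first cert whose CN equals wantCN ("" = any) and whose EKU lists all of wantEKU, else nil.
func selectCert(certs []*x509.Certificate, wantCN string, wantEKU ...x509.ExtKeyUsage) *x509.Certificate {
next:
	for _, c := range certs {
		if wantCN != "" && c.Subject.CommonName != wantCN {
			continue
		}
		for _, u := range wantEKU {
			if !hasEKU(c, u) {
				continue next // position on the card is irrelevant; the EKU mask decides
			}
		}
		return c
	}
	return nil
}

// sampleCard is constructed sample data in token enumeration order; the signature cert comes first.
func sampleCard() []*x509.Certificate {
	return []*x509.Certificate{
		{Subject: pkix.Name{CommonName: "Alice (signature)"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}},
		{Subject: pkix.Name{CommonName: "Alice (authentication)"},
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}},
	}
}

func main() {
	c := selectCert(sampleCard(), "", x509.ExtKeyUsageClientAuth)
	fmt.Println("picked:", c.Subject.CommonName) // Alice (authentication), not the first cert
}
```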