This patch allows `--pkcs11-id auto` to be specified so that the first certificate found on a PKCS#11 device is selected automatically. This simplifies scripts and usage in environments where clients only hold a single certificate for connecting to a VPN. Based on a patch by Oliver Dumschat-Hötte.
Reported-by: Oliver Dumschat-Hötte <o.dumsc...@trisinus.de>
Signed-off-by: Chris J Arges <chris.j.ar...@canonical.com>
---
 doc/openvpn.8 | 7 +++++++
 src/openvpn/pkcs11.c | 41 +++++++++++++++++++++++++++++++++--------
 2 files changed, 40 insertions(+), 8 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 829bbd2..84e38dd 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4228,6 +4228,13 @@ Specify the serialized certificate id to be used. The id can be gotten by the
 standalone
 .B \-\-show-pkcs11-ids
 option.
+If
+.B name
+is specified as the string
+.B 'auto'
+, then certificate id 0 will be used. This
+is useful in single user cases; however, care should be taken to ensure the correct
+certificate is selected.
 .\"*********************************************************
 .TP
 .B \-\-pkcs11-id-management
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index 3a15ef6..11d5e8f 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -669,14 +669,39 @@ tls_ctx_use_pkcs11 (
 		}
 	}
 	else {
-		if (
-			(rv = pkcs11h_certificate_deserializeCertificateId (
-				&certificate_id,
-				pkcs11_id
-			)) != CKR_OK
-		) {
-			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
-			goto cleanup;
+		if ( strcmp(pkcs11_id, "auto") == 0 ) {
+			char *pkcs11_id_read = NULL;
+			char *base64 = NULL;
+			if ( !pkcs11_management_id_get(
+				0,
+				&pkcs11_id_read,
+				&base64
+				)
+			) {
+				msg (M_WARN, "PKCS#11: pkcs11_management_id_get 0 failed");
+				goto cleanup;
+			}
+			if (
+				(rv = pkcs11h_certificate_deserializeCertificateId (
+					&certificate_id,
+					pkcs11_id_read
+				)) != CKR_OK
+			) {
+				msg (M_WARN, "PKCS#11: Cannot deserialize auto id %ld-'%s'", rv,
+					pkcs11h_getMessage (rv));
+				goto cleanup;
+			}
+		} else {
+			if (
+				(rv = pkcs11h_certificate_deserializeCertificateId (
+					&certificate_id,
+					pkcs11_id
+				)) != CKR_OK
+			) {
+				msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv,
+					pkcs11h_getMessage (rv));
+				goto cleanup;
+			}
 		}
 	}
--
1.7.9.5
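Review bot: The two strings the new `auto` branch receives from `pkcs11_management_id_get()`, `pkcs11_id_read` and `base64`, are never released — neither after the successful deserialize nor on the `goto cleanup` path — so, if they are heap-allocated and owned by the caller as the separate `base64` out-parameter suggests (I cannot see that function here), every `--pkcs11-id auto` start leaks both. The branch also silently takes whatever pkcs11-helper enumerates at index 0; on a token holding several certificates that order is not a stable identity, so the selected id should be logged at `M_INFO` to make the choice auditable, and the opaque `pkcs11_management_id_get 0 failed` warning would be more useful as `PKCS#11: --pkcs11-id auto: no certificate found on token`. Finally, the `auto` and explicit paths duplicate the deserialize call and its error handling; resolving the id string first and deserializing once removes the duplication and gives a single place to free. `tls_ctx_use_pkcs11` starts and ends outside the hunk, including the `cleanup` label these paths jump to, which does not know about these two strings.

```c
	else {
		char *pkcs11_id_read = NULL;
		char *base64 = NULL;
		const char *id_to_use = pkcs11_id;

		if (strcmp(pkcs11_id, "auto") == 0) {
			/* Take the first certificate pkcs11-helper enumerates and log it,
			 * so the operator can verify which one was actually chosen. */
			if (!pkcs11_management_id_get(0, &pkcs11_id_read, &base64)) {
				msg (M_WARN, "PKCS#11: --pkcs11-id auto: no certificate found on token");
				goto cleanup;
			}
			msg (M_INFO, "PKCS#11: --pkcs11-id auto selected certificate id '%s'", pkcs11_id_read);
			id_to_use = pkcs11_id_read;
		}

		rv = pkcs11h_certificate_deserializeCertificateId (&certificate_id, id_to_use);
		/* Release the strings pkcs11_management_id_get() handed back on every path
		 * (free(NULL) is a no-op for the explicit-id case); use whatever deallocator
		 * its other callers use if it is not plain free(). */
		free(pkcs11_id_read);
		free(base64);
		if (rv != CKR_OK) {
			msg (M_WARN, "PKCS#11: Cannot deserialize id %ld-'%s'", rv, pkcs11h_getMessage (rv));
			goto cleanup;
		}
	}
```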