Skip to content

Add support for pin-source within PKCS11 URI#309

Merged
mtrojnar merged 1 commit intoOpenSC:masterfrom
stanislavlevin:pin_source
Oct 4, 2019
Merged

Add support for pin-source within PKCS11 URI#309
mtrojnar merged 1 commit intoOpenSC:masterfrom
stanislavlevin:pin_source

Conversation

@stanislavlevin
Copy link
Contributor

@stanislavlevin stanislavlevin commented Oct 2, 2019

According to https://tools.ietf.org/html/rfc7512#page-9:

2.4. PKCS 11 URI Scheme Query Attribute Semantics

An application can always ask for a PIN by any means it decides to.
What is more, in order not to limit PKCS 11 URI portability, the
"pin-source" attribute value format and interpretation is left to be
implementation specific. However, the following rules SHOULD be
followed in descending order for the value of the "pin-source"
attribute:

o If the value represents a URI, it SHOULD be treated as an object
containing the PIN. Such a URI may be "file:", "https:", another
PKCS 11 URI, or something else.

o If the value contains "|", the
implementation SHOULD read the PIN from the output of an
application specified with absolute path "". Note that character "|" representing a pipe does not have
to be percent-encoded in the query component of a PKCS 11 URI.

o Interpret the value as needed in an implementation-dependent way.

This patch is based on:
#236,
but implements only the first clause of RFC, since the second one
is considered as dangerous.

For example, such functionality is required by FreeIPA
(Bind + OpenDNSSEC).

Fixes: #273
Co-authored-by: Ortigali Bazarov ortigali.bazarov@gmail.com

@stanislavlevin
Add support for pin-source within PKCS11 URI
2fb62a5 
According to https://tools.ietf.org/html/rfc7512#page-9:

"""
2.4.  PKCS OpenSC#11 URI Scheme Query Attribute Semantics

   An application can always ask for a PIN by any means it decides to.
   What is more, in order not to limit PKCS OpenSC#11 URI portability, the
   "pin-source" attribute value format and interpretation is left to be
   implementation specific.  However, the following rules SHOULD be
   followed in descending order for the value of the "pin-source"
   attribute:

   o  If the value represents a URI, it SHOULD be treated as an object
      containing the PIN.  Such a URI may be "file:", "https:", another
      PKCS OpenSC#11 URI, or something else.

   o  If the value contains "|<absolute-command-path>", the
      implementation SHOULD read the PIN from the output of an
      application specified with absolute path "<absolute-command-
      path>".  Note that character "|" representing a pipe does not have
      to be percent-encoded in the query component of a PKCS OpenSC#11 URI.

   o  Interpret the value as needed in an implementation-dependent way.
"""

This patch is based on:
OpenSC#236,
but implements only the first clause of RFC, since the second one
is considered as dangerous.

For example, such functionality is required by FreeIPA
(Bind + OpenDNSSEC).

Fixes: OpenSC#273
Co-authored-by: Ortigali Bazarov <ortigali.bazarov@gmail.com>
Signed-off-by: Stanislav Levin <slev@altlinux.org>
@mtrojnar mtrojnar merged commit 10295b7 into OpenSC:master Oct 4, 2019
@mtrojnar mtrojnar mentioned this pull request Oct 4, 2019
Closed
@mouse07410 mouse07410 mentioned this pull request Oct 6, 2019
Closed
@keldonin keldonin mentioned this pull request Apr 6, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

pin-source is not handled in PKCS#11 URI

2 participants

@stanislavlevin @mtrojnar