69459a0ecf
The PKCS#11 standard does not make any guarantees about slot numbering, so the slot ID alone should not be used to identify a token. Instead, the token's Serial Number or Label should be used to ensure the correct token is being used.

This patch adds two new config options to the p11_crypto plugin: token_serial_number and token_label. These new options allow for more flexibility in configuring the PKCS#11 module. The config may include either the token's serial number or its label. Serial numbers should be unique, so they take higher precedence. Some devices allow tokens to have the same label, so this patch ensures that only one token with the specified label is present. If both serial number and label are given, only the serial number will be checked and an error will be raised if it is not found.

slot_id continues to work as expected, although its use is discouraged and may be deprecated in a future patch. If the conf contains only the slot_id, it will be used. If the serial number or label are also provided, the new logic will ignore the slot_id and search for the serial number or label instead.

Change-Id: I115cf1a7006a6c85f37c5e50ded13134a3dfd1a3
15 lines
765 B
YAML
---
features:
  - |
    Added two options for the PKCS#11 Crypto Plugin:
    `[p11_crypto_plugin]/token_serial_number` and
    `[p11_crypto_plugin]/token_label`. Both are optional and can be used
    instead of `[p11_crypto_plugin]/slot_id` to identify the Token to be
    used by the PKCS#11 plugin. When either one of the new options is defined
    the plugin will search all slots on the PKCS#11 device for a token that
    matches the given value. `token_serial_number` has the highest precedence
    and other values will be ignored when this value is set. If
    `token_serial_number` is not set, then `token_label` has
    the next highest precedence and `slot_id` will be ignored.
    `slot_id` will be used when neither one of the new options is set.
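The selection rules spelled out in the commit message and the release note (serial number first, then label with a uniqueness check, then the bare slot_id) are shown below as an added, self-contained example. It is not the p11_crypto plugin's own code: `TokenInfo`, `select_slot` and the sample token inventory are hypothetical, and the token metadata is modelled as plain Python objects rather than the `CK_TOKEN_INFO` structures a real PKCS#11 binding would return.

```python
"""Pick a PKCS#11 slot by token serial number, label or slot id.

Hypothetical illustration of the precedence rules described in the commit
message; not Barbican's p11_crypto implementation.
"""
from dataclasses import dataclass
from typing import List, Optional


class TokenSelectionError(Exception):
    """Raised when the configured token cannot be identified unambiguously."""


@dataclass(frozen=True)
class TokenInfo:
    """Constructed stand-in for the CK_TOKEN_INFO fields that matter here."""
    slot_id: int
    serial_number: str
    label: str


def _normalize(value: str) -> str:
    # CK_TOKEN_INFO strings are fixed-width, space-padded fields; a real
    # binding would decode and strip them. Strip here so padded values match.
    return value.strip()


def select_slot(tokens: List[TokenInfo],
                token_serial_number: Optional[str] = None,
                token_label: Optional[str] = None,
                slot_id: Optional[int] = None) -> int:
    """Return the slot ID of the token selected by the configuration.

    Precedence: token_serial_number > token_label > slot_id. A configured
    serial number makes label and slot_id irrelevant; a configured label
    makes slot_id irrelevant and must match exactly one token.
    """
    if token_serial_number is not None:
        wanted = _normalize(token_serial_number)
        matches = [t for t in tokens if _normalize(t.serial_number) == wanted]
        if not matches:
            # Label and slot_id are deliberately not consulted as a fallback.
            raise TokenSelectionError(
                f"no token with serial number {wanted!r} found")
        return matches[0].slot_id

    if token_label is not None:
        wanted = _normalize(token_label)
        matches = [t for t in tokens if _normalize(t.label) == wanted]
        if not matches:
            raise TokenSelectionError(f"no token with label {wanted!r} found")
        if len(matches) > 1:
            # Some devices allow duplicate labels; refusing beats guessing.
            raise TokenSelectionError(
                f"{len(matches)} tokens carry label {wanted!r}; "
                "configure token_serial_number instead")
        return matches[0].slot_id

    if slot_id is not None:
        # Legacy behaviour: trust the configured slot number as given.
        return slot_id

    raise TokenSelectionError(
        "one of token_serial_number, token_label or slot_id must be set")


# Constructed sample inventory: slot numbers are arbitrary, and two tokens
# share a label once padding is stripped, the case a label cannot resolve.
SAMPLE_TOKENS = [
    TokenInfo(slot_id=3, serial_number="0001ABCD", label="barbican"),
    TokenInfo(slot_id=7, serial_number="0002ABCD", label="backup  "),
    TokenInfo(slot_id=9, serial_number="0003ABCD", label="backup"),
]


if __name__ == "__main__":
    print(select_slot(SAMPLE_TOKENS, token_serial_number="0002ABCD"))
    print(select_slot(SAMPLE_TOKENS, token_label="barbican", slot_id=99))
    try:
        select_slot(SAMPLE_TOKENS, token_label="backup")
    except TokenSelectionError as exc:
        print("rejected:", exc)
```

Running the module shows the serial-number lookup returning slot 7 regardless of where the token was enumerated, the label lookup returning slot 3 while the configured `slot_id=99` is ignored, and the ambiguous label `backup` being rejected rather than resolved to whichever slot happened to come first.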