barbican/doc
Douglas Mendizábal 601f5ec733 Use serial number or label for PKCS#11 tokens
The PKCS#11 standard does not make any guarantees about
slot numbering, so the slot ID alone should not be used
to identify a token.  Instead, the token's Serial Number
or Label should be used to ensure the correct token
is being used.

This patch adds two new config options to the p11_crypto
plugin: token_serial_number and token_label.

These new options allow for more flexibility in configuring
the PKCS#11 module.  The config may include either the token's
serial number or its label.

Serial numbers should be unique, so they take higher precedence.

Some devices allow tokens to have the same label, so this patch
ensures that only one token with the specified label is present.

If both serial number and label are given, only the serial number
will be checked and an error will be raised if it is not found.

slot_id continues to work as expected, although its use is discouraged
and may be deprecated in a future patch.  If the conf contains
only the slot_id, it will be used.  If the serial number or
label are also provided, the new logic will ignore the slot_id
and search for the serial number or label instead.

Change-Id: I115cf1a7006a6c85f37c5e50ded13134a3dfd1a3
(cherry picked from commit 69459a0ecf)
2020-10-30 16:21:41 +00:00
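The token selection rules described in the commit message, as an added Python example that is not Barbican's p11_crypto code: `TokenInfo`, `TokenLookupError`, `find_token_slot` and the sample inventory are assumptions standing in for the plugin's PKCS#11 slot and token enumeration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    slot_id: int
    label: str          # CK_TOKEN_INFO.label: 32 bytes, space-padded
    serial_number: str  # CK_TOKEN_INFO.serialNumber: 16 bytes, space-padded


class TokenLookupError(Exception):
    """Raised when the configured token cannot be uniquely identified."""


def find_token_slot(tokens, slot_id=None, token_serial_number=None,
                    token_label=None):
    """Return the slot ID selected by the config, following the commit's
    precedence: serial number, then label (must be unique), then slot_id."""
    if token_serial_number is not None:
        # Serial numbers are expected to be unique: first match wins, and a
        # configured label is not consulted at all.
        for tok in tokens:
            if tok.serial_number.strip() == token_serial_number.strip():
                return tok.slot_id
        raise TokenLookupError(
            f"Token with serial number {token_serial_number!r} not found")
    if token_label is not None:
        matches = [tok for tok in tokens
                   if tok.label.strip() == token_label.strip()]
        if not matches:
            raise TokenLookupError(f"Token with label {token_label!r} not found")
        if len(matches) > 1:
            # Some devices permit duplicate labels; refuse to guess.
            slots = [tok.slot_id for tok in matches]
            raise TokenLookupError(
                f"Multiple tokens with label {token_label!r} in slots {slots}")
        return matches[0].slot_id
    if slot_id is not None:
        # Legacy behaviour: trust the configured slot number as-is.
        return slot_id
    raise TokenLookupError("No slot_id, token_serial_number or token_label set")


# Constructed inventory standing in for a live slot enumeration.
SAMPLE_TOKENS = [
    TokenInfo(0, "barbican".ljust(32), "0001".ljust(16)),
    TokenInfo(1, "backup".ljust(32), "0002".ljust(16)),
    TokenInfo(2, "backup".ljust(32), "0003".ljust(16)),
]
```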