Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs
authorDavid Woodhouse <David.Woodhouse@intel.com>
Wed, 11 Jul 2012 16:58:32 +0000 (17:58 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Wed, 11 Jul 2012 16:58:40 +0000 (17:58 +0100)
Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
gnutls.c
www/changelog.xml

index 1d21dcd..37e2ff4 100644 (file)
--- a/gnutls.c
+++ b/gnutls.c
@@ -923,25 +923,25 @@ static int load_certificate(struct openconnect_info *vpninfo)
                /* Add appropriate pin-source and object-type attributes to
                   both certificate and key URLs, unless they already exist. */
                if (cert_is_p11 &&
-                   !p11_kit_uri_parse(cert_url, P11_KIT_URI_FOR_OBJECT, uri)) {
+                   !p11_kit_uri_parse(cert_url, P11_KIT_URI_FOR_ANY, uri)) {
                        if (!p11_kit_uri_get_pin_source(uri))
                                p11_kit_uri_set_pin_source(uri, pin_source);
                        if (!p11_kit_uri_get_attribute(uri, CKA_CLASS)) {
                                class = CKO_CERTIFICATE;
                                p11_kit_uri_set_attribute(uri, &attr);
                        }
-                       p11_kit_uri_format(uri, P11_KIT_URI_FOR_OBJECT, &cert_url);
+                       p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &cert_url);
                }
 
                if (key_is_p11 &&
-                   !p11_kit_uri_parse(key_url, P11_KIT_URI_FOR_OBJECT, uri)) {
+                   !p11_kit_uri_parse(key_url, P11_KIT_URI_FOR_ANY, uri)) {
                        if (!p11_kit_uri_get_pin_source(uri))
                                p11_kit_uri_set_pin_source(uri, pin_source);
                        if (!p11_kit_uri_get_attribute(uri, CKA_CLASS)) {
                                class = CKO_PRIVATE_KEY;
                                p11_kit_uri_set_attribute(uri, &attr);
                        }
-                       p11_kit_uri_format(uri, P11_KIT_URI_FOR_OBJECT, &key_url);
+                       p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &key_url);
                }
 
                p11_kit_uri_free(uri);
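Review bot: The return value of `p11_kit_uri_format()` is still discarded at both call sites (the `cert_url` block and the `key_url` block), so a formatting failure goes unnoticed and load_certificate carries on with a URL that presumably lacks the pin-source and CKA_CLASS attributes just set on `uri`. Because the formatted string now also carries the token attributes that the commit message says are needed to find the key, a silent failure here would be hard to diagnose; check it, e.g. `if (p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &cert_url) != P11_KIT_URI_OK) { /* report and leave via the function's existing error path */ }`, and likewise for `key_url`. The `p11_kit_uri_set_attribute()` calls are unchecked in the same way. The function's error handling and the ownership of the strings that `cert_url` and `key_url` pointed to before being overwritten are outside the hunk, so confirm the old values are not leaked.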
index 78febca..e73e78d 100644 (file)
@@ -17,6 +17,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Fix PKCS#11 URI handling to preserve all attributes.</li>
        <li>Don't forget key password on GUI reconnect.</li>
        <li>Fix GnuTLS v3 build on OpenBSD.</li>
      </ul><br/>