[RFE] Continue searching other PKCS#11 tokens if certificates are not found #5905

Open
dpward opened this issue Dec 5, 2021 · 3 comments · May be fixed by #7817

dpward commented Dec 5, 2021

p11_child handles (pre-)authentication in two steps. In the first step, it locates a PKCS#11 token that could contain certificates for authentication. In the second step, it checks if there are actually valid, usable certificate(s) on it.

During both steps, filtering is performed based on arguments given to p11_child. If a mismatch occurs during the first step, it simply skips the module/slot/token and goes on to the next one. However, if a mismatch occurs in the second step, this is considered a failure; it does not return to the first step to see if a different token contains the right certificates (or to wait for it, if --wait_for_card is given).

To address this, the code needs to be refactored so that the certificate search happens inside the loop that searches/waits for tokens.
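
The control-flow difference described in this issue, as an added example that is not SSSD or p11_child code. It is a simplified model with no real PKCS#11 calls; `struct token`, the function names and the sample data are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a PKCS#11 token; not SSSD's data structures. */
struct token {
    const char *label;     /* token label seen in the slot */
    int present;           /* 1 if a token is inserted in the slot */
    const char *certs[4];  /* certificate subjects, NULL-terminated */
};

/* Step 1 filter: slot holds a token that matches the optional label filter. */
static int token_matches(const struct token *t, const char *label_filter) {
    return t->present &&
           (label_filter == NULL || strcmp(t->label, label_filter) == 0);
}

/* Step 2 filter: token holds a certificate with the wanted subject. */
static int has_usable_cert(const struct token *t, const char *subject) {
    for (size_t i = 0; i < 4 && t->certs[i] != NULL; i++)
        if (strcmp(t->certs[i], subject) == 0) return 1;
    return 0;
}

/* Behaviour described in the issue: settle on the first matching token,
 * then search it; a miss in step 2 is a failure. Returns index or -1. */
int find_two_step(const struct token *toks, size_t n,
                  const char *label_filter, const char *subject) {
    for (size_t i = 0; i < n; i++)
        if (token_matches(&toks[i], label_filter))
            return has_usable_cert(&toks[i], subject) ? (int)i : -1;
    return -1;
}

/* Requested refactor: the certificate search runs inside the token loop,
 * so a token without the right certificate is skipped like any mismatch. */
int find_in_loop(const struct token *toks, size_t n,
                 const char *label_filter, const char *subject) {
    for (size_t i = 0; i < n; i++)
        if (token_matches(&toks[i], label_filter) &&
            has_usable_cert(&toks[i], subject))
            return (int)i;
    return -1;
}

/* Constructed sample: an empty slot, a token with an unrelated
 * certificate, and the token that holds the wanted certificate. */
const struct token SAMPLE[] = {
    { "empty",        0, { NULL } },
    { "signing-card", 1, { "CN=code signing", NULL } },
    { "login-card",   1, { "CN=alice", NULL } },
};
```

With this sample, the two-step search stops at `signing-card` and fails, while the in-loop search reaches `login-card`.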

@alexey-tikhonov alexey-tikhonov changed the title Continue searching other PKCS#11 tokens if certificates are not found [RFE] Continue searching other PKCS#11 tokens if certificates are not found Dec 13, 2021
@alexey-tikhonov

(split off from #5025)

lo1ol commented Jan 16, 2025

Hi! We faced the same problem. I gather that you lack the time to implement this. If we implement it for you, will this MR have a chance of being merged?

We can implement retrieving all certs on all tokens, and suggest that the user choose the label of the proper one. Would that be OK with you?

@sumit-bose

Hi,

it would be very welcome if you can provide a patch to iterate over all slots and tokens. Please note that SSSD can already handle multiple certificates and prompt the user if more than one passes the mapping and matching rules. So you only have to add the iteration.

Thanks.

bye,
Sumit

georgij-sudo added a commit to georgij-sudo/sssd that referenced this issue Jan 27, 2025
Explanation: Will do later lol

Resolves: SSSD#5905
georgij-sudo added a commit to georgij-sudo/sssd that referenced this issue Jan 28, 2025
Explanation: Will do later lol

Resolves: SSSD#5905
georgij-sudo added a commit to georgij-sudo/sssd that referenced this issue Jan 29, 2025
georgij-sudo added a commit to georgij-sudo/sssd that referenced this issue Jan 30, 2025
georgij-sudo added a commit to georgij-sudo/sssd that referenced this issue Feb 3, 2025