pkcs11: handle query in URI (and pin-value specifically)
When PIN for pkcs#11 object is given as URL variable (pkcs11:token=TOKEN;object=OBJECT?pin-value=PIN1), interesting things happen:
- URI is accepted as-is
- with no PIN set in 802-1x.private-key-password property, NM tries to pass both nevertheless:

Sep 03 09:29:07 localhost.localdomain wpa_supplicant[57039]: private_key - hexdump(len=63): 70 6b 63 73 31 31 3a 74 6f 6b 65 6e 3d 74 65 73 74 2d 74 6f 6b 65 6e 3b 6f 62 6a 65 63 74 3d 63 6c 69 65 6e 74 3f 70 69 6e 2d 76 61 6c 75 65 3d 31 32 33 34 3f 70 69 6e 2d 76 61 6c 75 65 3d

which translates to
pkcs11:token=test-token;object=client?pin-value=1234?pin-value=
I'd expect two clean approaches: either prohibit giving PIN in pkcs11 URI, or handle when it is given, choose if it has priority over private-key-password or vice versa, and append only one.
Additionally, if query part of URI is used for real-world HSMs/smartcards, NM should respect it and add pin-value as another variable, e.g.:
802-1x.private-key pkcs11:token=T;object=0?super_important_var=some_value
802-1x.private-key-password 1234
should be passed to wpa_supplicant as
pkcs11:token=T;object=0?super_important_var=some_value&pin-value=1234
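One way to compose the URI so that exactly one pin-value reaches the supplicant, as an added example in C that is not NetworkManager's code. The function names and the policy (a pin-value already in the URI wins over the password, an empty password appends nothing, the PIN is percent-encoded) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the query string (text after '?') has a pin-value attribute. */
static int query_has_pin_value(const char *query)
{
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, "pin-value=", 10) == 0)
            return 1;
        p = strchr(p, '&');      /* query attributes are '&'-separated */
        if (p)
            p++;
    }
    return 0;
}

/* Hypothetical helper: writes the URI to pass on into out.
 * Returns 0 on success, -1 if out is too small (out is then unusable). */
int pkcs11_uri_with_pin(const char *uri, const char *pin, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    static const char unreserved[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "abcdefghijklmnopqrstuvwxyz0123456789-._~";
    const char *query = strchr(uri, '?');
    size_t n = strlen(uri);

    if (n + 1 > outlen)
        return -1;
    memcpy(out, uri, n + 1);
    /* Assumed policy: no password, or PIN already in the URI -> pass as-is. */
    if (!pin || !*pin || (query && query_has_pin_value(query + 1)))
        return 0;
    /* '?' opens the query; '&' joins it to attributes already present. */
    const char *sep = !query ? "?" : (query[1] ? "&" : "");
    int w = snprintf(out + n, outlen - n, "%spin-value=", sep);
    if (w < 0 || (size_t) w >= outlen - n)
        return -1;
    n += (size_t) w;
    for (; *pin; pin++) {
        unsigned char c = (unsigned char) *pin;
        if (n + 4 > outlen)      /* room for "%XX" plus the terminator */
            return -1;
        if (strchr(unreserved, c)) {
            out[n++] = (char) c;
        } else {                 /* so '&' or '?' in a PIN cannot split the query */
            out[n++] = '%'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15];
        }
    }
    out[n] = '\0';
    return 0;
}
```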