PKCS#11 URI query attribute parsing broken #142
Comments
|
@dwmw2 What do you think? |
|
Hmm... I for one see no problem with this: and don't see why it should stop working. |
|
We don't have to (and probably we should not) detect invalid URIs. We just need to accept valid ones. Accepting "?" and "&" as alternative separators besides ";" should do the job. |
|
Makes perfect sense, thank you! |
|
By this point I'm quite keen on ditching my own implementation of the parser altogether, and just using libp11-kit instead... |
|
Sorry for too late comment. I think it's was not a good decicion to accept ";?&" as common seporators. The problem may become when pk11-pattr attributes contains "&" inside values. For example, take a "pkcs11:token=token&serial=12345678?pin-value=1234567" URI.
So, what do your think about changing your parser to the right RFC version in future? |
|
I still think we should ditch it and use the p11-kit one. In fact since OpenSSL has deprecated ENGINEs entirely, I think there's a lot of scope for building a new OpenSSL 'provider' around p11-kit directly. |
According to the grammar on page 5 of RFC 7512, the
p11-valueattribute is a query attribute, not a path attribute.These are correct:
This is not (well, technically it might be considered a vendor specific attribute...):
Therefore, the URI parser should look for it in the query part. Moreover, it should preferrably reject it in the path, as unlike the path part of the URI it's potentially sensitive information and applications may be assuming that it's okay to handle the path as non-sensitive (e.g. print it into log files). Not sure how feasible would that be though, since it will probably break user configurations.
The text was updated successfully, but these errors were encountered: