ssh-agent pkcs11 uri to select certificate

petrus at gozmail.bzh
Sat Jan 15 03:02:33 AEDT 2022


Hello,


I have two hardware tokens (Thales/Safenet eToken 5110cc) that both 
contain certificates for various uses. They obviously use the same 
driver, libeToken.so (version 10.7.77). I have no issues using one of 
them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.

However, I have to keep both tokens connected and I need to add only one 
specific certificate to ssh-agent. For test purposes both tokens use the 
same PIN code, as with every try, if the PIN codes are different, the 
token for which it is incorrect will increment its attempt counter, thus 
ending up locking it. If the two PIN codes are different the selection 
will be based on the available certificates with that PIN, so that kinda 
works until one of the two tokens is locked.

From what I've read, p11-kit seems to be the piece of software that was 
missing to glue various middlewares to 'consumer' software like ssh.

So, here are my two certificates:

     $ p11tool --list-all-certs
     pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
     pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar

From what I've read, this syntax should be correct:

     $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'

Or even

     $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so pkcs11:serial=1234567890ABCDEF

(I'm using ssh-add through p11-kit-proxy.so for now as I've not been 
able to directly use the pkcs11 uri - not sure if that matters).

But the pkcs11 uri does not seem to be used and all certificates end up 
being added to ssh-agent:

     $ ssh-add -L
     ssh-rsa AAAAB3<snip> foo
     ssh-rsa AAAAC5<snip> bar

Is this because of the use of p11-kit-proxy, or something else I've 
missed? If there is another method than p11-kit to achieve this I'm also 
interested!

thanks,
pierre

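As an added illustration (not part of the post, and not OpenSSH or p11-kit code), the following parses a PKCS#11 URI as defined in RFC 7512 and applies its matching rule to the two tokens from the post, so one can check which token a given URI is supposed to select; whether ssh-add applies such a filter is the open question above. Token attribute values are the constructed ones from the p11tool output.

```python
from urllib.parse import unquote

# Constructed sample tokens mirroring the two listed by p11tool in the post.
TOKENS = [
    {"model": "ID Prime MD", "manufacturer": "Gemalto",
     "serial": "1234567890ABCDEF", "token": "foo"},
    {"model": "ID Prime MD", "manufacturer": "Gemalto",
     "serial": "ABCDEF1234567890", "token": "bar"},
]

# Token-level path attributes that RFC 7512 compares against a slot's token info.
TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path attributes, query attributes).

    Path attributes are ';'-separated, query attributes (e.g. pin-value,
    module-path) follow a '?' and are '&'-separated. Values are percent-decoded,
    so 'ID%20Prime%20MD' becomes 'ID Prime MD'.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    path_attrs, query_attrs = {}, {}
    for target, text, sep in ((path_attrs, path, ";"), (query_attrs, query, "&")):
        for part in filter(None, text.split(sep)):
            key, eq, value = part.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {part!r}")
            if key in target:
                raise ValueError(f"duplicate attribute: {key}")  # RFC 7512: at most once
            target[key] = unquote(value)
    return path_attrs, query_attrs


def token_matches(path_attrs, token):
    """RFC 7512 rule: every token attribute present in the URI must equal the token's.

    Attributes absent from the URI are wildcards, so 'pkcs11:serial=...' alone
    is a valid selector."""
    return all(path_attrs[k] == token.get(k) for k in TOKEN_ATTRS if k in path_attrs)


def select_tokens(uri, tokens=TOKENS):
    """Return the labels of the tokens a URI selects, in listing order."""
    path_attrs, _ = parse_pkcs11_uri(uri)
    return [t["token"] for t in tokens if token_matches(path_attrs, t)]
```

For the post's example, `select_tokens("pkcs11:serial=1234567890ABCDEF")` yields only `foo`, which is the single-token result the author expected ssh-add to honour.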
