Improve URI management

[simo5]

Overhaul how URI are parsed.
Add missing attributes specified in RFC 7512
Print URIs instead of ID/Label in text encoders

[simo5]

@mouse07410 you may want to try this PR and execute:

openssl storeutl -keys -text pkcs11:

This way you will see exactly what URI the pkcs11-provider reconstruct from looking at keys.
You can use model/manufacturer/token/serial pkcs11 attributes to print only the keys of a specific token.

[simo5]

Note that although I added support for recognizing these additional pkcs11 URI attributes:

• library-description
• library-manufacturer
• library-version
• slot-description
• slot-id
• slot-manufacturer

At the moment they are ignored and can't be used to filter down keys.

I am on the fence on whether I should allow all them to be used.
I see nothing wrong in allowing it at least for the slot ones (except slot id ..).
It is a bit silly to do it for the library ones, but if it turns out to be easy I'll do that as well.
Neither slot or library attributes are use to print out URIs, they are uncommon and rarely useful attributes anyway.
Only Token and Object attributes are utilized to print object URIs.

[Jakuje]

lgtm.
Maybe notes regarding test coverage:

• the uri parsing functions would be grate candidate for some extensive unit tests
• can we have some automated tests with the openssl storeutl to check the reported uri as a whole is sensible?

[simo5]

Yeah, I will hold on merging until I have a test specific to URIs.
Just need to decide what should be tested, if you have ideas I would like to know.

[Jakuje]

I would go ahead with some corner cases, percent encoding, non-printable bytes when using the storeutil and grepping for the known parts of the uris in the outputs. No more specific thoughts.

[dengert]

Just need to decide what should be tested, if you have ideas I would like to know.

@Jakuje could @simo5 use the regress/unittests/pkcs11/tests.c you wrote in 2017 for OpenSSH as discussed in OpenSC:
OpenSC/OpenSC#2741 (comment) and I was trying to port your patch to OpenSSH current It has some 56 tests.

https://github.com/dengert/openssh-portable/blob/pkcs11-URI/regress/unittests/pkcs11/tests.c

[Jakuje]

Sure. Thats a good idea. I would not say it is complete coverage or it is perfect, but it can be certainly used as a start or at least for ideas for some weird uris I could think of back in that time.

[simo5]

We do not really have unit tests at this stage yet, mostly because the vast majority of the code requires a configured token to work at this time.

So I'll add some testing just to make sure the convesion back and forth works.

[dengert]

The OpenSSH and regress/unittests/pkcs11/tests.c does not test against a token. But there are a lot of tests of making URIs.
The tests are run as part of actions/workflow https://github.com/openssh/openssh-portable/blob/master/.github/workflows/c-cpp.yml

OpenSC sets up a virtual PIV token https://github.com/OpenSC/OpenSC/blob/master/.github/test-piv.sh
and virtual OpenPGP token. https://github.com/OpenSC/OpenSC/blob/master/.github/test-openpgp.sh
Could also use SoftHSM

@Jakuje is familiar with the OpenSC actions. I only look at them if something fails.

[simo5]

@Jakuje I did what I could using just openssl storeutl as a proxy to probe URIs.

Perhaps in future we'll be able to add more complete unit tests, but it looks fine for nopw, and this test will catch simple regressions.

[simo5]

I think I am happy with this the way it is for now