
ssh-agent pkcs11 uri to select certificate

Çağlar Arlı

I have two hardware tokens (Thales/SafeNet eToken 5110cc) that both contain certificates for various uses.

I'd like to add only one specific certificate to ssh-agent; however, I'm struggling to find the correct PKCS#11 URI (described in RFC 7512).

For test purposes both tokens use the same PIN code, because on every attempt where the PIN codes differ, the token for which the PIN is incorrect increments its retry counter, eventually locking itself.

(I'm using ssh-add through p11-kit-proxy.so for now, as I've not been able to use the PKCS#11 URI directly; not sure if that matters.)

Here are the devices/certificates available:

$ p11tool --list-all-certs
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar

I've tried various simple filters such as 'token' and 'serial', as well as the whole path, and also escaping the ';', to no avail:

$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo

All certificates end up being added to ssh-agent:

$ ssh-add -L
ssh-rsa AAAAB3<snip> foo
ssh-rsa AAAAC5<snip> bar

Is this because of the use of p11-kit-proxy, or something else I've missed?
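As an added example (not from the question's author), a small Python helper that applies the RFC 7512 matching rules to the three token URIs listed above, so a candidate URI can be checked for which tokens it actually selects before it is handed to any tool; it uses the p11tool listing as constructed sample input. Two caveats worth knowing: a URI containing ';' must be single-quoted on a shell command line or the shell splits it into separate commands, and upstream OpenSSH's ssh-add -s takes only a provider library path and adds every key that provider exposes, ignoring any further URI argument.

```python
from urllib.parse import unquote

# Constructed sample input: the three tokens shown by `p11tool --list-all-certs`
# in the question above.
TOKENS = [
    "pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust",
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo",
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar",
]


def _split_attrs(component, sep):
    """Split 'name=value<sep>name=value' into a dict, percent-decoding values."""
    attrs = {}
    for part in filter(None, component.split(sep)):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute {part!r}")
        attrs[name] = unquote(value)
    return attrs


def parse_pkcs11_uri(uri):
    """Parse an RFC 7512 URI into (path_attrs, query_attrs).

    The path component (token, serial, model, object, id, ...) is ';'-separated;
    the optional query component (pin-source, module-path, ...) is '&'-separated.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return _split_attrs(path, ";"), _split_attrs(query, "&")


def uri_matches(selector, candidate):
    """RFC 7512 matching: every path attribute present in the selector must be
    equal in the candidate; attributes absent from the selector act as wildcards."""
    wanted, _ = parse_pkcs11_uri(selector)
    have, _ = parse_pkcs11_uri(candidate)
    return all(have.get(name) == value for name, value in wanted.items())


def select_tokens(selector, tokens=TOKENS):
    """Return the token URIs that the selector URI would pick out."""
    return [t for t in tokens if uri_matches(selector, t)]


if __name__ == "__main__":
    for sel in ("pkcs11:token=foo", "pkcs11:model=ID%20Prime%20MD", "pkcs11:"):
        print(sel, "->", [parse_pkcs11_uri(t)[0]["token"] for t in select_tokens(sel)])
```

Running it shows that a bare `pkcs11:` (or a URI the tool never sees) matches every token, while `pkcs11:token=foo` or the full serial narrows the selection to one.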