>>>>> "Samuel" == Samuel Henrique <samuel...@debian.org> writes:

    Samuel> This seems to be the biggest threat to the GnuTLS switch so
    Samuel> far.
    Samuel> In the meantime, if any of you could provide an easy
    Samuel> reproducer, it would save us a bit of time.

So, for example with a yubikey with the PIV application configured, I
can log into vault using the following code on bookworm:

    curl_args = []
    if args.insecure:
        curl_args.append('-k')
    curl_args.extend(['-E', args.pkcs11_url, '--key-type', 'eng'])
    curl_args.extend(['--request', 'POST'])
    if args.renew:
        url = 'v1/auth/token/renew-self'
        curl_args.extend(['--header', f'x-vault-token: {args.renew}'])
    else:
        url = 'v1/auth/cert/login'
    # sh has a bug where fd 0 is never considered a tty because 0 is falsy so we dup fd 0
    result = sh.curl(*curl_args, f'{args.vault}{url}', _err=2, _in=os.dup(0))

Where args.pkcs11_url is initialized to

    parser.add_argument('--pkcs11-url', '--pkcs11-uri',
                        default = "pkcs11:manufacturer=piv_II",