Currently the version of a key is only included in the id (CKA_ID), while the object (CKA_LABEL) is only set to the key name. So a URL like pkcs11:object=some-key would select multiple versions of the key, which seems to often confuse libraries like the OpenSSL Engine of libp11. It would be nice if there was some other attribute there that can allow selecting a key by using object and the key version (not sure how possible this is using the PKCS#11 interface), or maybe just adding the version to the object part, possibly with a config key. IDs are expected to be percent encoded in such URLs and have a 100 character limit in some libraries, which can be annoying.
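The ambiguity described in the issue, as an added example that is not part of the original report or of the library's code: a small PKCS#11 URI matcher run over constructed token objects. The CKA_ID layout, the object list and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Constructed token contents: two versions of one key. As the issue describes,
# CKA_LABEL holds only the key name and the version appears only in CKA_ID.
# The ID layout below is a made-up placeholder, not the library's real format.
TOKEN_OBJECTS = [
    {"CKA_LABEL": b"some-key", "CKA_ID": b"keys/some-key/versions/1"},
    {"CKA_LABEL": b"some-key", "CKA_ID": b"keys/some-key/versions/2"},
    {"CKA_LABEL": b"other-key", "CKA_ID": b"keys/other-key/versions/1"},
]

URI_ATTR_TO_CKA = {"object": "CKA_LABEL", "id": "CKA_ID"}


def parse_pkcs11_uri(uri):
    """Return {CKA_*: bytes} for the object/id path attributes of a pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11 URI")
    path = rest.split("?", 1)[0]  # query attributes (pin-source, ...) are ignored
    template = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in URI_ATTR_TO_CKA:
            template[URI_ATTR_TO_CKA[name]] = unquote_to_bytes(value)
    return template


def find_objects(uri, objects=TOKEN_OBJECTS):
    """Mimic C_FindObjects: return every object matching all template attributes."""
    template = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o[k] == v for k, v in template.items())]


def id_uri(cka_id):
    """Build a URI selecting by CKA_ID, percent-encoding every byte."""
    return "pkcs11:id=" + "".join(f"%{b:02X}" for b in cka_id)


if __name__ == "__main__":
    print(len(find_objects("pkcs11:object=some-key")))  # both versions match
    uri = id_uri(b"keys/some-key/versions/2")
    print(uri, len(uri), len(find_objects(uri)))  # one match, 3x-length id
```

Selecting by object alone returns every version, while the id form is unambiguous but triples the length of the identifier once each byte is percent-encoded.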