From: Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx> Revert "Merge branch 'drop_engine_api' into 'os-build'" This reverts merge request !3223
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index blahblah..blahblah 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -21,6 +21,7 @@
 #include <openssl/bio.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 /*
 * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -121,8 +122,28 @@ int main(int argc, char **argv)
 fclose(f);
 exit(0);
 } else if (!strncmp(cert_src, "pkcs11:", 7)) {
- fprintf(stderr, "Error: pkcs11 not implemented\n");
- exit(1);
+ ENGINE *e;
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } parms;
+
+ parms.cert_id = cert_src;
+ parms.cert = NULL;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors();
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors();
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+ ERR(!parms.cert, "Get X.509 from PKCS#11");
+ write_cert(parms.cert);
 } else {
 BIO *b;
 X509 *x509;
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index blahblah..blahblah 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -27,6 +27,7 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
+#include <openssl/engine.h>
 /*
 * OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -98,6 +99,16 @@ static void display_openssl_errors(int l)
 }
 }
+static void drain_openssl_errors(void)
+{
+ const char *file;
+ int line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ while (ERR_get_error_line(&file, &line)) {}
+}
+
 #define ERR(cond, fmt, ...) \
 do { \
 bool __cond = (cond); \
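Review bot: The pkcs11 branch of main() in certs/extract-cert.c now depends on the ENGINE API with no compile-time guard, and the pkcs11 branch of read_private_key() in scripts/sign-file.c has the same dependency. The context comment in both files says OpenSSL 3.0 deprecates ENGINE, and a libcrypto built without engine support would presumably fail to compile these calls. Wrapping the `#include <openssl/engine.h>` and each branch body in `#ifndef OPENSSL_NO_ENGINE`, with the removed `fprintf(stderr, "Error: pkcs11 not implemented\n"); exit(1);` as the `#else` arm, would keep both tools building on either configuration. main() starts and ends outside the hunk.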
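Review bot: drain_openssl_errors() in scripts/sign-file.c declares `file` and `line` only to satisfy ERR_get_error_line(), never reads them, and ERR_get_error_line() is itself deprecated in OpenSSL 3.0. Because the function only discards the queue, its body can be reduced to `ERR_clear_error();`, or to `while (ERR_get_error()) {}` if the loop form is preferred; the ERR_peek_error() early return is then unnecessary. A short comment saying that the queue is emptied on purpose after ENGINE_load_builtin_engines() and a successful ENGINE_init() would help, since silently dropping crypto errors otherwise looks like a mistake.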
@@ -133,8 +144,22 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 EVP_PKEY *private_key;
 if (!strncmp(private_key_name, "pkcs11:", 7)) {
- fprintf(stderr, "Error: pkcs11 not implemented\n");
- exit(1);
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors();
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors();
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
+ "Set PKCS#11 PIN");
+ private_key = ENGINE_load_private_key(e, private_key_name,
+ NULL, NULL);
+ ERR(!private_key, "%s", private_key_name);
 } else {
 BIO *b;
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3409 -- _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
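Review bot: `ERR(!private_key, "%s", private_key_name);` in the pkcs11 branch of read_private_key() puts the whole PKCS#11 URI into the error message when the key cannot be loaded. RFC 7512 allows a URI to carry a `pin-value` attribute, so a caller who embeds the PIN there instead of supplying it through key_pass would presumably see it written to the build log on failure. A fixed message in the style of the neighbouring checks, `ERR(!private_key, "Load PKCS#11 private key");`, or a comment stating that the URI must not contain a PIN, would avoid that. The function body continues outside the hunk.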