From: Justin M. Forbes <jforbes@xxxxxxxxxxxxxxxxx>
Revert "Merge branch 'drop_engine_api' into 'os-build'"
This reverts merge request !3223
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index blahblah..blahblah 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -21,6 +21,7 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -121,8 +122,28 @@ int main(int argc, char **argv)
fclose(f);
exit(0);
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
- fprintf(stderr, "Error: pkcs11 not implemented\n");
- exit(1);
+ ENGINE *e;
+ struct {
+ const char *cert_id;
+ X509 *cert;
+ } parms;
+
+ parms.cert_id = cert_src;
+ parms.cert = NULL;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors();
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors();
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+ ERR(!parms.cert, "Get X.509 from PKCS#11");
+ write_cert(parms.cert);
} else {
BIO *b;
X509 *x509;
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index blahblah..blahblah 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -27,6 +27,7 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -98,6 +99,16 @@ static void display_openssl_errors(int l)
}
}
+static void drain_openssl_errors(void)
+{
+ const char *file;
+ int line;
+
+ if (ERR_peek_error() == 0)
+ return;
+ while (ERR_get_error_line(&file, &line)) {}
+}
+
#define ERR(cond, fmt, ...) \
do { \
bool __cond = (cond); \
@@ -133,8 +144,22 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
EVP_PKEY *private_key;
if (!strncmp(private_key_name, "pkcs11:", 7)) {
- fprintf(stderr, "Error: pkcs11 not implemented\n");
- exit(1);
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors();
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors();
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
+ "Set PKCS#11 PIN");
+ private_key = ENGINE_load_private_key(e, private_key_name,
+ NULL, NULL);
+ ERR(!private_key, "%s", private_key_name);
} else {
BIO *b;
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3409
--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
