From: Ayoub Zaki <ayoub.zaki@embetrix.com>
To: linux-kernel@vger.kernel.org
Cc: dhowells@redhat.com, dwmw2@infradead.org,
keyrings@vger.kernel.org, Ayoub Zaki <ayoub.zaki@embetrix.com>
Subject: [PATCH] sign-file,read_private_key_pkcs11: add pkcs11 provider PIN setting
Date: Fri, 21 Mar 2025 14:39:56 +0100 [thread overview]
Message-ID: <20250321133956.154597-1-ayoub.zaki@embetrix.com> (raw)
in the same way as for PKCS11_ENGINE, add PKCS#11 token PIN injection
for PKCS11_PROVIDER from key_pass environment variable if set.
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
---
scripts/sign-file.c | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 7070245edfc1..bdd26e438ff6 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -31,6 +31,7 @@
# define USE_PKCS11_PROVIDER
# include <openssl/provider.h>
# include <openssl/store.h>
+#include <openssl/ui.h>
#else
# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# define USE_PKCS11_ENGINE
@@ -107,19 +108,45 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
return pwlen;
}
+#ifdef USE_PKCS11_PROVIDER
+int ui_get_pin(UI *ui, UI_STRING *uis)
+{
+ const char *pin = (const char *)UI_get0_user_data(ui);
+
+ if (pin == NULL)
+ return -1;
+
+ int ret = UI_set_result(ui, uis, pin);
+
+ return (ret == 0) ? 1 : -1;
+}
+#endif
+
static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
{
EVP_PKEY *private_key = NULL;
#ifdef USE_PKCS11_PROVIDER
OSSL_STORE_CTX *store;
+ UI_METHOD *ui_method = NULL;
if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
if (!OSSL_PROVIDER_try_load(NULL, "default", true))
ERR(1, "OSSL_PROVIDER_try_load(default)");
-
- store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
- ERR(!store, "OSSL_STORE_open");
+ if (key_pass) {
+ ui_method = UI_create_method("PIN reader");
+ ERR(!ui_method, "UI_create_method");
+ if (UI_method_set_reader(ui_method, ui_get_pin) != 0)
+ ERR(1, "UI_method_set_reader");
+
+ store = OSSL_STORE_open_ex(private_key_name, NULL, NULL,
+ ui_method, (void *)key_pass,
+ NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open_ex");
+ } else {
+ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open");
+ }
while (!OSSL_STORE_eof(store)) {
OSSL_STORE_INFO *info = OSSL_STORE_load(store);
--
2.43.0
reply other threads:[~2025-03-21 13:41 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250321133956.154597-1-ayoub.zaki@embetrix.com \
--to=ayoub.zaki@embetrix.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).