* [PATCH] sign-file: add generic engine key support
@ 2018-02-12 16:29 James Bottomley
0 siblings, 0 replies; 2+ messages in thread
From: James Bottomley @ 2018-02-12 16:29 UTC (permalink / raw)
To: keyrings
The current engine code only supports a non-standard pkcs11 engine
module. Add code to support any standard engine key module, but leave
the non-standard code alone because it would likely fail to function
with the correct UI_method of collecting the password.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
scripts/sign-file.c | 39 +++++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 49f1cf456254..de8d9bb5e657 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -28,6 +28,7 @@
#include <openssl/pem.h>
#include <openssl/err.h>
#include <openssl/engine.h>
+#include <openssl/conf.h>
/*
* Use CMS if we have openssl-1.0.0 or newer available - otherwise we have to
@@ -122,15 +123,29 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
return pwlen;
}
+static int ui_read(UI *ui, UI_STRING *uis)
+{
+ if (UI_get_string_type(uis) = UIT_PROMPT) {
+ char password[64];
+
+ pem_pw_cb(password, sizeof(password), 0, NULL);
+ UI_set_result(ui, uis, password);
+
+ return 1;
+ }
+ return 0;
+}
+
static EVP_PKEY *read_private_key(const char *private_key_name)
{
EVP_PKEY *private_key;
+ ENGINE_load_builtin_engines();
+ OPENSSL_config(NULL);
+ ERR_clear_error();
if (!strncmp(private_key_name, "pkcs11:", 7)) {
ENGINE *e;
- ENGINE_load_builtin_engines();
- ERR_clear_error();
e = ENGINE_by_id("pkcs11");
ERR(!e, "Load PKCS#11 ENGINE");
if (ENGINE_init(e))
@@ -145,11 +160,31 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
ERR(!private_key, "%s", private_key_name);
} else {
BIO *b;
+ ENGINE *e;
b = BIO_new_file(private_key_name, "rb");
ERR(!b, "%s", private_key_name);
private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
NULL);
+ for (e = ENGINE_get_first(); !private_key && e != NULL;
+ e = ENGINE_get_next(e)) {
+ UI_METHOD *ui;
+
+ if (!ENGINE_get_load_privkey_function(e))
+ continue;
+
+ ui = UI_create_method("sign-file");
+ if (!ui)
+ continue;
+
+ UI_method_set_reader(ui, ui_read);
+ private_key = ENGINE_load_private_key(e, private_key_name,
+ ui, NULL);
+ UI_destroy_method(ui);
+ if (private_key)
+ ERR_clear_error(); /* initial key read failed */
+ }
+
ERR(!private_key, "%s", private_key_name);
BIO_free(b);
}
--
2.12.3
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] sign-file: add generic engine key support
@ 2018-07-03 16:14 James Bottomley
0 siblings, 0 replies; 2+ messages in thread
From: James Bottomley @ 2018-07-03 16:14 UTC (permalink / raw)
To: keyrings
On Mon, 2018-02-12 at 08:29 -0800, James Bottomley wrote:
> The current engine code only supports a non-standard pkcs11 engine
> module. Add code to support any standard engine key module, but
> leave the non-standard code alone because it would likely fail to
> function with the correct UI_method of collecting the password.
Ping on this one also. I realise Red Hat uses the non standard token
interface, but I don't think I broke it and the rest of us use tokens
with standard engine interfaces, so we'd very much like this to be
included.
Thanks,
James
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com
> >
> ---
> scripts/sign-file.c | 39 +++++++++++++++++++++++++++++++++++++--
> 1 file changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 49f1cf456254..de8d9bb5e657 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -28,6 +28,7 @@
> #include <openssl/pem.h>
> #include <openssl/err.h>
> #include <openssl/engine.h>
> +#include <openssl/conf.h>
>
> /*
> * Use CMS if we have openssl-1.0.0 or newer available - otherwise
> we have to
> @@ -122,15 +123,29 @@ static int pem_pw_cb(char *buf, int len, int w,
> void *v)
> return pwlen;
> }
>
> +static int ui_read(UI *ui, UI_STRING *uis)
> +{
> + if (UI_get_string_type(uis) = UIT_PROMPT) {
> + char password[64];
> +
> + pem_pw_cb(password, sizeof(password), 0, NULL);
> + UI_set_result(ui, uis, password);
> +
> + return 1;
> + }
> + return 0;
> +}
> +
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
>
> + ENGINE_load_builtin_engines();
> + OPENSSL_config(NULL);
> + ERR_clear_error();
> if (!strncmp(private_key_name, "pkcs11:", 7)) {
> ENGINE *e;
>
> - ENGINE_load_builtin_engines();
> - ERR_clear_error();
> e = ENGINE_by_id("pkcs11");
> ERR(!e, "Load PKCS#11 ENGINE");
> if (ENGINE_init(e))
> @@ -145,11 +160,31 @@ static EVP_PKEY *read_private_key(const char
> *private_key_name)
> ERR(!private_key, "%s", private_key_name);
> } else {
> BIO *b;
> + ENGINE *e;
>
> b = BIO_new_file(private_key_name, "rb");
> ERR(!b, "%s", private_key_name);
> private_key = PEM_read_bio_PrivateKey(b, NULL,
> pem_pw_cb,
> NULL);
> + for (e = ENGINE_get_first(); !private_key && e !> NULL;
> + e = ENGINE_get_next(e)) {
> + UI_METHOD *ui;
> +
> + if (!ENGINE_get_load_privkey_function(e))
> + continue;
> +
> + ui = UI_create_method("sign-file");
> + if (!ui)
> + continue;
> +
> + UI_method_set_reader(ui, ui_read);
> + private_key = ENGINE_load_private_key(e,
> private_key_name,
> + ui,
> NULL);
> + UI_destroy_method(ui);
> + if (private_key)
> + ERR_clear_error(); /* initial key
> read failed */
> + }
> +
> ERR(!private_key, "%s", private_key_name);
> BIO_free(b);
> }
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-03 16:14 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-12 16:29 [PATCH] sign-file: add generic engine key support James Bottomley
-- strict thread matches above, loose matches on Subject: below --
2018-07-03 16:14 James Bottomley
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.