From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: Huacai Chen <chenhuacai@loongson.cn>, Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 6.1&6.6 V4 3/3] sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
Date: Tue, 22 Apr 2025 15:17:43 -0400 [thread overview]
Message-ID: <20250422133404-d8be794238d2c214@stable.kernel.org> (raw)
In-Reply-To: <20250422123135.1784083-4-chenhuacai@loongson.cn>
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected.
No action required from the submitter.
The upstream commit SHA1 provided is correct: 558bdc45dfb2669e1741384a0c80be9c82fa052c
WARNING: Author mismatch between patch and upstream commit:
Backport author: Huacai Chen<chenhuacai@loongson.cn>
Commit author: Jan Stancek<jstancek@redhat.com>
Status in newer kernel trees:
6.14.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Not found
Note: The patch differs from the upstream commit:
---
1: 558bdc45dfb26 ! 1: 0870c1cd7c207 sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
@@ Metadata
## Commit message ##
sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
+ commit 558bdc45dfb2669e1741384a0c80be9c82fa052c upstream.
+
ENGINE API has been deprecated since OpenSSL version 3.0 [1].
Distros have started dropping support from headers and in future
it will likely disappear also from library.
@@ Commit message
Tested-by: R Nageswara Sastry <rnsastry@linux.ibm.com>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+ Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
## certs/extract-cert.c ##
@@
@@ certs/extract-cert.c: static void write_cert(X509 *x509)
fprintf(stderr, "Extracted cert: %s\n", buf);
}
+-int main(int argc, char **argv)
+static X509 *load_cert_pkcs11(const char *cert_src)
-+{
+ {
+- char *cert_src;
+-
+- OpenSSL_add_all_algorithms();
+- ERR_load_crypto_strings();
+- ERR_clear_error();
+ X509 *cert = NULL;
+#ifdef USE_PKCS11_PROVIDER
+ OSSL_STORE_CTX *store;
-+
+
+- kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
+ if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
+ ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
+ if (!OSSL_PROVIDER_try_load(NULL, "default", true))
+ ERR(1, "OSSL_PROVIDER_try_load(default)");
-+
+
+- key_pass = getenv("KBUILD_SIGN_PIN");
+-
+- if (argc != 3)
+- format();
+ store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open");
-+
+
+- cert_src = argv[1];
+- cert_dst = argv[2];
+ while (!OSSL_STORE_eof(store)) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(store);
-+
+
+- if (!cert_src[0]) {
+- /* Invoked with no input; create empty file */
+- FILE *f = fopen(cert_dst, "wb");
+- ERR(!f, "%s", cert_dst);
+- fclose(f);
+- exit(0);
+- } else if (!strncmp(cert_src, "pkcs11:", 7)) {
+ if (!info) {
+ drain_openssl_errors(__LINE__, 0);
+ continue;
@@ certs/extract-cert.c: static void write_cert(X509 *x509)
+ }
+ OSSL_STORE_close(store);
+#elif defined(USE_PKCS11_ENGINE)
-+ ENGINE *e;
-+ struct {
-+ const char *cert_id;
-+ X509 *cert;
-+ } parms;
-+
-+ parms.cert_id = cert_src;
-+ parms.cert = NULL;
-+
-+ ENGINE_load_builtin_engines();
-+ drain_openssl_errors(__LINE__, 1);
-+ e = ENGINE_by_id("pkcs11");
-+ ERR(!e, "Load PKCS#11 ENGINE");
-+ if (ENGINE_init(e))
-+ drain_openssl_errors(__LINE__, 1);
-+ else
-+ ERR(1, "ENGINE_init");
-+ if (key_pass)
-+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-+ ERR(!parms.cert, "Get X.509 from PKCS#11");
+ ENGINE *e;
+ struct {
+ const char *cert_id;
+@@ certs/extract-cert.c: int main(int argc, char **argv)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
+ ERR(!parms.cert, "Get X.509 from PKCS#11");
+- write_cert(parms.cert);
+ cert = parms.cert;
+#else
+ fprintf(stderr, "no pkcs11 engine/provider available\n");
@@ certs/extract-cert.c: static void write_cert(X509 *x509)
+ return cert;
+}
+
- int main(int argc, char **argv)
- {
- char *cert_src;
-@@ certs/extract-cert.c: int main(int argc, char **argv)
- fclose(f);
- exit(0);
- } else if (!strncmp(cert_src, "pkcs11:", 7)) {
-- ENGINE *e;
-- struct {
-- const char *cert_id;
-- X509 *cert;
-- } parms;
++int main(int argc, char **argv)
++{
++ char *cert_src;
++
++ OpenSSL_add_all_algorithms();
++ ERR_load_crypto_strings();
++ ERR_clear_error();
++
++ kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0");
++
++ key_pass = getenv("KBUILD_SIGN_PIN");
++
++ if (argc != 3)
++ format();
++
++ cert_src = argv[1];
++ cert_dst = argv[2];
++
++ if (!cert_src[0]) {
++ /* Invoked with no input; create empty file */
++ FILE *f = fopen(cert_dst, "wb");
++ ERR(!f, "%s", cert_dst);
++ fclose(f);
++ exit(0);
++ } else if (!strncmp(cert_src, "pkcs11:", 7)) {
+ X509 *cert = load_cert_pkcs11(cert_src);
-
-- parms.cert_id = cert_src;
-- parms.cert = NULL;
--
-- ENGINE_load_builtin_engines();
-- drain_openssl_errors(__LINE__, 1);
-- e = ENGINE_by_id("pkcs11");
-- ERR(!e, "Load PKCS#11 ENGINE");
-- if (ENGINE_init(e))
-- drain_openssl_errors(__LINE__, 1);
-- else
-- ERR(1, "ENGINE_init");
-- if (key_pass)
-- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
-- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
-- ERR(!parms.cert, "Get X.509 from PKCS#11");
-- write_cert(parms.cert);
++
+ ERR(!cert, "load_cert_pkcs11 failed");
+ write_cert(cert);
} else {
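Review bot: The new `load_cert_pkcs11()` carries no comment stating its contract, and the visible branches surface failure differently: the provider and engine paths exit through `ERR()` inside the helper, while the `#else` path only prints `no pkcs11 engine/provider available` and returns NULL, leaving the `ERR(!cert, "load_cert_pkcs11 failed")` in main to actually fail the run. A header comment along the lines of `/* Load the X.509 certificate named by a pkcs11: URI through the OpenSSL provider or engine. Exits via ERR() on any OpenSSL failure; returns NULL only when no PKCS#11 backend is compiled in (and, presumably, when the store yields no certificate). */` would make that explicit for whoever maintains the 6.6.y copy. Ownership of the returned X509 (whether main is expected to free it after write_cert) is not visible here, so the comment should state it once confirmed against the elided loop body. The range-diff omits the middle of the OSSL_STORE loop, so load_cert_pkcs11's body is only partially shown; the hunk reordering relative to upstream 558bdc45dfb2669e1741384a0c80be9c82fa052c looks purely structural, with both diffs producing the same helper/main split.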
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y | Success | Success |