[PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[Anton Lundin]

This adds support for the documented KBUILD_SIGN_PIN functionality to
sign-file and extract-cert when built with USE_PKCS11_PROVIDER.

Signed-off-by: Anton Lundin <glance@ac2.se>
Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
Cc: stable@vger.kernel.org
---
 certs/extract-cert.c | 27 ++++++++++++++++++++++++++-
 scripts/sign-file.c  |  6 +++++-
 2 files changed, 31 insertions(+), 2 deletions(-)

v2: Added the corresponding fix to extract-cert to

diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index 7d6d468ed612..30afdc296fff 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -25,6 +25,7 @@
 # define USE_PKCS11_PROVIDER
 # include <openssl/provider.h>
 # include <openssl/store.h>
+# include <openssl/ui.h>
 #else
 # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 #  define USE_PKCS11_ENGINE
@@ -62,18 +63,42 @@ static void write_cert(X509 *x509)
 		fprintf(stderr, "Extracted cert: %s\n", buf);
 }
 
+#ifdef USE_PKCS11_PROVIDER
+static int pem_pw_cb(char *buf, int len, int w, void *v)
+{
+	int pwlen;
+
+	if (!key_pass)
+		return -1;
+
+	pwlen = strlen(key_pass);
+	if (pwlen >= len)
+		return -1;
+
+	strcpy(buf, key_pass);
+
+	/* If it's wrong, don't keep trying it. */
+	key_pass = NULL;
+
+	return pwlen;
+}
+#endif
+
 static X509 *load_cert_pkcs11(const char *cert_src)
 {
 	X509 *cert = NULL;
 #ifdef USE_PKCS11_PROVIDER
 	OSSL_STORE_CTX *store;
+	UI_METHOD *ui_method = NULL;
 
 	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
 		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
 	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
 		ERR(1, "OSSL_PROVIDER_try_load(default)");
 
-	store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL);
+	if (key_pass)
+		ui_method = UI_UTIL_wrap_read_pem_callback(pem_pw_cb, 0);
+	store = OSSL_STORE_open(cert_src, ui_method, NULL, NULL, NULL);
 	ERR(!store, "OSSL_STORE_open");
 
 	while (!OSSL_STORE_eof(store)) {
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 73fbefd2e540..9ac89fea9d73 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,6 +32,7 @@
 # define USE_PKCS11_PROVIDER
 # include <openssl/provider.h>
 # include <openssl/store.h>
+# include <openssl/ui.h>
 #else
 # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 #  define USE_PKCS11_ENGINE
@@ -90,13 +91,16 @@ static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
 	EVP_PKEY *private_key = NULL;
 #ifdef USE_PKCS11_PROVIDER
 	OSSL_STORE_CTX *store;
+	UI_METHOD *ui_method = NULL;
 
 	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
 		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
 	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
 		ERR(1, "OSSL_PROVIDER_try_load(default)");
 
-	store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
+	if (key_pass)
+		ui_method = UI_UTIL_wrap_read_pem_callback(pem_pw_cb, 0);
+	store = OSSL_STORE_open(private_key_name, ui_method, NULL, NULL, NULL);
 	ERR(!store, "OSSL_STORE_open");
 
 	while (!OSSL_STORE_eof(store)) {
-- 
2.47.3

Re: [PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[James Bottomley]

On Wed, 2026-03-18 at 10:02 +0100, Anton Lundin wrote:
> This adds support for the documented KBUILD_SIGN_PIN functionality to
> sign-file and extract-cert when built with USE_PKCS11_PROVIDER.

Why would you do this?  It's going to pop up a prompt for a password
for every module you have ... that can be hundreds to thousands in a
distribution kernel, so it's unscalable.  The usual way we do this is
to put the password into an environment variable (insecure but
scalable) but I suppose if you have a more secure solution there might
be interest.

Regards,

James

Re: [PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[James Bottomley]

On Wed, 2026-03-18 at 10:44 -0400, James Bottomley wrote:
> On Wed, 2026-03-18 at 10:02 +0100, Anton Lundin wrote:
> > This adds support for the documented KBUILD_SIGN_PIN functionality
> > to
> > sign-file and extract-cert when built with USE_PKCS11_PROVIDER.
> 
> Why would you do this?  It's going to pop up a prompt for a password
> for every module you have ... that can be hundreds to thousands in a
> distribution kernel, so it's unscalable.  The usual way we do this is
> to put the password into an environment variable (insecure but
> scalable) but I suppose if you have a more secure solution there
> might
> be interest.

Sorry, ignore me.  I didn't read enough to see this is only plumbing
our current environment variable method into the new store open API we
use for providers which didn't pick up a password method.  However, the
thought does occur: if the pkcs11 engine does this by an engine
parameter, wouldn't the provider have an equivalent provider parameter?

Regards,

James

Re: [PATCHv2] sign-file,extract-cert: use KBUILD_SIGN_PIN in provider mode

[Anton Lundin]

On 18 March, 2026 - James Bottomley wrote:

> On Wed, 2026-03-18 at 10:44 -0400, James Bottomley wrote:
> > On Wed, 2026-03-18 at 10:02 +0100, Anton Lundin wrote:
> > > This adds support for the documented KBUILD_SIGN_PIN functionality
> > > to
> > > sign-file and extract-cert when built with USE_PKCS11_PROVIDER.
> > 
> > Why would you do this?  It's going to pop up a prompt for a password
> > for every module you have ... that can be hundreds to thousands in a
> > distribution kernel, so it's unscalable.  The usual way we do this is
> > to put the password into an environment variable (insecure but
> > scalable) but I suppose if you have a more secure solution there
> > might
> > be interest.
> 
> Sorry, ignore me.  I didn't read enough to see this is only plumbing
> our current environment variable method into the new store open API we
> use for providers which didn't pick up a password method.  However, the
> thought does occur: if the pkcs11 engine does this by an engine
> parameter, wouldn't the provider have an equivalent provider parameter?

There are OSSL_PROVIDER_add_conf_parameter, which are from OpenSSL 3.5,
which can set pkcs11-module-token-pin.

This code path has been activated from OpenSSL 3.0 and even when testing
with my local OpenSSL 3.5.5 I haven't gotten that to work.


Until recently I've had a patch in our local trees which just disables
the openssl provider parts and uses the engine api instead. In debian
bookworm the pkcs11-provider was too old to get anything working anyway,
and because of reasons that patch stuck around until now.


//Anton