@@ -31,6 +31,7 @@
# define USE_PKCS11_PROVIDER
# include <openssl/provider.h>
# include <openssl/store.h>
+#include <openssl/ui.h>
#else
# if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
# define USE_PKCS11_ENGINE
@@ -107,19 +108,45 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
return pwlen;
}
+#ifdef USE_PKCS11_PROVIDER
+int ui_get_pin(UI *ui, UI_STRING *uis)
+{
+ const char *pin = (const char *)UI_get0_user_data(ui);
+
+ if (pin == NULL)
+ return -1;
+
+ int ret = UI_set_result(ui, uis, pin);
+
+ return (ret == 0) ? 1 : -1;
+}
+#endif
+
static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
{
EVP_PKEY *private_key = NULL;
#ifdef USE_PKCS11_PROVIDER
OSSL_STORE_CTX *store;
+ UI_METHOD *ui_method = NULL;
if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
if (!OSSL_PROVIDER_try_load(NULL, "default", true))
ERR(1, "OSSL_PROVIDER_try_load(default)");
-
- store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
- ERR(!store, "OSSL_STORE_open");
+ if (key_pass) {
+ ui_method = UI_create_method("PIN reader");
+ ERR(!ui_method, "UI_create_method");
+ if (UI_method_set_reader(ui_method, ui_get_pin) != 0)
+ ERR(1, "UI_method_set_reader");
+
+ store = OSSL_STORE_open_ex(private_key_name, NULL, NULL,
+ ui_method, (void *)key_pass,
+ NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open_ex");
+ } else {
+ store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
+ ERR(!store, "OSSL_STORE_open");
+ }
while (!OSSL_STORE_eof(store)) {
OSSL_STORE_INFO *info = OSSL_STORE_load(store);
in the same way as for PKCS11_ENGINE, add PKCS#11 token PIN injection for PKCS11_PROVIDER from key_pass environment variable if set. Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com> --- scripts/sign-file.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-)