[PATCH 4/4] modsign: Allow signing key to be PKCS#11
From: David Woodhouse
Date: Fri May 15 2015 - 12:54:11 EST
This is only the key; the corresponding *cert* still needs to be in
$(topdir)/signing_key.x509
Signed-off-by: David Woodhouse <David.Woodhouse@xxxxxxxxx>
---
scripts/sign-file.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 9a54acc..3a923e4 100755
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -22,6 +22,7 @@
#include <openssl/pem.h>
#include <openssl/pkcs7.h>
#include <openssl/err.h>
+#include <openssl/engine.h>
struct module_signature {
uint8_t algo; /* Public-key crypto algorithm [0] */
@@ -166,11 +167,29 @@ int main(int argc, char **argv)
/* Read the private key and the X.509 cert the PKCS#7 message
* will point to.
*/
- b = BIO_new_file(private_key_name, "rb");
- ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
- ERR(!private_key, "%s", private_key_name);
- BIO_free(b);
+ if (!strncmp(private_key_name, "pkcs11:", 7)) {
+ ENGINE *e;
+
+ ENGINE_load_builtin_engines();
+ drain_openssl_errors();
+ e = ENGINE_by_id("pkcs11");
+ ERR(!e, "Load PKCS#11 ENGINE");
+ if (ENGINE_init(e))
+ drain_openssl_errors();
+ else
+ ERR(1, "ENGINE_init");
+ if (key_pass)
+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
+ private_key = ENGINE_load_private_key(e, private_key_name, NULL,
+ NULL);
+ ERR(!private_key, "%s", private_key_name);
+ } else {
+ b = BIO_new_file(private_key_name, "rb");
+ ERR(!b, "%s", private_key_name);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, NULL);
+ ERR(!private_key, "%s", private_key_name);
+ BIO_free(b);
+ }
b = BIO_new_file(x509_name, "rb");
ERR(!b, "%s", x509_name);
--
2.4.0
--
David Woodhouse Open Source Technology Centre
David.Woodhouse@xxxxxxxxx Intel Corporation
Attachment:
smime.p7s
Description: S/MIME cryptographic signature