pkcs11: don't hardcode pkcs11 engine path - use -pkcs11engine + -pkcs11module args instead

2025-04-05 01:00:11 -05:00 · 2015-03-06 22:00:48 +01:00 · 2015-03-06 22:00:48 +01:00 · 50b66a1eb4
commit 50b66a1eb4
parent 67ef46984f
3 changed files with 40 additions and 35 deletions
--- a/misc/softhsm-example-token/README-PKCS11
+++ b/misc/softhsm-example-token/README-PKCS11
--- a/misc/softhsm-example-token/README
+++ b/misc/softhsm-example-token/README
@ -12,6 +12,7 @@ Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
 directory):

 env SOFTHSM_CONF=`pwd`/softhsm.conf ../../osslsigncode sign \
-   -pkcs11 /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ...
+   -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
+   -pkcs11module /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ...

 Use 'secret1' as the password at the prompt.
--- a/osslsigncode.c
+++ b/osslsigncode.c
@ -751,7 +751,8 @@ static void usage(const char *argv0)
 	fprintf(stderr,
 			"Usage: %s\n\n\t[ --version | -v ]\n\n"
 			"\t[ sign ]\n"
-			"\t\t( -certs <certfile> -key <keyfile> | -pkcs12 <pkcs12file> | -pkcs11 <module> -certs <certfile> -key <pkcs11 key id>)\n"
+			"\t\t( -certs <certfile> -key <keyfile> | -pkcs12 <pkcs12file> |\n"
+			"\t\t  -pkcs11engine <engine> -pkcs11module <module> -certs <certfile> -key <pkcs11 key id>)\n"
 			"\t\t[ -pass <password> ] "
 #ifdef PROVIDE_ASKPASS
 			"[ -askpass ]"
@ -2310,7 +2311,8 @@ int main(int argc, char **argv)

 	const char *argv0 = argv[0];
 	static char buf[64*1024];
-	char *xcertfile, *certfile, *keyfile, *pvkfile, *pkcs12file, *p11module, *infile, *outfile, *desc, *url, *indata;
+	char *xcertfile, *certfile, *keyfile, *pvkfile, *pkcs12file, *infile, *outfile, *desc, *url, *indata;
+	char *p11engine, *p11module;
 	char *pass = NULL, *readpass = NULL;
 	int askpass = 0;
 	char *leafhash = NULL;
@ -2349,7 +2351,7 @@ int main(int argc, char **argv)
 	int len_msiex = 0;
 #endif

-	xcertfile = certfile = keyfile = pvkfile = pkcs12file = p11module = infile = outfile = desc = url = NULL;
+	xcertfile = certfile = keyfile = pvkfile = pkcs12file = p11module = p11engine = infile = outfile = desc = url = NULL;
 	hash = outdata = NULL;

 	/* Set up OpenSSL */
@ -2404,8 +2406,11 @@ int main(int argc, char **argv)
 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs12")) {
 			if (--argc < 1) usage(argv0);
 			pkcs12file = *(++argv);
-                } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11")) {
-           		if (--argc < 1) usage(argv0);
+		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11engine")) {
+			if (--argc < 1) usage(argv0);
+			p11engine = *(++argv);
+		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11module")) {
+			if (--argc < 1) usage(argv0);
 			p11module = *(++argv); 
 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) {
 			if (askpass || readpass) usage(argv0);
@ -2525,7 +2530,7 @@ int main(int argc, char **argv)

 	if (argc > 0 || (nturl && ntsurl) || !infile ||
 		(cmd != CMD_VERIFY && !outfile) ||
-		(cmd == CMD_SIGN && !((certfile && keyfile) || pkcs12file || p11module))) {
+		(cmd == CMD_SIGN && !((certfile && keyfile) || pkcs12file || (p11engine && p11module)))) {
 		if (failarg)
 			fprintf(stderr, "Unknown option: %s\n", failarg);
 		usage(argv0);
@ -2551,7 +2556,7 @@ int main(int argc, char **argv)

 	if (cmd == CMD_SIGN) {
 		/* Read certificate and key */
-		if (keyfile && !p11module && (btmp = BIO_new_file(keyfile, "rb")) != NULL) {
+		if (keyfile && !p11engine && (btmp = BIO_new_file(keyfile, "rb")) != NULL) {
 			unsigned char magic[4];
 			unsigned char pvkhdr[4] = { 0x1e, 0xf1, 0xb5, 0xb0 };
 			magic[0] = 0x00;
@ -2587,48 +2592,47 @@ int main(int argc, char **argv)
 #else
 			DO_EXIT_1("Can not read keys from PVK files, must compile against a newer version of OpenSSL: %s\n", pvkfile);
 #endif
-                } else if (p11module != NULL) {
-                        const int CMD_MANDATORY = 0;
+		} else if (p11engine != NULL && p11module != NULL) {
+			const int CMD_MANDATORY = 0;
 			ENGINE_load_dynamic();
-    			ENGINE * dyn = ENGINE_by_id( "dynamic" );
-    			if ( ! dyn )
-        			DO_EXIT_0( "Failed to load 'dynamic' engine");
-			const char *engine_pkcs11_so = "/usr/lib/engines/engine_pkcs11.so";
-			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "SO_PATH", engine_pkcs11_so, CMD_MANDATORY ) )
-        			DO_EXIT_0( "Failed to set dyn SO_PATH to 'engine_pkcs11.so'" );
+			ENGINE * dyn = ENGINE_by_id( "dynamic" );
+			if ( ! dyn )
+				DO_EXIT_0( "Failed to load 'dynamic' engine");
+			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "SO_PATH", p11engine, CMD_MANDATORY ) )
+				DO_EXIT_1( "Failed to set dyn SO_PATH to '%s'", p11engine);

-    			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "ID", "pkcs11", CMD_MANDATORY ) )
-        			DO_EXIT_0( "Failed to set dyn ID to 'pkcs11'" );
+			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "ID", "pkcs11", CMD_MANDATORY ) )
+				DO_EXIT_0( "Failed to set dyn ID to 'pkcs11'" );

-    			if ( 1 != ENGINE_ctrl_cmd( dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY ) )
-        			DO_EXIT_0( "Failed to set dyn LIST_ADD to '1'" );
+			if ( 1 != ENGINE_ctrl_cmd( dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY ) )
+				DO_EXIT_0( "Failed to set dyn LIST_ADD to '1'" );

-    			if ( 1 != ENGINE_ctrl_cmd( dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY ) )
-        			DO_EXIT_0( "Failed to set dyn LOAD to '1'" );
+			if ( 1 != ENGINE_ctrl_cmd( dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY ) )
+				DO_EXIT_0( "Failed to set dyn LOAD to '1'" );

-    			ENGINE * pkcs11 = ENGINE_by_id( "pkcs11" );
-    			if ( ! pkcs11 )
-        			DO_EXIT_0( "Failed to find and load pkcs11 engine" );
+			ENGINE * pkcs11 = ENGINE_by_id( "pkcs11" );
+			if ( ! pkcs11 )
+				DO_EXIT_0( "Failed to find and load pkcs11 engine" );

 			if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY ) )
-        			DO_EXIT_1( "Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module );
+				DO_EXIT_1( "Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module );
 		
 			if (pass != NULL) {
-    				if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "PIN", pass, CMD_MANDATORY ) )
-        				DO_EXIT_0( "Failed to set pkcs11 PIN" );
+				if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "PIN", pass, CMD_MANDATORY ) )
+					DO_EXIT_0( "Failed to set pkcs11 PIN" );
 			}

-    			if ( 1 != ENGINE_init( pkcs11 ) )
-        			DO_EXIT_0( "Failed to initialized pkcs11 engine" );
+			if ( 1 != ENGINE_init( pkcs11 ) )
+				DO_EXIT_0( "Failed to initialized pkcs11 engine" );

 			pkey = ENGINE_load_private_key( pkcs11, keyfile, NULL, NULL );
 			if (pkey == NULL)
 				DO_EXIT_1("Failed to load private key %s", keyfile);
-                        if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
-                                ((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&
-                                 (certs = PEM_read_certs(btmp, "")) == NULL))
-                                DO_EXIT_1("Failed to read certificate file: %s\n", certfile);
-                        BIO_free(btmp);
+			if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
+				((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&
+				 (certs = PEM_read_certs(btmp, "")) == NULL))
+				DO_EXIT_1("Failed to read certificate file: %s\n", certfile);
+			BIO_free(btmp);
 		} else {
 			if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
 				((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&