From 89af05898e76a3fefb84d1652edca1959eaf4c53 Mon Sep 17 00:00:00 2001
From: Leif Johansson <leifj@sunet.se>
Date: Thu, 26 Feb 2015 14:07:00 +0100
Subject: [PATCH] pkcs11 support - initial version

---
 osslsigncode.c | 55 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 5 deletions(-)

diff --git a/osslsigncode.c b/osslsigncode.c
index 6b230ec..c6bb693 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -751,7 +751,7 @@ static void usage(const char *argv0)
 	fprintf(stderr,
 			"Usage: %s\n\n\t[ --version | -v ]\n\n"
 			"\t[ sign ]\n"
-			"\t\t( -certs <certfile> -key <keyfile> | -pkcs12 <pkcs12file> )\n"
+			"\t\t( -certs <certfile> -key <keyfile> | -pkcs12 <pkcs12file> | -pkcs11 <module> -certs <certfile> -key <pkcs11 key id>)\n"
 			"\t\t[ -pass <password> ] "
 #ifdef PROVIDE_ASKPASS
 			"[ -askpass ]"
@@ -2310,7 +2310,7 @@ int main(int argc, char **argv)
 
 	const char *argv0 = argv[0];
 	static char buf[64*1024];
-	char *xcertfile, *certfile, *keyfile, *pvkfile, *pkcs12file, *infile, *outfile, *desc, *url, *indata;
+	char *xcertfile, *certfile, *keyfile, *pvkfile, *pkcs12file, *p11module, *infile, *outfile, *desc, *url, *indata;
 	char *pass = NULL, *readpass = NULL;
 	int askpass = 0;
 	char *leafhash = NULL;
@@ -2349,7 +2349,7 @@ int main(int argc, char **argv)
 	int len_msiex = 0;
 #endif
 
-	xcertfile = certfile = keyfile = pvkfile = pkcs12file = infile = outfile = desc = url = NULL;
+	xcertfile = certfile = keyfile = pvkfile = pkcs12file = p11module = infile = outfile = desc = url = NULL;
 	hash = outdata = NULL;
 
 	/* Set up OpenSSL */
@@ -2404,6 +2404,9 @@ int main(int argc, char **argv)
 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs12")) {
 			if (--argc < 1) usage(argv0);
 			pkcs12file = *(++argv);
+                } else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pkcs11")) {
+           		if (--argc < 1) usage(argv0);
+			p11module = *(++argv); 
 		} else if ((cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) {
 			if (askpass || readpass) usage(argv0);
 			if (--argc < 1) usage(argv0);
@@ -2522,7 +2525,7 @@ int main(int argc, char **argv)
 
 	if (argc > 0 || (nturl && ntsurl) || !infile ||
 		(cmd != CMD_VERIFY && !outfile) ||
-		(cmd == CMD_SIGN && !((certfile && keyfile) || pkcs12file))) {
+		(cmd == CMD_SIGN && !((certfile && keyfile) || pkcs12file || p11module))) {
 		if (failarg)
 			fprintf(stderr, "Unknown option: %s\n", failarg);
 		usage(argv0);
@@ -2548,7 +2551,7 @@ int main(int argc, char **argv)
 
 	if (cmd == CMD_SIGN) {
 		/* Read certificate and key */
-		if (keyfile && (btmp = BIO_new_file(keyfile, "rb")) != NULL) {
+		if (keyfile && !p11module && (btmp = BIO_new_file(keyfile, "rb")) != NULL) {
 			unsigned char magic[4];
 			unsigned char pvkhdr[4] = { 0x1e, 0xf1, 0xb5, 0xb0 };
 			magic[0] = 0x00;
@@ -2584,6 +2587,48 @@ int main(int argc, char **argv)
 #else
 			DO_EXIT_1("Can not read keys from PVK files, must compile against a newer version of OpenSSL: %s\n", pvkfile);
 #endif
+                } else if (p11module != NULL) {
+                        const int CMD_MANDATORY = 0;
+			ENGINE_load_dynamic();
+    			ENGINE * dyn = ENGINE_by_id( "dynamic" );
+    			if ( ! dyn )
+        			DO_EXIT_0( "Failed to load 'dynamic' engine");
+			const char *engine_pkcs11_so = "/usr/lib/engines/engine_pkcs11.so";
+			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "SO_PATH", engine_pkcs11_so, CMD_MANDATORY ) )
+        			DO_EXIT_0( "Failed to set dyn SO_PATH to 'engine_pkcs11.so'" );
+
+    			if ( 1 != ENGINE_ctrl_cmd_string( dyn, "ID", "pkcs11", CMD_MANDATORY ) )
+        			DO_EXIT_0( "Failed to set dyn ID to 'pkcs11'" );
+
+    			if ( 1 != ENGINE_ctrl_cmd( dyn, "LIST_ADD", 1, NULL, NULL, CMD_MANDATORY ) )
+        			DO_EXIT_0( "Failed to set dyn LIST_ADD to '1'" );
+
+    			if ( 1 != ENGINE_ctrl_cmd( dyn, "LOAD", 1, NULL, NULL, CMD_MANDATORY ) )
+        			DO_EXIT_0( "Failed to set dyn LOAD to '1'" );
+
+    			ENGINE * pkcs11 = ENGINE_by_id( "pkcs11" );
+    			if ( ! pkcs11 )
+        			DO_EXIT_0( "Failed to find and load pkcs11 engine" );
+
+			if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "MODULE_PATH", p11module, CMD_MANDATORY ) )
+        			DO_EXIT_1( "Failed to set pkcs11 engine MODULE_PATH to '%s'", p11module );
+		
+			if (pass != NULL) {
+    				if ( 1 != ENGINE_ctrl_cmd_string( pkcs11, "PIN", pass, CMD_MANDATORY ) )
+        				DO_EXIT_0( "Failed to set pkcs11 PIN" );
+			}
+
+    			if ( 1 != ENGINE_init( pkcs11 ) )
+        			DO_EXIT_0( "Failed to initialized pkcs11 engine" );
+
+			pkey = ENGINE_load_private_key( pkcs11, keyfile, NULL, NULL );
+			if (pkey == NULL)
+				DO_EXIT_1("Failed to load private key %s", keyfile);
+                        if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
+                                ((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&
+                                 (certs = PEM_read_certs(btmp, "")) == NULL))
+                                DO_EXIT_1("Failed to read certificate file: %s\n", certfile);
+                        BIO_free(btmp);
 		} else {
 			if ((btmp = BIO_new_file(certfile, "rb")) == NULL ||
 				((p7 = d2i_PKCS7_bio(btmp, NULL)) == NULL &&