From dd9b81281fabe66e2df46d8c530707483332b9df Mon Sep 17 00:00:00 2001
From: olszomal
Date: Tue, 3 Jun 2025 10:47:05 +0200
Subject: [PATCH] Support loading OpenSSL 3.0+ providers without -pkcs11module option (e.g., CNG)
---
 NEWS.md | 4 +++-
 osslsigncode.c | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/NEWS.md b/NEWS.md
index 13173f0..7962ba3 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -3,7 +3,9 @@
 ### 2.10 (unreleased)
 - added JavaScript signing
-- added PKCS#11 provider support (requires OpenSSL 3.0)
+- added PKCS#11 provider support (requires OpenSSL 3.0+)
+- added support for providers without specifying "-pkcs11module" option
+ (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
 - added compatiblity with the CNG engine version 1.1 or later
 - added the "-engineCtrl" option to control hardware and CNG engines
 - added the '-blobFile' option to specify a file containing the blob content
diff --git a/osslsigncode.c b/osslsigncode.c
index d2d6d7b..70c0d7d 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -4317,6 +4317,12 @@ static int read_crypto_params(GLOBAL_OPTIONS *options)
 }
 #endif /* !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER>=0x30000000L */
 else {
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ if (options->provider) {
+ /* Attempt to load a provider without a PKCS#11 module (e.g., for the CNG provider) */
+ (void)provider_load(options->provider);
+ }
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
 /* Load the the private key ('-key' option) */
 load_objects_from_store(options->keyfile, options->pass, &options->pkey, NULL, NULL);
 }
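Review bot: The `(void)` cast in the new `#if OPENSSL_VERSION_NUMBER>=0x30000000L` block throws away the result of `provider_load(options->provider)`, so a provider the user explicitly asked for can fail to load and `load_objects_from_store()` still runs against `options->keyfile`. For a signing tool that is a fail-open path: the key reference would then be resolved by whatever store loaders are already active rather than the requested provider, and the user sees at best an unrelated key-loading error. Unless the best-effort behaviour is deliberate, stop here on failure, e.g. `if (!provider_load(options->provider)) return 0; /* FAILED */` (this assumes 0 is the failure value of both functions, which the hunk does not show). If it is deliberate, say why in the comment, for instance `/* best effort: a load failure is reported when the key cannot be found below */`. The rest of `read_crypto_params()` lies outside the hunk, so any later check on `options->pkey` is not visible here.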