Support loading OpenSSL 3.0+ providers without -pkcs11module option (e.g., CNG)

NEWS.md

@@ -3,7 +3,9 @@
 ### 2.10 (unreleased)
 
 - added JavaScript signing
-- added PKCS#11 provider support (requires OpenSSL 3.0)
+- added PKCS#11 provider support (requires OpenSSL 3.0+)
+- added support for providers without specifying "-pkcs11module" option
+  (OpenSSL 3.0+, e.g., for the upcoming CNG provider)
 - added compatiblity with the CNG engine version 1.1 or later
 - added the "-engineCtrl" option to control hardware and CNG engines
 - added the '-blobFile' option to specify a file containing the blob content

osslsigncode.c

@@ -4317,6 +4317,12 @@ static int read_crypto_params(GLOBAL_OPTIONS *options)
     }
 #endif /* !defined(OPENSSL_NO_ENGINE) || OPENSSL_VERSION_NUMBER>=0x30000000L */
     else {
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+        if (options->provider) {
+            /* Attempt to load a provider without a PKCS#11 module (e.g., for the CNG provider) */
+            (void)provider_load(options->provider);
+        }
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
         /* Load the the private key ('-key' option) */
         load_objects_from_store(options->keyfile, options->pass, &options->pkey, NULL, NULL);
     }