| author | Anderson Toshiyuki Sasaki <ansasaki@redhat.com> | 2018-02-19 14:31:06 +0100 | 
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-08-08 09:46:01 +0200 | 
| commit | 298d2565e2a2f06a859b7f5a1cc24ba7c87a8ce2 (patch) | |
| tree | d6c7b12308a7d3617d6843297168c2e6a42d7578 /lib/vtls | |
| parent | c892795ea3601a6d210a325b2ac566b1c30d3334 (diff) | |
ssl: set engine implicitly when a PKCS#11 URI is provided
This allows the use of PKCS#11 URI for certificates and keys without
setting the corresponding type as "ENG" and the engine as "pkcs11"
explicitly. If a PKCS#11 URI is provided for the certificate, key,
proxy_certificate or proxy_key, the corresponding type is set to "ENG"
if not provided, and the engine is set to "pkcs11" if not provided.
Acked-by: Nikos Mavrogiannopoulos
Closes #2333
Diffstat (limited to 'lib/vtls')
| -rw-r--r-- | lib/vtls/openssl.c | 38 | 
1 files changed, 38 insertions, 0 deletions
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index d5b474771..9ce1ae5ab 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -558,8 +558,25 @@ static int ssl_ui_writer(UI *ui, UI_STRING *uis)
   }
   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
 }
+
+/*
+ * Check if a given string is a PKCS#11 URI
+ */
+static bool is_pkcs11_uri(const char *string)
+{
+  if(strncasecompare(string, "pkcs11:", 7)) {
+    return TRUE;
+  }
+  else {
+    return FALSE;
+  }
+}
+
 #endif
+static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
+                                     const char *engine);
+
 static
 int cert_stuff(struct connectdata *conn,
                SSL_CTX* ctx,
@@ -622,6 +639,16 @@ int cert_stuff(struct connectdata *conn,
     case SSL_FILETYPE_ENGINE:
 #if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
       {
+        /* Implicitly use pkcs11 engine if none was provided and the
+         * cert_file is a PKCS#11 URI */
+        if(!data->state.engine) {
+          if(is_pkcs11_uri(cert_file)) {
+            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+              return 0;
+            }
+          }
+        }
+
         if(data->state.engine) {
           const char *cmd_name = "LOAD_CERT_CTRL";
           struct {
@@ -798,6 +825,17 @@ int cert_stuff(struct connectdata *conn,
 #ifdef USE_OPENSSL_ENGINE
       {                         /* XXXX still needs some work */
         EVP_PKEY *priv_key = NULL;
+
+        /* Implicitly use pkcs11 engine if none was provided and the
+         * key_file is a PKCS#11 URI */
+        if(!data->state.engine) {
+          if(is_pkcs11_uri(key_file)) {
+            if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+              return 0;
+            }
+          }
+        }
+
         if(data->state.engine) {
           UI_METHOD *ui_method =
             UI_create_method((char *)"curl user interface");
|
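Review bot: is_pkcs11_uri hands `string` straight to strncasecompare with no NULL check, and the hunks at 639 and 825 call it with cert_file and key_file; whether those can be NULL when the type is ENG is not visible here, so the guard is cheap insurance and `return (string && strncasecompare(string, "pkcs11:", 7));` also replaces the if/else that merely relays a boolean. The header comment could add that the scheme match is case-insensitive, which is what the strncasecompare name suggests. The new function sits before the `#endif` that closes the block around ssl_ui_writer while both callers are under USE_OPENSSL_ENGINE; if that `#endif` closes a different condition the function is either compiled out where it is needed or left unused (and warned about) where it is not, which is worth confirming against the preprocessor nesting outside the hunk.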
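Review bot: The implicit-engine block added before `if(data->state.engine) {` is repeated verbatim in the key hunk at 825, differing only in cert_file versus key_file, and its three nested ifs can be flattened; a small helper keeps both sites identical if the rule ever changes. The selection is stored in data->state.engine, i.e. on the easy handle, so a pkcs11: certificate path selects the engine for everything the handle does afterwards — presumably the same scope an explicit CURLOPT_SSLENGINE has, but a comment saying so would help. The bare `return 0;` relies on Curl_ossl_set_engine having already reported why it failed; its body is not in this diff, so confirm every error path there calls failf, otherwise the user sees a silent failure. cert_stuff begins and ends outside the hunk.
```c
/* Select the pkcs11 engine when none is configured and 'file' is a PKCS#11
 * URI; a no-op otherwise. Returns FALSE only when setting the engine
 * failed (Curl_ossl_set_engine is expected to have reported why). */
static bool ensure_pkcs11_engine(struct Curl_easy *data, const char *file)
{
  if(data->state.engine || !is_pkcs11_uri(file))
    return TRUE;
  return Curl_ossl_set_engine(data, "pkcs11") == CURLE_OK;
}

/* … unchanged: cert_stuff up to the SSL_FILETYPE_ENGINE case … */
        if(!ensure_pkcs11_engine(data, cert_file))
          return 0;

        if(data->state.engine) {
/* … unchanged: LOAD_CERT_CTRL handling … */
```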
