1. Patchew
  2. linux
  3. View series

[PATCH] sign-file: use KBUILD_SIGN_PIN in provider mode

Anton Lundin posted 1 patch 3 weeks, 5 days ago 
scripts/sign-file.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH] sign-file: use KBUILD_SIGN_PIN in provider mode
Posted by Anton Lundin 3 weeks, 5 days ago 
This adds support for the documented KBUILD_SIGN_PIN functionality to
sign-file when built with USE_PKCS11_PROVIDER.

Signed-off-by: Anton Lundin <glance@ac2.se>
Fixes: 558bdc45dfb2 ("sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3")
Cc: stable@vger.kernel.org
---
 scripts/sign-file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 73fbefd2e540..9ac89fea9d73 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -32,6 +32,7 @@
 # define USE_PKCS11_PROVIDER
 # include <openssl/provider.h>
 # include <openssl/store.h>
+# include <openssl/ui.h>
 #else
 # if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 #  define USE_PKCS11_ENGINE
@@ -90,13 +91,16 @@ static EVP_PKEY *read_private_key_pkcs11(const char *private_key_name)
 	EVP_PKEY *private_key = NULL;
 #ifdef USE_PKCS11_PROVIDER
 	OSSL_STORE_CTX *store;
+	UI_METHOD *ui_method = NULL;
 
 	if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true))
 		ERR(1, "OSSL_PROVIDER_try_load(pkcs11)");
 	if (!OSSL_PROVIDER_try_load(NULL, "default", true))
 		ERR(1, "OSSL_PROVIDER_try_load(default)");
 
-	store = OSSL_STORE_open(private_key_name, NULL, NULL, NULL, NULL);
+	if (key_pass)
+		ui_method = UI_UTIL_wrap_read_pem_callback(pem_pw_cb, 0);
+	store = OSSL_STORE_open(private_key_name, ui_method, NULL, NULL, NULL);
 	ERR(!store, "OSSL_STORE_open");
 
 	while (!OSSL_STORE_eof(store)) {
-- 
2.47.3

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.