[PATCH 2/8] Use keystore ENGINE for private key operations

Kenny Root kroot
Thu Nov 7 15:13:21 PST 2013

The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.

Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.

Change-Id: Iabab5077c3d167a1e13bc8ef8745dc59ad4d62f7
Signed-off-by: Dmitry Shmidt <dimitrysh at google.com>
 src/crypto/tls_openssl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 95c674a..2b7b010 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -10,9 +10,11 @@
+#ifndef ANDROID
 #include <openssl/ssl.h>
 #include <openssl/err.h>
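Review bot: the `+#ifndef ANDROID` added here has no visible matching `#endif`, and the hunk header (`-10,9 +10,11`) counts two added lines while only one is shown, so the extent of the guarded block should be confirmed: `<openssl/ssl.h>` and `<openssl/err.h>` must still be reachable on Android, because `ERR_error_string()` and the `ENGINE_*` calls later in this file depend on them. Keying the include set on the platform macro `ANDROID` is also coarser than the change needs; a purpose-named build option for the keystore engine would make the intent clear to the next reader.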
@@ -858,16 +860,21 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 		wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 		return -1;
+#ifndef ANDROID
 	if (pin == NULL) {
 		wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
 		return -1;
 	if (key_id == NULL) {
 		wpa_printf(MSG_ERROR, "ENGINE: Key Id not set");
 		return -1;
+#ifdef ANDROID
+	ENGINE_load_dynamic();
 	conn->engine = ENGINE_by_id(engine_id);
 	if (!conn->engine) {
 		wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
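Review bot: removing the `pin == NULL` check under `#ifndef ANDROID` is only sound if every later use of `pin` is guarded the same way (the `"PIN"` control command in the next hunk is); a one-line comment at this point stating that the keystore engine authorizes the caller without a PIN would document that assumption where the check used to be. Separately, `ENGINE_load_dynamic()` inside `tls_engine_init()` runs on every connection and belongs with the one-time engine setup; and once the dynamic engine is registered, `ENGINE_by_id()` falls back to loading a shared object named after `engine_id` from OpenSSL's engine directory when the id is not already registered, so `engine_id` must only ever come from trusted configuration.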
@@ -882,11 +889,13 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 	wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
+#ifndef ANDROID
 	if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 		wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
 			   ERR_error_string(ERR_get_error(), NULL));
 		goto err;
 	/* load private key first in-case PIN is required for cert */
 	conn->private_key = ENGINE_load_private_key(conn->engine,
 						    key_id, NULL, NULL);
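Review bot: with the PIN block now under `#ifndef ANDROID`, the comment `/* load private key first in-case PIN is required for cert */` no longer describes the Android path; reword it to say that on Android no PIN is set and to spell out what `key_id` denotes when the engine is the keystore rather than a PKCS#11 token. The trailing `NULL, NULL` arguments to `ENGINE_load_private_key()` (no UI method, no callback data) also mean an engine that needs to prompt for credentials will fail rather than ask, which is the intended behaviour for a keystore-backed key and is worth stating in the same comment.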
