[PATCH 3/6] Automatically handle PKCS#11 URIs in private_key, ca_cert or client_cert
David Woodhouse
dwmw2
Thu Dec 18 07:09:32 PST 2014
If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.
(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)
Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
---
src/crypto/tls_openssl.c | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3b91a8e..9dc7a33 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3204,10 +3204,27 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
{
int ret;
unsigned long err;
+ const char *key_id = params->key_id;
+ const char *cert_id = params->cert_id;
+ const char *ca_cert_id = params->ca_cert_id;
if (conn == NULL)
return -1;
+ /* If any of these three are actually a PKCS#11 URI, treat them
+ as _id fields for the ENGINE. */
+ if (!key_id && params->private_key &&
+ !strncmp(params->private_key, "pkcs11:", 7))
+ key_id = params->private_key;
+
+ if (!cert_id && params->client_cert &&
+ !strncmp(params->client_cert, "pkcs11:", 7))
+ cert_id = params->client_cert;
+
+ if (!ca_cert_id && params->ca_cert &&
+ !strncmp(params->ca_cert, "pkcs11:", 7))
+ ca_cert_id = params->ca_cert;
+
if (params->flags & TLS_CONN_EAP_FAST) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Use TLSv1_method() for EAP-FAST");
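Review bot: When `params->engine` is not set, a `private_key`, `client_cert` or `ca_cert` value that the new prefix test at L29-L39 recognises as a PKCS#11 URI is never used as an `_id` (every engine branch later in this function is guarded by `params->engine`), so the URI falls through to the non-engine loaders and is opened as a filesystem path; the user then sees a file-open failure rather than a configuration error. Since the detection already knows which values came from the URI fallback rather than the explicit `*_id` fields, it can fail early with a clear message; a check along the lines below, placed right after the three detections, would do it (the enclosing `tls_connection_set_params` starts before and ends after this hunk). Two style points: the two-line comment at L27-L28 lacks the ` * ` continuation prefix the rest of this file uses for block comments, and if the file follows hostap's `os_*` wrapper convention the compare would be `os_strncmp(...) == 0` rather than bare `!strncmp(...)`. Note also that the match is case-sensitive, so `PKCS11:` is not recognised; if scheme-name case-insensitivity is wanted, `os_strncasecmp` is the wrapper to use.
```c
	/* … unchanged: pkcs11: prefix detection for key_id, cert_id, ca_cert_id … */

	/* A PKCS#11 URI is not a file path; without an engine the
	 * non-engine loaders below would try to open it as one. */
	if (!params->engine &&
	    (key_id != params->key_id || cert_id != params->cert_id ||
	     ca_cert_id != params->ca_cert_id)) {
		wpa_printf(MSG_INFO,
			   "OpenSSL: PKCS#11 URI given but engine not enabled");
		return -1;
	}
```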
@@ -3226,8 +3243,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
if (params->engine) {
wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
ret = tls_engine_init(conn, params->engine_id, params->pin,
- params->key_id, params->cert_id,
- params->ca_cert_id);
+ key_id, cert_id, ca_cert_id);
if (ret)
return ret;
}
@@ -3237,9 +3253,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
params->suffix_match))
return -1;
- if (params->engine && params->ca_cert_id) {
+ if (params->engine && ca_cert_id) {
if (tls_connection_engine_ca_cert(tls_ctx, conn,
- params->ca_cert_id))
+ ca_cert_id))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_ca_cert(tls_ctx, conn, params->ca_cert,
params->ca_cert_blob,
@@ -3247,15 +3263,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
params->ca_path))
return -1;
- if (params->engine && params->cert_id) {
- if (tls_connection_engine_client_cert(conn, params->cert_id))
+ if (params->engine && cert_id) {
+ if (tls_connection_engine_client_cert(conn, cert_id))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
} else if (tls_connection_client_cert(conn, params->client_cert,
params->client_cert_blob,
params->client_cert_blob_len))
return -1;
- if (params->engine && params->key_id) {
+ if (params->engine && key_id) {
wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
if (tls_connection_engine_private_key(conn))
return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
--
2.1.0
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation