[PATCH 3/6] Automatically handle PKCS#11 URIs in private_key, ca_cert or client_cert

David Woodhouse dwmw2
Thu Dec 18 07:09:32 PST 2014


If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.

(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)

Signed-off-by: David Woodhouse <David.Woodhouse at intel.com>
---
 src/crypto/tls_openssl.c | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 3b91a8e..9dc7a33 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3204,10 +3204,27 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 {
 	int ret;
 	unsigned long err;
+	const char *key_id = params->key_id;
+	const char *cert_id = params->cert_id;
+	const char *ca_cert_id = params->ca_cert_id;
 
 	if (conn == NULL)
 		return -1;
 
+	/* If any of these three are actually a PKCS#11 URI, treat them
+	   as _id fields for the ENGINE. */
+	if (!key_id && params->private_key &&
+	    !strncmp(params->private_key, "pkcs11:", 7))
+		key_id = params->private_key;
+
+	if (!cert_id && params->client_cert &&
+	    !strncmp(params->client_cert, "pkcs11:", 7))
+		cert_id = params->client_cert;
+
+	if (!ca_cert_id && params->ca_cert &&
+	    !strncmp(params->ca_cert, "pkcs11:", 7))
+		ca_cert_id = params->ca_cert;
+
 	if (params->flags & TLS_CONN_EAP_FAST) {
 		wpa_printf(MSG_DEBUG,
 			   "OpenSSL: Use TLSv1_method() for EAP-FAST");
@@ -3226,8 +3243,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 	if (params->engine) {
 		wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine");
 		ret = tls_engine_init(conn, params->engine_id, params->pin,
-				      params->key_id, params->cert_id,
-				      params->ca_cert_id);
+				      key_id, cert_id, ca_cert_id);
 		if (ret)
 			return ret;
 	}
@@ -3237,9 +3253,9 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					     params->suffix_match))
 		return -1;
 
-	if (params->engine && params->ca_cert_id) {
+	if (params->engine && ca_cert_id) {
 		if (tls_connection_engine_ca_cert(tls_ctx, conn,
-						  params->ca_cert_id))
+						  ca_cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
 	} else if (tls_connection_ca_cert(tls_ctx, conn, params->ca_cert,
 					  params->ca_cert_blob,
@@ -3247,15 +3263,15 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
 					  params->ca_path))
 		return -1;
 
-	if (params->engine && params->cert_id) {
-		if (tls_connection_engine_client_cert(conn, params->cert_id))
+	if (params->engine && cert_id) {
+		if (tls_connection_engine_client_cert(conn, cert_id))
 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
 	} else if (tls_connection_client_cert(conn, params->client_cert,
 					      params->client_cert_blob,
 					      params->client_cert_blob_len))
 		return -1;
 
-	if (params->engine && params->key_id) {
+	if (params->engine && key_id) {
 		wpa_printf(MSG_DEBUG, "TLS: Using private key from engine");
 		if (tls_connection_engine_private_key(conn))
 			return TLS_SET_PARAMS_ENGINE_PRV_VERIFY_FAILED;
-- 
2.1.0


-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20141218/1a47b42b/attachment.bin>



More information about the Hostap mailing list