[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 558bdc45dfb2669e1741384a0c80be9c82fa052c
WARNING: Author mismatch between patch and upstream commit: Backport author: Huacai Chen <chenhuacai@loongson.cn> Commit author: Jan Stancek <jstancek@redhat.com>
Status in newer kernel trees: 6.13.y | Present (exact SHA1) 6.12.y | Present (exact SHA1) 6.6.y | Not found
Note: The patch differs from the upstream commit: --- 1: 558bdc45dfb26 ! 1: 170b80ba5ce0b sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 @@ Metadata ## Commit message ## sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
+ commit 558bdc45dfb2669e1741384a0c80be9c82fa052c upstream. + ENGINE API has been deprecated since OpenSSL version 3.0 [1]. Distros have started dropping support from headers and in future it will likely disappear also from library. @@ Commit message Tested-by: R Nageswara Sastry rnsastry@linux.ibm.com Reviewed-by: Neal Gompa neal@gompa.dev Signed-off-by: Jarkko Sakkinen jarkko@kernel.org + Signed-off-by: Huacai Chen chenhuacai@loongson.cn
## certs/extract-cert.c ## @@ @@ certs/extract-cert.c: static void write_cert(X509 *x509) fprintf(stderr, "Extracted cert: %s\n", buf); }
+-int main(int argc, char **argv) +static X509 *load_cert_pkcs11(const char *cert_src) -+{ + { +- char *cert_src; +- +- OpenSSL_add_all_algorithms(); +- ERR_load_crypto_strings(); +- ERR_clear_error(); + X509 *cert = NULL; +#ifdef USE_PKCS11_PROVIDER + OSSL_STORE_CTX *store; -+ + +- kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0"); + if (!OSSL_PROVIDER_try_load(NULL, "pkcs11", true)) + ERR(1, "OSSL_PROVIDER_try_load(pkcs11)"); + if (!OSSL_PROVIDER_try_load(NULL, "default", true)) + ERR(1, "OSSL_PROVIDER_try_load(default)"); -+ + +- key_pass = getenv("KBUILD_SIGN_PIN"); +- +- if (argc != 3) +- format(); + store = OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL); + ERR(!store, "OSSL_STORE_open"); -+ + +- cert_src = argv[1]; +- cert_dst = argv[2]; + while (!OSSL_STORE_eof(store)) { + OSSL_STORE_INFO *info = OSSL_STORE_load(store); -+ + +- if (!cert_src[0]) { +- /* Invoked with no input; create empty file */ +- FILE *f = fopen(cert_dst, "wb"); +- ERR(!f, "%s", cert_dst); +- fclose(f); +- exit(0); +- } else if (!strncmp(cert_src, "pkcs11:", 7)) { + if (!info) { + drain_openssl_errors(__LINE__, 0); + continue; @@ certs/extract-cert.c: static void write_cert(X509 *x509) + } + OSSL_STORE_close(store); +#elif defined(USE_PKCS11_ENGINE) -+ ENGINE *e; -+ struct { -+ const char *cert_id; -+ X509 *cert; -+ } parms; -+ -+ parms.cert_id = cert_src; -+ parms.cert = NULL; -+ -+ ENGINE_load_builtin_engines(); -+ drain_openssl_errors(__LINE__, 1); -+ e = ENGINE_by_id("pkcs11"); -+ ERR(!e, "Load PKCS#11 ENGINE"); -+ if (ENGINE_init(e)) -+ drain_openssl_errors(__LINE__, 1); -+ else -+ ERR(1, "ENGINE_init"); -+ if (key_pass) -+ ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); -+ ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); -+ ERR(!parms.cert, "Get X.509 from PKCS#11"); + ENGINE *e; + struct { + const char *cert_id; +@@ certs/extract-cert.c: int main(int argc, char **argv) + ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); + 
ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); + ERR(!parms.cert, "Get X.509 from PKCS#11"); +- write_cert(parms.cert); + cert = parms.cert; +#else + fprintf(stderr, "no pkcs11 engine/provider available\n"); @@ certs/extract-cert.c: static void write_cert(X509 *x509) + return cert; +} + - int main(int argc, char **argv) - { - char *cert_src; -@@ certs/extract-cert.c: int main(int argc, char **argv) - fclose(f); - exit(0); - } else if (!strncmp(cert_src, "pkcs11:", 7)) { -- ENGINE *e; -- struct { -- const char *cert_id; -- X509 *cert; -- } parms; ++int main(int argc, char **argv) ++{ ++ char *cert_src; ++ ++ OpenSSL_add_all_algorithms(); ++ ERR_load_crypto_strings(); ++ ERR_clear_error(); ++ ++ kbuild_verbose = atoi(getenv("KBUILD_VERBOSE")?:"0"); ++ ++ key_pass = getenv("KBUILD_SIGN_PIN"); ++ ++ if (argc != 3) ++ format(); ++ ++ cert_src = argv[1]; ++ cert_dst = argv[2]; ++ ++ if (!cert_src[0]) { ++ /* Invoked with no input; create empty file */ ++ FILE *f = fopen(cert_dst, "wb"); ++ ERR(!f, "%s", cert_dst); ++ fclose(f); ++ exit(0); ++ } else if (!strncmp(cert_src, "pkcs11:", 7)) { + X509 *cert = load_cert_pkcs11(cert_src); - -- parms.cert_id = cert_src; -- parms.cert = NULL; -- -- ENGINE_load_builtin_engines(); -- drain_openssl_errors(__LINE__, 1); -- e = ENGINE_by_id("pkcs11"); -- ERR(!e, "Load PKCS#11 ENGINE"); -- if (ENGINE_init(e)) -- drain_openssl_errors(__LINE__, 1); -- else -- ERR(1, "ENGINE_init"); -- if (key_pass) -- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN"); -- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1); -- ERR(!parms.cert, "Get X.509 from PKCS#11"); -- write_cert(parms.cert); ++ + ERR(!cert, "load_cert_pkcs11 failed"); + write_cert(cert); } else { ---
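Review bot: In the `USE_PKCS11_PROVIDER` branch of `load_cert_pkcs11()`, the lines visible here never read `key_pass`, while the `USE_PKCS11_ENGINE` branch still passes it with `ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0)`. Because `OSSL_STORE_open(cert_src, NULL, NULL, NULL, NULL)` is called without a UI method, `KBUILD_SIGN_PIN` appears to be ignored on provider builds. If so, the PIN would have to come from the pkcs11 URI or the provider configuration, which deserves a comment such as `/* KBUILD_SIGN_PIN is not consumed here; the PIN must be supplied via the pkcs11: URI or provider config */`. Separately, the `if (!info) { drain_openssl_errors(__LINE__, 0); continue; }` path ends only when `OSSL_STORE_eof(store)` becomes true, so a comment, or a bound on consecutive failed loads, would cover a provider that keeps returning errors. Part of the function body is elided by the range-diff, so both points should be confirmed against the full file.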
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | Current branch | Success | Success |