Use keystore ENGINE for private key operations

Message ID	20131106004209.D226513FAD3@ushik.mtv.corp.google.com
State	Superseded
Headers	show Return-Path: <hostap-bounces@lists.shmoo.com> From: Kenny Root <kroot@google.com> Date: Tue, 20 Mar 2012 17:00:47 -0700 Subject: [PATCH] Use keystore ENGINE for private key operations To: hostap@lists.shmoo.com Message-Id: <20131106004209.D226513FAD3@ushik.mtv.corp.google.com> Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: hostap-bounces@lists.shmoo.com Errors-To: hostap-bounces@lists.shmoo.com

Message ID

20131106004209.D226513FAD3@ushik.mtv.corp.google.com

State

Superseded

Headers

From: Kenny Root <kroot@google.com>
Date: Tue, 20 Mar 2012 17:00:47 -0700
Subject: [PATCH] Use keystore ENGINE for private key operations
To: hostap@lists.shmoo.com
Message-Id: <20131106004209.D226513FAD3@ushik.mtv.corp.google.com>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: hostap-bounces@lists.shmoo.com
Errors-To: hostap-bounces@lists.shmoo.com

Commit Message

Kenny Root March 21, 2012, midnight UTC

The new keystore ENGINE is usable to perform private key operations when
we can't get the actual private key data. This is the case when hardware
crypto is enabled: the private key never leaves the hardware.

Subsequently, we need to be able to talk to OpenSSL ENGINEs that aren't
PKCS#11 or OpenSC. This just changes a few #define variables to allow us
to talk to our keystore engine without having one of those enabled and
without using a PIN.

Change-Id: Iabab5077c3d167a1e13bc8ef8745dc59ad4d62f7
---
 src/crypto/tls_openssl.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 772f0b2..aaa920b 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -10,9 +10,11 @@ 
 
 #ifndef CONFIG_SMARTCARD
 #ifndef OPENSSL_NO_ENGINE
+#ifndef ANDROID
 #define OPENSSL_NO_ENGINE
 #endif
 #endif
+#endif
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -793,16 +795,21 @@  static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 		wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 		return -1;
 	}
+#ifndef ANDROID
 	if (pin == NULL) {
 		wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
 		return -1;
 	}
+#endif
 	if (key_id == NULL) {
 		wpa_printf(MSG_ERROR, "ENGINE: Key Id not set");
 		return -1;
 	}
 
 	ERR_clear_error();
+#ifdef ANDROID
+	ENGINE_load_dynamic();
+#endif
 	conn->engine = ENGINE_by_id(engine_id);
 	if (!conn->engine) {
 		wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
@@ -817,11 +824,13 @@  static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 	}
 	wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
 
+#ifndef ANDROID
 	if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 		wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
 			   ERR_error_string(ERR_get_error(), NULL));
 		goto err;
 	}
+#endif
 	/* load private key first in-case PIN is required for cert */
 	conn->private_key = ENGINE_load_private_key(conn->engine,
 						    key_id, NULL, NULL);

Use keystore ENGINE for private key operations

Commit Message

Patch