client and server tls UPDATE add pkcs11 engine support

src/session_client_tls.c

@@ -27,6 +27,7 @@
 #include <openssl/err.h>
 #include <openssl/ossl_typ.h>
 #include <openssl/x509.h>
+#include <openssl/engine.h>
 
 #include "config.h"
 #include "log_p.h"
@@ -387,6 +388,9 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
     char *key;
     X509_LOOKUP *lookup;
     X509_VERIFY_PARAM *vpm = NULL;
+    EVP_PKEY *pkey = NULL;
+    ENGINE *pkcs11 = NULL;
+    const char* pin = getenv("DEFAULT_USER_PIN");
 
     if (!opts->tls_ctx || opts->tls_ctx_change) {
         SSL_CTX_free(opts->tls_ctx);
@@ -412,11 +416,54 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
         } else {
             key = opts->key_path;
         }
-        if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
-            ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
-                    ERR_reason_error_string(ERR_get_error()));
-            rc = -1;
-            goto cleanup;
+
+        ENGINE_load_dynamic();
+        pkcs11 = ENGINE_by_id("pkcs11");
+        if (!pkcs11)
+        {
+            if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
+                ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
+                        ERR_reason_error_string(ERR_get_error()));
+                rc = -1;
+                goto cleanup;
+            }
+        } else {
+            if (!pin) {
+                ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed.");
+                rc -1;
+                goto cleanup;
+            }
+
+            if (!ENGINE_init(pkcs11))
+            {
+                ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error()));
+                rc = -1;
+                goto cleanup;
+            }
+
+            if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0))
+            {
+                ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error()));
+                rc = -1;
+                goto cleanup;
+            }
+
+            /* load server key using pkcs11 engine*/
+            pkey = ENGINE_load_private_key(pkcs11, key, NULL, NULL);
+            if (!pkey)
+            {
+                ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
+                rc = -1;
+                goto cleanup;
+            }
+
+            /* set server key */
+            if ((SSL_CTX_use_PrivateKey(opts->tls_ctx, pkey) != 1))
+            {
+                ERR(NULL, "Loading the client private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
+                rc = -1;
+                goto cleanup;
+            }
         }
 
         if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) {
@@ -481,6 +528,12 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
     }
 
 cleanup:
+    if (pkcs11) {
+        ENGINE_free(pkcs11);
+    }
+    if (pkey){
+        EVP_PKEY_free(pkey);
+    }
     X509_VERIFY_PARAM_free(vpm);
     return rc;
 }

src/session_server_tls.c

@@ -30,6 +30,7 @@
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include <openssl/engine.h>
 
 #include "compat.h"
 #include "config.h"
@@ -862,6 +863,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
     NC_PRIVKEY_FORMAT privkey_type;
     X509 *cert = NULL;
     EVP_PKEY *pkey = NULL;
+    ENGINE *pkcs11 = NULL;
+    const char* uri = getenv("TOKEN_KEY_URI");
+    const char* pin = getenv("DEFAULT_USER_PIN");
 
     NC_CHECK_ARG_RET(NULL, tls_ctx, opts, -1);
 
@@ -896,12 +900,52 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
         goto cleanup;
     }
 
-    /* load the private key */
-    pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
-    if (!pkey) {
-        ERR(NULL, "Converting private key data to private key format failed.");
-        ret = -1;
-        goto cleanup;
+    ENGINE_load_dynamic();
+    pkcs11 = ENGINE_by_id("pkcs11");
+    if (!pkcs11)
+    {
+        /* load the private key */
+        pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
+        if (!pkey) {
+            ERR(NULL, "Converting private key data to private key format failed.");
+            ret = -1;
+            goto cleanup;
+        }
+    } else {
+        if (!uri) {
+            ERR(NULL, "TOKEN_KEY_URI is not set. Loading private key using pkcs11 engine failed.");
+            ret = -1;
+            goto cleanup;
+        }
+
+        if (!pin) {
+            ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed.");
+            ret = -1;
+            goto cleanup;
+        }
+
+        if (!ENGINE_init(pkcs11))
+        {
+            ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error()));
+            ret = -1;
+            goto cleanup;
+        }
+
+        if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0))
+        {
+            ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error()));
+            ret = -1;
+            goto cleanup;
+        }
+
+        /* load server key using pkcs11 engine*/
+        pkey = ENGINE_load_private_key(pkcs11, uri, NULL, NULL);
+        if (!pkey)
+        {
+            ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
+            ret = -1;
+            goto cleanup;
+        }
     }
 
     /* set server key */
@@ -917,6 +961,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
 cleanup:
     X509_free(cert);
     EVP_PKEY_free(pkey);
+    if (pkcs11) {
+        ENGINE_free(pkcs11);
+    }
     return ret;
 }