Refactored PKCS#11 loading
authorAdriaan de Jong <dejong@fox-it.com>
Mon, 27 Jun 2011 12:01:22 +0000 (14:01 +0200)
committerDavid Sommerseth <davids@redhat.com>
Wed, 19 Oct 2011 20:45:01 +0000 (22:45 +0200)
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
ssl.c
ssl_backend.h
ssl_openssl.c

diff --git a/ssl.c b/ssl.c
index 559c2529a0da50620577af4f8a182535eb11dd06..4110004a871e2d3b316cb44184398b6434485493 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1993,32 +1993,22 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
          options->pkcs12_file_inline, !options->ca_file))
         goto err;
     }
-  else
-    {
-      /* Use seperate PEM files for key, cert and CA certs */
-
 #ifdef ENABLE_PKCS11
-      if (options->pkcs11_providers[0])
-        {
-         /* Load Certificate and Private Key */
-        if (!SSL_CTX_use_pkcs11 (ctx, options->pkcs11_id_management, options->pkcs11_id))
-          {
-            msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", options->pkcs11_id);
-            goto err;
-          }
-        }
-      else
+  else if (options->pkcs11_providers[0])
+    {
+      if (0 != tls_ctx_load_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
+         goto err;
+    }
 #endif
-
 #ifdef WIN32
-      if (options->cryptoapi_cert)
-       {
+  else if (options->cryptoapi_cert)
+    {
          /* Load Certificate and Private Key */
          if (!SSL_CTX_use_CryptoAPI_certificate (ctx, options->cryptoapi_cert))
            msg (M_SSLERR, "Cannot load certificate \"%s\" from Microsoft Certificate Store",
                 options->cryptoapi_cert);
-       }
-      else
+    }
+  else
 #endif
        {
          X509 *my_cert = NULL;
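Review bot: The PEM-loading block that opens at the `{` just before `X509 *my_cert = NULL;` is now only attached to an `else` that sits inside `#ifdef WIN32`; on a non-Windows build that `else` is preprocessed away and the block becomes an unconditional statement that runs after the PKCS#12 branch (and, with ENABLE_PKCS11, after the `tls_ctx_load_pkcs11` branch) as well. The removed code did not have this problem because the chain was nested inside the outer `else { … }` that this hunk deletes. Move the `else` out of the conditional section so it survives every configuration: `#endif`, then `  else`, then the `    {` that starts the PEM block. init_ssl continues outside the hunk, and the second hunk of this file removes the matching closing brace of the old outer `else`.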
@@ -2088,7 +2078,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
                msg (M_SSLERR, "Private key does not match the certificate");
            }
        }
-    }
 
   if (options->ca_file || options->ca_path)
     {
index 1bce80dc17c043464ce4a8483588c84622837645..027026bf8ca9ff620c7e2438a9340e6603d70822 100644 (file)
@@ -150,6 +150,17 @@ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
     bool load_ca_file
     );
 
+/*
+ * Load PKCS #11 information for key and cert, and add to library-specific TLS
+ * context.
+ *
+ * TODO: document
+ */
+#ifdef ENABLE_PKCS11
+int tls_ctx_load_pkcs11(struct tls_root_ctx *ctx,
+    bool pkcs11_id_management, const char *pkcs11_id);
+#endif /* ENABLE_PKCS11 */
+
 /**
  * Show the TLS ciphers that are available for us to use in the OpenSSL
  * library.
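Review bot: The new prototype's comment still reads `TODO: document` and is a plain `/* */` block, while the neighbouring declaration of `show_available_tls_ciphers` uses Doxygen `/** */`; since ssl_backend.h is the contract the backends implement, the behaviour should be fixed here rather than in one backend. Replace the placeholder with a `/** … */` comment that says the function loads the certificate and private key selected by `pkcs11_id` (or, when `pkcs11_id_management` is set, by an id obtained elsewhere — confirm against the implementation) into `ctx`, and carries `@param ctx`, `@param pkcs11_id_management`, `@param pkcs11_id` and `@return 0 on success, 1 on failure`, the values the ssl_openssl.c definition in this commit returns. Also note that the error is only logged with M_WARN and the caller is expected to abort, which is what the ssl.c caller's `goto err` does.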
index 1ba73ef43b8e09872ffd885de34bfc2b8a6c3d4f..8f5fa98eb39d3af1da23c089d36eb234bb916e1b 100644 (file)
@@ -313,6 +313,23 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
   return 0;
 }
 
+#ifdef ENABLE_PKCS11
+int
+tls_ctx_load_pkcs11(struct tls_root_ctx *ctx, bool pkcs11_id_management,
+    const char *pkcs11_id)
+{
+  ASSERT(NULL != ctx);
+
+  /* Load Certificate and Private Key */
+  if (!SSL_CTX_use_pkcs11 (ctx->ctx, pkcs11_id_management, pkcs11_id))
+    {
+      msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", pkcs11_id);
+      return 1;
+    }
+  return 0;
+}
+#endif /* ENABLE_PKCS11 */
+
 void
 show_available_tls_ciphers ()
 {
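Review bot: `tls_ctx_load_pkcs11` has no comment stating its return convention, yet the ssl.c caller in this commit depends on non-zero meaning failure; add at least `/* Returns 0 on success, 1 on failure; the failure is logged with M_WARN and left to the caller to act on. */` above the definition, matching `tls_ctx_load_pkcs12` whose `return 0;` closes the preceding function. A second point on the `msg (M_WARN, ...)` line: `pkcs11_id` is formatted with `%s` while only `ctx` is asserted; if `pkcs11_id` can be NULL when `pkcs11_id_management` is true (not visible from this page), that passes a null pointer to `%s`, which is undefined behaviour even where the libc prints "(null)". A guarded form is `msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", pkcs11_id ? pkcs11_id : "(none)");`.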