OpenSC · patzol768 · Jan 2, 2023 · Jan 2, 2023 · Jan 3, 2023 · Jan 3, 2023
diff --git a/.clang-format b/.clang-format
@@ -0,0 +1,35 @@
+---
+BasedOnStyle: WebKit
+AccessModifierOffset: '0'
+AlignAfterOpenBracket: Align
+AlignEscapedNewlines: Left
+AlignOperands: 'true'
+AlignTrailingComments: 'true'
+AlwaysBreakBeforeMultilineStrings: 'false'
+BreakBeforeBraces: Allman
+BreakBeforeTernaryOperators: 'true'
+ColumnLimit: '0'
+ConstructorInitializerIndentWidth: '0'
+ContinuationIndentWidth: '0'
+Cpp11BracedListStyle: 'true'
+FixNamespaceComments: 'true'
+IndentCaseLabels: 'true'
+IndentWidth: '4'
+Language: Cpp
+MaxEmptyLinesToKeep: '2'
+NamespaceIndentation: None
+PenaltyBreakBeforeFirstCallParameter: '100'
+PenaltyBreakComment: '100'
+PenaltyBreakFirstLessLess: '0'
+PenaltyBreakString: '100'
+PenaltyExcessCharacter: '1'
+PenaltyReturnTypeOnItsOwnLine: '20'
+ReflowComments: 'true'
+SeparateDefinitionBlocks: Always
+SpaceBeforeParens: ControlStatements
+SpacesBeforeTrailingComments: '1'
+Standard: Cpp11
+TabWidth: '4'
+UseTab: Never
+
+...
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,7 +15,9 @@ jobs:
       matrix:
         include:
           - os: 'ubuntu-22.04'
+            openssl: 'openssl@3'
           - os: 'ubuntu-20.04'
+            openssl: '[email protected]'
           - os: 'macOS-latest'
             openssl: 'openssl@3'
           - os: 'macOS-latest'
@@ -31,12 +33,12 @@ jobs:
 
     - name: Install apt dependencies (Linux)
       if: runner.os == 'Linux'
-      run: sudo apt-get install -y libssl-dev opensc softhsm
+      run: sudo apt-get install -y libssl-dev opensc softhsm libtool
 
     - name: Install brew dependencies (macOS)
       if: runner.os == 'macOS'
       run: |
-        brew install automake ${{matrix.openssl}} softhsm
+        brew install automake ${{matrix.openssl}} softhsm libtool
         brew install --cask opensc
         echo "/usr/local/opt/${{matrix.openssl}}/bin" >> $GITHUB_PATH
 

diff --git a/.gitignore b/.gitignore
@@ -46,11 +46,20 @@ stamp-h*
 *.pc
 *~
 *.gz
+*.tgz
 *.bz2
 *.out
 *.exp
 *.obj
 *.map
+*.csr
+*.so
+*.signature
+*.pem
+*.cer
+*.key
+*.encrypt
+*.decrypt
 
 m4/ltoptions.m4
 m4/ltsugar.m4
@@ -61,6 +70,8 @@ examples/auth
 examples/decrypt
 examples/getrandom
 examples/listkeys
+examples/listkeys_ext
+examples/mech
 
 test-driver
 tests/openssl_version
@@ -70,8 +81,16 @@ tests/evp-sign
 tests/fork-change-slot
 tests/rsa-oaep
 tests/rsa-pss-sign
+tests/check-privkey
+tests/dup-key
+tests/store-cert
 tests/*.log
 tests/*.trs
 tests/output.*
 
 doc/doxygen.conf
+/.project
+
+.vscode/*
+
+cov-int/*
diff --git a/README.md b/README.md
@@ -3,6 +3,10 @@
 [![Tests](https://github.com/OpenSC/libp11/actions/workflows/ci.yml/badge.svg)](https://github.com/OpenSC/libp11/actions/workflows/ci.yml)
 [![Coverity Scan Status](https://scan.coverity.com/projects/15472/badge.svg)](https://scan.coverity.com/projects/opensc-libp11)
 
+Fork state:
+[![Tests](https://github.com/patzol768/libp11/actions/workflows/ci.yml/badge.svg)](https://github.com/patzol768/libp11/actions/workflows/ci.yml)
+[![Coverity Scan Status](https://scan.coverity.com/projects/30601/badge.svg)](https://scan.coverity.com/projects/patzol768-libp11)
+
 
 # Overview
 
@@ -52,8 +56,11 @@ The p11-kit proxy module provides access to any configured PKCS #11 module
 in the system. See [the p11-kit web pages](http://p11-glue.freedesktop.org/p11-kit.html)
 for more information.
 
+## OpenSSL providers
+
+OpenSSL3 replaces engines with [providers](https://www.openssl.org/docs/manmaster/man7/provider.html).
 
-# PKCS #11 module configuration
+# PKCS #11 module configuration - OpenSSL engine
 
 ## Copying the engine shared object to the proper location
 
@@ -109,7 +116,6 @@ OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
          -pre MODULE_PATH:opensc-pkcs11.so
 ```
 
-
 ## Testing the engine operation
 
 To verify that the engine is properly operating you can use the following example.
@@ -177,6 +183,84 @@ ENGINE_ctrl_cmd(engine, "MODULE_PATH",
 In systems with p11-kit, if this engine control is not called engine_pkcs11
 defaults to loading the p11-kit proxy module.
 
+# PKCS #11 module configuration - OpenSSL3 provider
+
+## Using the provider from the command line
+
+You need to configure OpenSSL to know about the provider.
+
+```
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = providers_sect
+
+[providers_sect]
+pkcs11 = pkcs11_sect
+#default = default_sect
+#legacy = legacy_sect
+
+[pkcs11_sect]
+# Check prov_front.c for supported parameters
+#
+# Some parameters could be overridden with environment variable value. See prov_front.c
+# Like: PKCS11MODULE, PKCS11VERBOSE, PKCS11FORCELOGIN, ...
+#
+# alternative name (if we were compiling the provider as pkcs11.so, we won't need this)
+identity = pkcs11prov
+# name of the libp11 pkcs11 provider
+module = pkcs11prov.so
+# like MODULE_PATH in case of the libp11 pkcs11 engine
+pkcs11module = libopencryptoki.so
+# libp11 log level (0 - off, >0 - on)
+verbose = 0
+# force login to the PKCS#11 module
+force_login = 1
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
+```
+
+Some openssl command line examples to use the libp11 pkcs11 provider are listed below. Please check [prov-openssl.sh](tests/prov-openssl.sh) for further samples.
+
+```
+# check if provider loaded correctly
+openssl list -provider pkcs11prov -providers
+
+# make a hash
+openssl dgst -provider pkcs11prov -sha256 data.txt
+
+# create csr
+openssl req -provider pkcs11prov -provider default -new -subj "/C=HU/O=ACME/CN=test_cert" -sha256 -key "pkcs11://pkcs11:token=utl;id=%01" -out ./pkcs11_test.csr
+
+# sign
+openssl pkeyutl -provider pkcs11prov -sign -inkey "pkcs11://pkcs11:token=utl;id=%01" -in ./data.txt >./data.txt.rsa.signature
+
+# verify
+openssl pkeyutl -provider pkcs11prov -verify -inkey "pkcs11://pkcs11:token=utl;id=%01" -in ./data.txt -sigfile ./data.txt.rsa.signature
+```
+
+In case the uri after the "-key" does not begin with "<scheme>://", than OpenSSL would look
+for a file, hence one has to begin the key uri with "pkcs11://". As RFC7512 defines the
+pkcs11 uri scheme without the "//", it looked more straightforward to just simply add the
+real pkcs11 uri after the openssl related prefix. See the format above in the examples.
+
+## PKCS11 URI
+
+Supported URI params (same as for engine):
+* model
+* manufacturer
+* token
+* serial
+* object
+* id
+* pin-value
+* pin-source
+* type or object-type
+
 
 # Developer information
 

diff --git a/configure.ac b/configure.ac
@@ -29,6 +29,9 @@ AC_PROG_CC
 PKG_PROG_PKG_CONFIG
 AC_C_BIGENDIAN
 
+OSSL_PKG_VERSION=`$PKG_CONFIG --modversion --silence-errors libcrypto || \
+	$PKG_CONFIG --modversion openssl`
+
 # we need to set our soversion based on openssl's soversion to avoid
 # issues with applications linking to new openssl, old libp11, and vice versa
 opensslversion="$( \
@@ -38,18 +41,39 @@ opensslversion="$( \
 case "$opensslversion" in
 	3.*) # Engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
+		LIBP11_OSSL_PROVIDER="yes"
 	    debian_ssl_prefix="engines-3";;
 	1.1.*) # Engines directory prefix for OpenSSL 1.1.x
 	    LIBP11_LT_OLDEST="3"
 	    debian_ssl_prefix="engines-1.1";;
 	1.0.*) # Engines directory prefix for OpenSSL 1.0.x
+		OSSL_VERSION="1.0.x"
 	    LIBP11_LT_OLDEST="2"
 	    debian_ssl_prefix="openssl-$opensslversion/engines";;
 	*) # Engines directory prefix for OpenSSL 0.9.x
+		OSSL_VERSION="0.9.x"
 	    LIBP11_LT_OLDEST="2"
 	    debian_ssl_prefix="ssl/engines";;
 esac
 
+# provider needs openssl >= 3.0.5
+case "$OSSL_PKG_VERSION" in
+	3.0.*) 
+		OSSL_SUB_VER=`echo $OSSL_PKG_VERSION | cut -d \. -f 3`
+		if test $OSSL_SUB_VER -gt 4 ;
+		then
+			LIBP11_OSSL_PROVIDER="yes"
+		else
+			AC_MSG_NOTICE([provider needs openssl >= 3.0.5])
+			LIBP11_OSSL_PROVIDER="no"
+		fi
+		;;
+	3.*) 
+		AC_MSG_NOTICE([3.*])
+		LIBP11_OSSL_PROVIDER="yes";;
+esac
+
+AM_CONDITIONAL([LIBP11_OSSL_PROVIDER], [test x$LIBP11_OSSL_PROVIDER = xyes])
 
 # LT Version numbers, remember to change them just *before* a release.
 #   (Code changed:                      REVISION++)
@@ -149,6 +173,28 @@ AC_ARG_WITH(
 	]
 )
 
+AC_ARG_WITH(
+	[providersdir],
+	[AS_HELP_STRING([--with-providersdir], [OpenSSL3 providers directory])],
+	[providersexecdir="${withval}"],
+	[
+		providersexecdir="`$PKG_CONFIG --variable=providersdir --silence-errors libcrypto`"
+		if test "${providersexecdir}" = ""; then
+		    libcryptodir="`$PKG_CONFIG --variable=libdir --silence-errors libcrypto || \
+			$PKG_CONFIG --variable=libdir openssl`"
+		    if test -d "$libcryptodir/$debian_ssl_prefix/ossl-modules"; then
+			# Debian-based OpenSSL package (for example Ubuntu)
+			providersexecdir="$libcryptodir/$debian_ssl_prefix/ossl-modules"
+		    else # Default OpenSSL providers directory
+			providersexecdir="$libcryptodir/ossl-modules"
+		    fi
+		    if test "${prefix}" != "NONE" -o "${exec_prefix}" != "NONE"; then
+			# Override the autodetected value with the default
+			providersexecdir="\$(libdir)"
+		    fi
+		fi
+	]
+)
 AC_ARG_WITH(
 	[pkcs11-module],
 	[AS_HELP_STRING([--with-pkcs11-module], [default PKCS11 module])],
@@ -224,6 +270,7 @@ pkgconfigdir="\$(libdir)/pkgconfig"
 AC_SUBST([pkgconfigdir])
 AC_SUBST([apidocdir])
 AC_SUBST([enginesexecdir])
+AC_SUBST([providersexecdir])
 AC_SUBST([LIBP11_VERSION_MAJOR])
 AC_SUBST([LIBP11_VERSION_MINOR])
 AC_SUBST([LIBP11_VERSION_FIX])
@@ -265,6 +312,7 @@ AC_CONFIG_FILES([
 	src/libp11.pc
 	src/libp11.rc
 	src/pkcs11.rc
+	src/pkcs11prov.rc
 	doc/Makefile
 	doc/doxygen.conf
 	examples/Makefile
@@ -292,6 +340,7 @@ libp11 has been configured with the following options:
 Version:                 ${PACKAGE_VERSION}
 libp11 directory:        $(eval eval eval echo "${libdir}")
 Engine directory:        ${enginesexecdir}
+Provider directory:      ${providersexecdir}
 Default PKCS11 module:   ${pkcs11_module}
 API doc support:         ${enable_api_doc}
 

diff --git a/examples/Makefile.am b/examples/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = -I$(srcdir) -I$(top_srcdir)/src \
 
 EXTRA_DIST = README
 
-noinst_PROGRAMS = auth decrypt getrandom listkeys listkeys_ext
+noinst_PROGRAMS = auth decrypt getrandom listkeys listkeys_ext mech
 
 LDADD = ../src/libp11.la $(OPENSSL_LIBS)