Android: Use keystore ENGINE for private key operations
The new keystore ENGINE is usable to perform private key operations when we can't get the actual private key data. This is the case when hardware crypto is enabled: the private key never leaves the hardware. Consequently, we need to be able to talk to OpenSSL ENGINEs that aren't PKCS#11 or OpenSC. This just changes a few #define guards to allow us to talk to our keystore engine without having one of those enabled and without using a PIN. Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This commit is contained in:
parent
6dc94a635c
commit
1176ab6dd4
1 changed files with 9 additions and 0 deletions
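--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -10,9 +10,11 @@
 
 #ifndef CONFIG_SMARTCARD
 #ifndef OPENSSL_NO_ENGINE
+#ifndef ANDROID
 #define OPENSSL_NO_ENGINE
 #endif
+#endif
 #endif
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -858,16 +860,21 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 wpa_printf(MSG_ERROR, "ENGINE: Engine ID not set");
 return -1;
 }
+#ifndef ANDROID
 if (pin == NULL) {
 wpa_printf(MSG_ERROR, "ENGINE: Smartcard PIN not set");
 return -1;
 }
+#endif
 if (key_id == NULL) {
 wpa_printf(MSG_ERROR, "ENGINE: Key Id not set");
 return -1;
 }
 
 ERR_clear_error();
+#ifdef ANDROID
+ENGINE_load_dynamic();
+#endif
 conn->engine = ENGINE_by_id(engine_id);
 if (!conn->engine) {
 wpa_printf(MSG_ERROR, "ENGINE: engine %s not available [%s]",
@@ -882,11 +889,13 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
 }
 wpa_printf(MSG_DEBUG, "ENGINE: engine initialized");
 
+#ifndef ANDROID
 if (ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {
 wpa_printf(MSG_ERROR, "ENGINE: cannot set pin [%s]",
 ERR_error_string(ERR_get_error(), NULL));
 goto err;
 }
+#endif
 /* load private key first in-case PIN is required for cert */
 conn->private_key = ENGINE_load_private_key(conn->engine,
 key_id, NULL, NULL);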
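Review bot: The `#ifndef ANDROID` around the `ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0)` call in the third hunk keys the behaviour on the build platform rather than on the engine, so on an Android build a caller that does supply a PIN for a PKCS#11-style engine has it silently dropped and the failure, if any, surfaces later from ENGINE_load_private_key() with a less specific error. A runtime test covers the keystore case (no PIN) and the token case (PIN given) without the platform ifdef: `if (pin != NULL && ENGINE_ctrl_cmd_string(conn->engine, "PIN", pin, 0) == 0) {`, leaving the second hunk's early return as the commit has it. The `ENGINE_load_dynamic();` added in the second hunk also deserves a why-comment, e.g. `/* register the "dynamic" engine so ENGINE_by_id() can resolve the keystore engine's shared object */`, because engine_id comes from configuration and what an unknown id now resolves to depends on the shared objects in OpenSSL's engine directory — inferred from OpenSSL's ENGINE_by_id() fallback, worth confirming for the bundled version. tls_engine_init() begins before the second hunk and continues past the third.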