From: Anton Gerasimov
Date: Mon, 18 Sep 2017 14:29:27 +0000 (+0200)
Subject: Add support for pkcs11 URIs in TLS client key/certificate
X-Git-Tag: archive/raspbian/2022.1-3+rpi1~1^2~4^2~31^2~59
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=db10bf464fcf28e3c21724353ffd6168c9f77aae;p=ostree.git
Add support for pkcs11 URIs in TLS client key/certificate
Closes: #1183
Approved by: cgwalters
---
diff --git a/src/libostree/ostree-fetcher-curl.c b/src/libostree/ostree-fetcher-curl.c
index e3fd1a12..c22141ec 100644
--- a/src/libostree/ostree-fetcher-curl.c
+++ b/src/libostree/ostree-fetcher-curl.c
@@ -747,6 +747,24 @@ initiate_next_curl_request (FetcherRequest *req,
 if (self->tls_client_cert_path)
 {
+ /* Support for pkcs11:
+ * https://github.com/ostreedev/ostree/pull/1183
+ * This will be used by https://github.com/advancedtelematic/aktualizr
+ * at least to fetch certificates. No test coverage at the moment
+ * though. See https://gitlab.com/gnutls/gnutls/tree/master/tests/pkcs11
+ * and https://github.com/opendnssec/SoftHSMv2 and
+ * https://github.com/p11-glue/p11-kit/tree/master/p11-kit for
+ * possible ideas there.
+ */
+ if (g_str_has_prefix (self->tls_client_key_path, "pkcs11:"))
+ {
+ curl_easy_setopt (req->easy, CURLOPT_SSLENGINE, "pkcs11");
+ curl_easy_setopt (req->easy, CURLOPT_SSLENGINE_DEFAULT, 1L);
+ curl_easy_setopt (req->easy, CURLOPT_SSLKEYTYPE, "ENG");
+ }
+ if (g_str_has_prefix (self->tls_client_cert_path, "pkcs11:"))
+ curl_easy_setopt (req->easy, CURLOPT_SSLCERTTYPE, "ENG");
+ curl_easy_setopt (req->easy, CURLOPT_SSLCERT, self->tls_client_cert_path);
 curl_easy_setopt (req->easy, CURLOPT_SSLKEY, self->tls_client_key_path);
 }
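Review bot: The result of `curl_easy_setopt (req->easy, CURLOPT_SSLENGINE, "pkcs11")` is discarded, so a libcurl built without engine support, or a host where the pkcs11 engine cannot be loaded, is only noticed later as a generic TLS failure; capture it with `CURLcode rc = curl_easy_setopt (req->easy, CURLOPT_SSLENGINE, "pkcs11");` and fail the request with a clear error when `rc != CURLE_OK`. The engine is also selected only in the key-path branch, while the cert-path branch sets `CURLOPT_SSLCERTTYPE` to `"ENG"` on its own, so a pkcs11 certificate combined with a file-based key would request an engine certificate with no engine chosen; selecting the engine when either path carries the `pkcs11:` prefix would cover that case. `CURLOPT_SSLENGINE_DEFAULT` is documented by libcurl as making the selected engine the default for asymmetric crypto operations, which may reach beyond this one handle, and since this is library code that side effect deserves a sentence in the new comment. The enclosing function starts and ends outside the hunk, so whether `tls_client_key_path` can be NULL when the cert path is set cannot be confirmed from here.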