|
19 | 19 | #include <cstdio> |
20 | 20 | #include <openssl/bio.h> |
21 | 21 | #include <openssl/crypto.h> |
| 22 | +#include <openssl/engine.h> |
22 | 23 | #include <openssl/err.h> |
23 | 24 | #include <openssl/ssl.h> |
24 | 25 | #include <openssl/opensslv.h> |
@@ -510,7 +511,7 @@ bool VerPaths(const char *cert, const char *pkey, |
510 | 511 | // If a private key is present than make sure it's a file and only the |
511 | 512 | // owner has access to it. |
512 | 513 | // |
513 | | - if (pkey && (emsg = XrdOucUtils::ValPath(pkey, pkey_mode, false))) |
| 514 | + if (pkey && pkey[0] == '/' && (emsg = XrdOucUtils::ValPath(pkey, pkey_mode, false))) |
514 | 515 | {eMsg = "Unable to use key file "; |
515 | 516 | eMsg += pkey; eMsg += "; "; eMsg += emsg; |
516 | 517 | return false; |
@@ -766,7 +767,27 @@ XrdTlsContext::XrdTlsContext(const char *cert, const char *key, |
766 | 767 |
|
767 | 768 | // Load the private key |
768 | 769 | // |
769 | | - if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 ) |
| 770 | + if (key[0] == 'p') { |
| 771 | + |
| 772 | + ENGINE *e = ENGINE_by_id("pkcs11"); |
| 773 | + if (e) { |
| 774 | + if(!ENGINE_init(e)) { |
| 775 | + ENGINE_free(e); |
| 776 | + FATAL_SSL("Unable to initialize pkcs11 engine"); |
| 777 | + } |
| 778 | + } else { |
| 779 | + FATAL_SSL("Unable to create pkcs11 engine"); |
| 780 | + } |
| 781 | + auto priv_key = ENGINE_load_private_key(e, key, nullptr, nullptr); |
| 782 | + |
| 783 | + if (!priv_key) { |
| 784 | + FATAL_SSL("Failed to load private key through engine"); |
| 785 | + } |
| 786 | + if (SSL_CTX_use_PrivateKey(pImpl->ctx, priv_key) != 1) |
| 787 | + FATAL_SSL("Failed to have SSL context use private key"); |
| 788 | + EVP_PKEY_free(priv_key); |
| 789 | + |
| 790 | + } else if (SSL_CTX_use_PrivateKey_file(pImpl->ctx, key, SSL_FILETYPE_PEM) != 1 ) |
770 | 791 | FATAL_SSL("Unable to create TLS context; invalid private key."); |
771 | 792 |
|
772 | 793 | // Make sure the key and certificate file match. |
|
0 commit comments