OpenSSL: Do not require private key to come from PKCS#11

There's no reason I shouldn't be able to use PKCS#11 for just the CA cert,
or even the client cert, while the private key is still from a file.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse 2014-12-18 15:09:23 +00:00 committed by Jouni Malinen
parent 5c8ab0d49c
commit 3d268b8d19


@ -903,10 +903,6 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
return -1; return -1;
} }
#endif #endif
if (key_id == NULL) {
wpa_printf(MSG_ERROR, "ENGINE: Key Id not set");
return -1;
}
ERR_clear_error(); ERR_clear_error();
#ifdef ANDROID #ifdef ANDROID
@ -933,15 +929,18 @@ static int tls_engine_init(struct tls_connection *conn, const char *engine_id,
goto err; goto err;
} }
#endif #endif
/* load private key first in-case PIN is required for cert */ if (key_id) {
conn->private_key = ENGINE_load_private_key(conn->engine, /* load private key first in-case PIN is required for cert */
key_id, NULL, NULL); conn->private_key = ENGINE_load_private_key(conn->engine,
if (!conn->private_key) { key_id, NULL, NULL);
wpa_printf(MSG_ERROR, "ENGINE: cannot load private key with id" if (!conn->private_key) {
" '%s' [%s]", key_id, wpa_printf(MSG_ERROR,
ERR_error_string(ERR_get_error(), NULL)); "ENGINE: cannot load private key with id '%s' [%s]",
ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED; key_id,
goto err; ERR_error_string(ERR_get_error(), NULL));
ret = TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED;
goto err;
}
} }
/* handle a certificate and/or CA certificate */ /* handle a certificate and/or CA certificate */
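Review bot: With the `if (key_id == NULL)` guard dropped in the first hunk, tls_engine_init now returns success with conn->private_key still NULL whenever key_id is NULL, and nothing in this section shows where the file-based private key is then loaded or where a configuration with no key at all is rejected. The existing comment only explains the load order, so the skipped case should be documented at the new `if (key_id) {`, e.g. `/* key_id may be NULL: the private key then comes from a file and conn->private_key stays NULL here; the PIN priming the comment below relies on is skipped too */`. It would also be worth confirming in the caller that a missing engine key is still reported when no file key is configured, since the engine path no longer fails closed on its own. tls_engine_init begins before the first hunk and continues past the second.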