On 03/02/17 10:07, David Woodhouse wrote: > On Fri, 2017-02-03 at 02:31 +0100, Antony Vennard wrote: >> sign-file documentation on kernel.org advertises the fact that >> sign-file can use OpenSSL loadable engine support using pkcs#11 uri >> syntax (rfc 7512) for loading private keys from hardware tokens, if >> openssl loadable engine support is present. >> >> Unfortunately, if openssl configuration files are not loaded there is >> no way (to my knowledge) for openssl to load third party pkcs#11 >> libraries as specified by openssl configuration. > > ENGINE_pkcs11 should be configured to load p11-kit-proxy.so as its > default provider module. > > Any third party PKCS#11 module you want to use should be configured in > p11-kit properly, and it'll then be available to well-behaved > applications. Including sign-file. > > You should need any of the special OpenSSL config horridness.
Ah, I did not even know that was a thing. I do now. That looks like a much neater solution. Forget this patch then :)
