[PATCH 2/2] channel_curl: support OpenSSL provider for PKCS#11 URIs on curl >= 8.12.0


Ayoub Zaki

Jun 11, 2026, 5:40:37 AM
to swup...@googlegroups.com, Ayoub Zaki
Signed-off-by: Ayoub Zaki <ayoub...@embetrix.com>
---
corelib/channel_curl.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c
index 39e730c7..759ea695 100644
--- a/corelib/channel_curl.c
+++ b/corelib/channel_curl.c
@@ -642,13 +642,22 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da
goto cleanup;
}

- /* Check if sslkey or sslcert strings contains a pkcs11 URI
- * and set curl engine and types accordingly
+ /* Check if sslkey or sslcert strings contain a pkcs11 URI and set
+ * curl engine/provider and types accordingly
+ * curl >= 8.12.0 supports loading PKCS#11 keys/certs through
+ * OpenSSL provider API ("PROV") which is the replacement for
+ * deprecated ENGINE interface ("ENG") on OpenSSL 3.0+
*/
bool keyUri = channel_data->sslkey ? strncasecmp(channel_data->sslkey, "pkcs11:", 7) == 0 : false;
bool certUri = channel_data->sslcert ? strncasecmp(channel_data->sslcert, "pkcs11:", 7) == 0 : false;

if (keyUri || certUri) {
+#if LIBCURL_VERSION_NUM >= 0x080c00 /* 8.12.0 */
+ const char *pkcs11_type = "PROV";
+#else
+ const char *pkcs11_type = "ENG";
+#endif
+
if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLENGINE, "pkcs11") != CURLE_OK) {
ERROR("Error %d setting CURLOPT_SSLENGINE", result);
result = CHANNEL_EINIT;
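Review bot: the `#if LIBCURL_VERSION_NUM >= 0x080c00` selects "PROV" on the libcurl version alone, but the comment right above it says PROV is the OpenSSL 3 provider API, and a libcurl version number says nothing about which TLS backend libcurl was built against; a curl >= 8.12.0 linked against a non-OpenSSL backend, or against an OpenSSL without providers, will accept the setopt here and only fail later when the key or certificate is actually loaded. Consider checking the backend at runtime (curl_version_info(CURLVERSION_NOW)->ssl_version) before choosing "PROV", or at least stating the build requirement in the comment. Also note that in this version of the hunk `curl_easy_setopt(channel_curl->handle, CURLOPT_SSLENGINE, "pkcs11")` is still issued unconditionally, so the PROV branch still asks for an engine named "pkcs11" while the comment says the engine interface is what PROV replaces; either make that call conditional or explain why it is still needed on the provider path.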
@@ -656,16 +665,16 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da
}

if (keyUri) {
- if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEYTYPE, "ENG") != CURLE_OK) {
- ERROR("Error %d setting CURLOPT_SSLKEYTYPE", result);
+ if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEYTYPE, pkcs11_type) != CURLE_OK) {
+ ERROR("Error %d setting CURLOPT_SSLKEYTYPE to %s", result, pkcs11_type);
result = CHANNEL_EINIT;
goto cleanup;
}
}

if (certUri) {
- if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLCERTTYPE, "ENG") != CURLE_OK) {
- ERROR("Error %d setting CURLOPT_SSLCERTTYPE", result);
+ if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLCERTTYPE, pkcs11_type) != CURLE_OK) {
+ ERROR("Error %d setting CURLOPT_SSLCERTTYPE to %s", result, pkcs11_type);
result = CHANNEL_EINIT;
goto cleanup;
}
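Review bot: the reworded ERROR messages in the keyUri and certUri branches still print `result`, which is never assigned from curl_easy_setopt(), so the `%d` shows the stale channel_op_res_t value from earlier in the function rather than the CURLcode that actually failed (the CURLOPT_SSLENGINE message in the previous hunk has the same pre-existing problem). Since these lines are being touched anyway, capture the return code and log that instead, e.g. `CURLcode rc = curl_easy_setopt(channel_curl->handle, CURLOPT_SSLKEYTYPE, pkcs11_type);` followed by `ERROR("Error %d setting CURLOPT_SSLKEYTYPE to %s", rc, pkcs11_type);`, and the same for CURLOPT_SSLCERTTYPE.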
--
2.43.0

Ayoub Zaki

Jun 11, 2026, 6:12:22 AM
to swup...@googlegroups.com, Ayoub Zaki
Signed-off-by: Ayoub Zaki <ayoub...@embetrix.com>
---
corelib/channel_curl.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/corelib/channel_curl.c b/corelib/channel_curl.c
index 39e730c7..0296e7d5 100644
--- a/corelib/channel_curl.c
+++ b/corelib/channel_curl.c
@@ -642,30 +642,38 @@ channel_op_res_t channel_set_options(channel_t *this, channel_data_t *channel_da
goto cleanup;
}

- /* Check if sslkey or sslcert strings contains a pkcs11 URI
- * and set curl engine and types accordingly
+ /* Check if sslkey or sslcert strings contain a pkcs11 URI and set
+ * curl engine/provider and types accordingly
+ * curl >= 8.12.0 supports loading PKCS#11 keys/certs through
+ * OpenSSL provider API ("PROV") which is the replacement for
+ * deprecated ENGINE interface ("ENG") on OpenSSL 3.0+
*/
bool keyUri = channel_data->sslkey ? strncasecmp(channel_data->sslkey, "pkcs11:", 7) == 0 : false;
bool certUri = channel_data->sslcert ? strncasecmp(channel_data->sslcert, "pkcs11:", 7) == 0 : false;

if (keyUri || certUri) {
+#if LIBCURL_VERSION_NUM >= 0x080c00 /* 8.12.0 */
+ const char *pkcs11_type = "PROV";
+#else
+ const char *pkcs11_type = "ENG";
if (curl_easy_setopt(channel_curl->handle, CURLOPT_SSLENGINE, "pkcs11") != CURLE_OK) {
ERROR("Error %d setting CURLOPT_SSLENGINE", result);
result = CHANNEL_EINIT;
goto cleanup;
}
+#endif

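Review bot: with the CURLOPT_SSLENGINE call moved into the `#else` branch, nothing names a provider when pkcs11_type is "PROV", so which provider libcurl loads is left entirely to libcurl's default; the updated comment still says "set curl engine/provider and types accordingly", which the PROV path no longer does. Either name the provider explicitly in the PROV branch as well, or change the comment to say that the default provider is relied on, so the next reader does not go looking for a setting that is not there. Minor: `pkcs11_type` is declared separately in each preprocessor branch and used after the `#endif`; a single `const char *pkcs11_type;` before the `#if` with only the assignment inside each branch reads more clearly and avoids the two declarations drifting apart.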
Stefano Babic

Jun 11, 2026, 8:10:00 AM
to Ayoub Zaki, swup...@googlegroups.com
Hi Ayoub,

sure, switching to providers was on TODO. thanks for this.
Reviewed-by: Stefano Babic <stefan...@swupdate.org>


--
_______________________________________________________________________
Nabla Software Engineering GmbH
Hirschstr. 111A | 86156 Augsburg | Tel: +49 821 45592596
Geschäftsführer : Stefano Babic | HRB 40522 Augsburg
E-Mail: sba...@nabladev.com
