openssl-util: pass the UI callback for interactive PIN prompts

With the tpm2 provider and the tpm2tss engine, the auth process was
observed to fail because the provider/engine could not ask for the
PIN through the callback, resulting in:
  "Failed to load private key from ...: Input/output error"
Apparently the default UI method is not enough and the key setup
functions expect an explicit method.
Pass the existing UI method through as callback for the key setup.
Kai Lüke
2026-02-19 16:01:06 +09:00
committed by Daan De Meyer
parent 8df975bb67
commit bad16f324a


@@ -1208,6 +1208,7 @@ int pkey_generate_volume_keys(
static int load_key_from_provider(
const char *provider,
const char *private_key_uri,
UI_METHOD *ui_method,
EVP_PKEY **ret) {
assert(provider);
@@ -1223,8 +1224,8 @@ static int load_key_from_provider(
_cleanup_(OSSL_STORE_closep) OSSL_STORE_CTX *store = OSSL_STORE_open(
private_key_uri,
/* ui_method= */ NULL,
/* ui_method= */ NULL,
ui_method,
/* ui_data= */ NULL,
/* post_process= */ NULL,
/* post_process_data= */ NULL);
if (!store)
@@ -1246,7 +1247,7 @@ static int load_key_from_provider(
return 0;
}
static int load_key_from_engine(const char *engine, const char *private_key_uri, EVP_PKEY **ret) {
static int load_key_from_engine(const char *engine, const char *private_key_uri, UI_METHOD *ui_method, EVP_PKEY **ret) {
assert(engine);
assert(private_key_uri);
assert(ret);
@@ -1260,7 +1261,7 @@ static int load_key_from_engine(const char *engine, const char *private_key_uri,
if (ENGINE_init(e) == 0)
return log_openssl_errors("Failed to initialize signing engine '%s'", engine);
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = ENGINE_load_private_key(e, private_key_uri, /* ui_method= */ NULL, /* callback_data= */ NULL);
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = ENGINE_load_private_key(e, private_key_uri, ui_method, /* callback_data= */ NULL);
if (!private_key)
return log_openssl_errors("Failed to load private key from '%s'", private_key_uri);
REENABLE_WARNING;
@@ -1533,13 +1534,18 @@ int openssl_load_private_key(
if (r < 0)
return log_debug_errno(r, "Failed to allocate ask-password user interface: %m");
UI_METHOD *ui_method = NULL;
#ifndef OPENSSL_NO_UI_CONSOLE
ui_method = ui->method;
#endif
switch (private_key_source_type) {
case OPENSSL_KEY_SOURCE_ENGINE:
r = load_key_from_engine(private_key_source, private_key, ret_private_key);
r = load_key_from_engine(private_key_source, private_key, ui_method, ret_private_key);
break;
case OPENSSL_KEY_SOURCE_PROVIDER:
r = load_key_from_provider(private_key_source, private_key, ret_private_key);
r = load_key_from_provider(private_key_source, private_key, ui_method, ret_private_key);
break;
default:
assert_not_reached();
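Review bot: The `#ifndef OPENSSL_NO_UI_CONSOLE` block at the start of the last hunk leaves `ui_method` NULL in console-less builds, so the engine and provider then fall back to OpenSSL's default UI method — the very path the commit description reports as failing with "Input/output error" — and nothing in the code says so. A comment on the `UI_METHOD *ui_method = NULL;` line would keep the next reader from treating NULL as a fully supported value, e.g. `/* Without console UI support OpenSSL falls back to its default UI method; engines/providers that must prompt for a PIN (e.g. tpm2) then fail to load the key. */`. Both call sites still pass `ui_data`/`callback_data` as NULL (second and fourth hunk); if the ask-password UI method reads per-call user data, that argument would need to be passed as well — worth confirming against the UI implementation, which is not visible here. openssl_load_private_key begins outside the hunk.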