From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matthias Maennich <maennich@google.com>
Date: Thu, 26 Nov 2020 10:08:38 +0000
Subject: REVISIT: ANDROID: extract-cert: omit PKCS#11 support if building
against BoringSSL
BoringSSL does not implement the ENGINE API. In Android we do not seem
to rely on the PKCS#11 -> DER extraction. Hence, make this conditional
on the SSL library used.
[CPNOTE: 21/07/21] Lee: Androidness
[CPNOTE: 06/10/21] Lee: If THE sign-file patch makes it into Mainline, this should be reworked/upstreamed
Bug: 135570712
Signed-off-by: Matthias Maennich <maennich@google.com>
Change-Id: I84af6633dd470083497087c7dd1a2734480e2b0e
---
scripts/extract-cert.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/scripts/extract-cert.c b/scripts/extract-cert.c
--- a/scripts/extract-cert.c
+++ b/scripts/extract-cert.c
@@ -49,6 +49,7 @@ static void display_openssl_errors(int l)
}
}
+#ifndef OPENSSL_IS_BORINGSSL
static void drain_openssl_errors(void)
{
const char *file;
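Review bot: The new `#ifndef OPENSSL_IS_BORINGSSL` above drain_openssl_errors() has no comment saying why the function is compiled out. Presumably its only caller is the PKCS#11 branch of main() that the later hunks guard, and leaving it in would trigger an unused-function warning. If that holds, a line such as `/* Only used by the PKCS#11 (ENGINE) path, which is omitted for BoringSSL. */` above the guard would stop a future caller outside that branch from silently breaking BoringSSL builds. The same applies to the bare `#endif` lines in the second and fourth hunks: `#endif /* !OPENSSL_IS_BORINGSSL */` and `#endif /* OPENSSL_IS_BORINGSSL */` would help, especially in main() where the `#endif` sits more than twenty lines from its `#ifdef`. The function body continues past the end of this hunk.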
@@ -58,6 +59,7 @@ static void drain_openssl_errors(void)
return;
while (ERR_get_error_line(&file, &line)) {}
}
+#endif
#define ERR(cond, fmt, ...) \
do { \
@@ -112,6 +114,10 @@ int main(int argc, char **argv)
fclose(f);
exit(0);
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
+#ifdef OPENSSL_IS_BORINGSSL
+ ERR(1, "BoringSSL does not support extracting from PKCS#11");
+ exit(1);
+#else
ENGINE *e;
struct {
const char *cert_id;
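Review bot: The BoringSSL branch fails closed on a `pkcs11:` source, which is right for a build-time signing-certificate tool, but the failure is reported through `ERR(1, ...)` and the message does not say which source was rejected. Only the first two lines of ERR's body are visible here; if it dumps the OpenSSL error queue and ends in `err()`, as its use elsewhere in this file suggests, the output gains an unrelated errno string and the following `exit(1);` is never reached. Assuming `<err.h>` is already included, a single `errx(1, "PKCS#11 source '%s' is not supported when built against BoringSSL", cert_src);` would replace both lines and name the offending URI in the build log. main() starts and ends outside this hunk.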
@@ -134,6 +140,7 @@ int main(int argc, char **argv)
ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
ERR(!parms.cert, "Get X.509 from PKCS#11");
write_cert(parms.cert);
+#endif
} else {
BIO *b;
X509 *x509;