FIX pkcs11 uri with openssl backend

Stormshield-robinc · Stormshield-robinc · commit 51ee74fadb07 · 2025-06-02T10:39:36.000+02:00
diff --git a/http.c b/http.c
@@ -1024,6 +1024,11 @@ static int get_curl_http_version_opt(const char *version_string, long *opt)
 	return -1; /* not found */
 }
 
+static bool is_pkcs11_uri(const char *string)
+{
+	return string && strncasecmp(string, "pkcs11:", 7) == 0;
+}
+
 static CURL *get_curl_handle(void)
 {
 	CURL *result = curl_easy_init();
@@ -1109,16 +1114,26 @@ static CURL *get_curl_handle(void)
 		curl_easy_setopt(result, CURLOPT_SSL_CIPHER_LIST,
 				ssl_cipherlist);
 
-	if (ssl_cert)
-		curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
 	if (ssl_cert_type)
 		curl_easy_setopt(result, CURLOPT_SSLCERTTYPE, ssl_cert_type);
+	if (ssl_cert) {
+		curl_easy_setopt(result, CURLOPT_SSLCERT, ssl_cert);
+		if (is_pkcs11_uri(ssl_cert)) {
+			curl_easy_setopt(result, CURLOPT_SSLCERTTYPE, "ENG");
+			curl_easy_setopt(result, CURLOPT_SSLENGINE, "pkcs11");
+		}
+	}
 	if (has_cert_password())
 		curl_easy_setopt(result, CURLOPT_KEYPASSWD, cert_auth.password);
-	if (ssl_key)
-		curl_easy_setopt(result, CURLOPT_SSLKEY, ssl_key);
 	if (ssl_key_type)
 		curl_easy_setopt(result, CURLOPT_SSLKEYTYPE, ssl_key_type);
+	if (ssl_key) {
+		curl_easy_setopt(result, CURLOPT_SSLKEY, ssl_key);
+		if (is_pkcs11_uri(ssl_key)) {
+			curl_easy_setopt(result, CURLOPT_SSLKEYTYPE, "ENG");
+			curl_easy_setopt(result, CURLOPT_SSLENGINE, "pkcs11");
+		}
+	}
 	if (ssl_capath)
 		curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
 	if (ssl_pinnedkey)
