{"id":2225673,"url":"http://patchwork.ozlabs.org/api/patches/2225673/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/patch/20260421121418.3257226-1-Wojciech.Dubowik@mt.com/","project":{"id":18,"url":"http://patchwork.ozlabs.org/api/projects/18/?format=json","name":"U-Boot","link_name":"uboot","list_id":"u-boot.lists.denx.de","list_email":"u-boot@lists.denx.de","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260421121418.3257226-1-Wojciech.Dubowik@mt.com>","list_archive_url":null,"date":"2026-04-21T12:14:16","name":"[v3] tools: mkeficapsule: Rework pkcs11 support","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"a93e6428349896b2337a95ddce267c7a9c7a3189","submitter":{"id":90988,"url":"http://patchwork.ozlabs.org/api/people/90988/?format=json","name":"Wojciech Dubowik","email":"Wojciech.Dubowik@mt.com"},"delegate":{"id":3651,"url":"http://patchwork.ozlabs.org/api/users/3651/?format=json","username":"trini","first_name":"Tom","last_name":"Rini","email":"trini@ti.com"},"mbox":"http://patchwork.ozlabs.org/project/uboot/patch/20260421121418.3257226-1-Wojciech.Dubowik@mt.com/mbox/","series":[{"id":500788,"url":"http://patchwork.ozlabs.org/api/series/500788/?format=json","web_url":"http://patchwork.ozlabs.org/project/uboot/list/?series=500788","date":"2026-04-21T12:14:16","name":"[v3] tools: mkeficapsule: Rework pkcs11 support","version":3,"mbox":"http://patchwork.ozlabs.org/series/500788/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225673/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225673/checks/","tags":{},"related":[],"headers":{"Return-Path":"<u-boot-bounces@lists.denx.de>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com 
header.i=@mt.com header.a=rsa-sha256\n header.s=selector2 header.b=ZVDYa43V;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de","phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=mt.com header.i=@mt.com header.b=\"ZVDYa43V\";\n\tdkim-atps=neutral","phobos.denx.de;\n dmarc=pass (p=reject dis=none) header.from=mt.com","phobos.denx.de;\n spf=fail smtp.mailfrom=Wojciech.Dubowik@mt.com","dkim=none (message not signed)\n header.d=none;dmarc=none action=none header.from=mt.com;"],"Received":["from phobos.denx.de (phobos.denx.de\n [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0Lrf1N2Cz1yGs\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 21 Apr 2026 22:14:42 +1000 (AEST)","from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 77D01805D7;\n\tTue, 21 Apr 2026 14:14:32 +0200 (CEST)","by phobos.denx.de (Postfix, from userid 109)\n id 9DBE483693; Tue, 21 Apr 2026 14:14:31 +0200 (CEST)","from MRWPR03CU001.outbound.protection.outlook.com\n (mail-francesouthazlp170110003.outbound.protection.outlook.com\n [IPv6:2a01:111:f403:c207::3])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id 6E838801A9\n for <u-boot@lists.denx.de>; Tue, 21 Apr 2026 14:14:28 +0200 (CEST)","from DB9PR03MB7180.eurprd03.prod.outlook.com (2603:10a6:10:22d::13)\n by 
AS2PR03MB9877.eurprd03.prod.outlook.com (2603:10a6:20b:546::21)\n with Microsoft SMTP Server (version=TLS1_2,\n cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9818.33; Tue, 21 Apr\n 2026 12:14:23 +0000","from DB9PR03MB7180.eurprd03.prod.outlook.com\n ([fe80::6fd2:12a9:4423:8ddc]) by DB9PR03MB7180.eurprd03.prod.outlook.com\n ([fe80::6fd2:12a9:4423:8ddc%6]) with mapi id 15.20.9846.016; Tue, 21 Apr 2026\n 12:14:24 +0000"],"X-Spam-Checker-Version":"SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de","X-Spam-Level":"","X-Spam-Status":"No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS\n autolearn=ham autolearn_force=no version=3.4.2","ARC-Seal":"i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;\n b=I8IVpEqMWTvhLg6K2Gnxu2FhCDHNv5dZirBokTnB5e8/pjZu0gtmH/YLZ08hNtSlF5+dTaR6EdYSt1rvkXkXbVZpdoSLO8CfQn+GUR2Gz6w/TkSCda3kkdKRybZwBBWBOJ2Xy145EHlI9cYmY4m4njo1UpO9egEokZ5YpamrL0HUZ52UnbpoGnmsZOThdzt7t9AEz8b3++aAgEDdPf0kzWbkcPsfBWSc3C9YfCyDhW+eXRnBLd4jrCweipC7uJO8foE5PvEC1w3jwV6mGMELD94RMH6Omv2gUtEJXTgZ18N0TmtYNers9LRrgAURb/dfJOIZnQjKYcusRvi5XUu+bQ==","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;\n s=arcselector10001;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;\n bh=WWzX9p4wA5cRs0tEV1r1VbQXZUY31v7Ks3huRPHOQdg=;\n b=sTHiYMJ8tKgQt6u9lvB9QULrhESzn8oJNFzay9v9OVjLMhTH+6qZ8sLbFWKnnUjqey18McTbd8EkOip9qTvn8JLHrYyUN4qnsZGiTnABIxIWC9yMqVBScJUamgLF7OTpavyK4lbJdae+CBBjJEAUPGldbJEaq4muD/0HJLAWUiCSgeEGIcM1ZqvEEO6pUyh70X+hFSy1rFDRR1U2xlF3s7qkwa57Qs7P4XlLX4SuQM0lR86Vg+28Pn9vvGcxJI9pjU92TrRAq1qPZkEcMtIXrZlO7jEmbBqdEm5W+AQD4Ai0nfn0PZqkVcjcFchWVbKItvxRP/R62rIDZJSs6X3WCw==","ARC-Authentication-Results":"i=1; mx.microsoft.com 1; spf=pass\n smtp.mailfrom=mt.com; dmarc=pass action=none header.from=mt.com; dkim=pass\n header.d=mt.com; 
arc=none","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=mt.com; s=selector2;\n h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;\n bh=WWzX9p4wA5cRs0tEV1r1VbQXZUY31v7Ks3huRPHOQdg=;\n b=ZVDYa43V+2a8w+L2pjK8HaKs+F/uVYC3JDKt/y/NlVL10A+rHHJTFUTXU4IRCJmoPE16+4XT4a8tgOZepK1xBhhFITlyI4TJ25sS7oRxQ7YryaEv9JHQoa6DJYSBmYW28lztEiySqt6OPIVWJFb9E/plHlgMy8aALv11hqTYtqNEaKN1KEbbmNZHYbqJYmkBwFCniIzCRkmyFNjrNgRlWHnkFEWdB0bwaApjU4YIvnY/n0Y58kT+63bvWKovLfHLdresQHrcUleH3/BgBgbV3TYMVsHM38/hAsrDQWKQpUcGgzVk84iJtEcY4Cy7tXpvbh1Ya9iknbuyFi0IJHw0nA==","From":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>","To":"u-boot@lists.denx.de","Cc":"Wojciech Dubowik <Wojciech.Dubowik@mt.com>,\n Franz Schnyder <fra.schnyder@gmail.com>, trini@konsulko.com,\n \"openembedded-core @ lists . openembedded . org\"\n <openembedded-core@lists.openembedded.org>,\n Francesco Dolcini <francesco@dolcini.it>, Simon Glass <sjg@chromium.org>,\n Quentin Schulz <quentin.schulz@cherry.de>,\n David Lechner <dlechner@baylibre.com>","Subject":"[PATCH v3] tools: mkeficapsule: Rework pkcs11 support","Date":"Tue, 21 Apr 2026 14:14:16 +0200","Message-ID":"<20260421121418.3257226-1-Wojciech.Dubowik@mt.com>","X-Mailer":"git-send-email 2.47.3","Content-Transfer-Encoding":"8bit","Content-Type":"text/plain","X-ClientProxiedBy":"ZR1PEPF000077DC.CHEP278.PROD.OUTLOOK.COM\n (2603:10a6:918::41a) To DB9PR03MB7180.eurprd03.prod.outlook.com\n (2603:10a6:10:22d::13)","MIME-Version":"1.0","X-MS-PublicTrafficType":"Email","X-MS-TrafficTypeDiagnostic":"DB9PR03MB7180:EE_|AS2PR03MB9877:EE_","X-MS-Office365-Filtering-Correlation-Id":"e48f0e2f-a003-4bd5-7e63-08de9f9f8693","X-MS-Exchange-SenderADCheck":"1","X-MS-Exchange-AntiSpam-Relay":"0","X-Microsoft-Antispam":"BCL:0;\n ARA:13230040|19092799006|366016|376014|52116014|1800799024|38350700014|56012099003|18002099003;","X-Microsoft-Antispam-Message-Info":"\n 
I7f+2/XKfN7W5HgsXkSb6Cq81e5tILYb0nX7PfGSg/wlcdx3FJekffk6qA4hGSx5OhNKG1fCjzNo4TtFv41sYgX/bjJZ6ZJCtnL1IGlewoFuA034Bgx/z3MrhU9hCAYyZJkXUTZkYOl9/oqoj87UyLHwauV5gsWwm1Wavc7qwhGYMNqOns8rz5PeaiwkBrpKeL9bggb4MOhNOj+93uZGpRZSAS+12oY6QLtFKopf9JWLGMEeKEs7nXtoh4KbnZcreLDByNW2NQRxT619ujhnrjklpl9M48rpW6thVSY9FeYyOGi3WsxBnSaHuGFlJdE9m29bIbMgn3+bt1g36X/bub0Zt16qYQ2h5NquA+qmH0yP9mxG82TehIpgUrzTvQKP4nIGrJwpA/1JPQQSF+f+rPER0euNqCAoS9H8E0XTzhG7YdJbsruKfBKFvsmNRIbmFaCoCycQvJZTAF76+GLj7A0kM56uqFU6WWeme59wYjfDJFzqkssoEpIpGCFYkhctoxwZgAJs5DpOfjs6l5dLJbzB94nXRvPgV29dIuLNZw+HJ/2FKrOyIU/horG1vwWT7cil9H1snMhUxDeEuFs2jcB+CoYnN5TPAH5oCtVGAfBvEC0BanIeMN5DhpcS8Enh1eb5gp75wNeooS/A4RVul7mSEZear/EsWuxUwzAZTVHdC2T6OTiatvB/iccShgkDOfIsut81C8jfycbvTWcvmHyUjZ3KaU/o5sUEJI3P1d/vwOubWwuXkKQK23q4hMP9wmEAveMvKN0JphRTz0wHaT9uFjItuAoCSZ2JvgyDEQg=","X-Forefront-Antispam-Report":"CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;\n IPV:NLI; SFV:NSPM; H:DB9PR03MB7180.eurprd03.prod.outlook.com; PTR:; CAT:NONE;\n SFS:(13230040)(19092799006)(366016)(376014)(52116014)(1800799024)(38350700014)(56012099003)(18002099003);\n DIR:OUT; SFP:1101;","X-MS-Exchange-AntiSpam-MessageData-ChunkCount":"1","X-MS-Exchange-AntiSpam-MessageData-0":"\n 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","X-OriginatorOrg":"mt.com","X-MS-Exchange-CrossTenant-Network-Message-Id":"\n e48f0e2f-a003-4bd5-7e63-08de9f9f8693","X-MS-Exchange-CrossTenant-AuthSource":"DB9PR03MB7180.eurprd03.prod.outlook.com","X-MS-Exchange-CrossTenant-AuthAs":"Internal","X-MS-Exchange-CrossTenant-OriginalArrivalTime":"21 Apr 2026 12:14:24.0989 (UTC)","X-MS-Exchange-CrossTenant-FromEntityHeader":"Hosted","X-MS-Exchange-CrossTenant-Id":"fb4c0aee-6cd2-482f-a1a5-717e7c02496b","X-MS-Exchange-CrossTenant-MailboxType":"HOSTED","X-MS-Exchange-CrossTenant-UserPrincipalName":"\n 
1QGrJlYncIXKRtes37/HQwLHaoWJk/7FFhrGTzwQGlk8uJfqr9FD6XjNxWzNYGhFmnblrSbirKo/IYn9Ynt0og==","X-MS-Exchange-Transport-CrossTenantHeadersStamped":"AS2PR03MB9877","X-BeenThere":"u-boot@lists.denx.de","X-Mailman-Version":"2.1.39","Precedence":"list","List-Id":"U-Boot discussion <u-boot.lists.denx.de>","List-Unsubscribe":"<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>","List-Archive":"<https://lists.denx.de/pipermail/u-boot/>","List-Post":"<mailto:u-boot@lists.denx.de>","List-Help":"<mailto:u-boot-request@lists.denx.de?subject=help>","List-Subscribe":"<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>","Errors-To":"u-boot-bounces@lists.denx.de","Sender":"\"U-Boot\" <u-boot-bounces@lists.denx.de>","X-Virus-Scanned":"clamav-milter 0.103.8 at phobos.denx.de","X-Virus-Status":"Clean"},"content":"Some distros like OpenEmbedded are using gnutls library\nwithout pkcs11 support and linking of mkeficapsule will fail.\nIt would make maintenance of default configs a hurdle.\nAdd detection of pkcs11 support in gnutls so it's enabled\nwhen available and doesn't need to be set explicitly.\n\nChanges:\n* remove config option for pkcs11 support and add auto\n  detection in Makefile\n* reduce amount of ifdefs by abstracting import pkcs11\n  functions\n* add missing free and deinit functions\n\nSuggested-by: Tom Rini <trini@konsulko.com>\nCc: Franz Schnyder <fra.schnyder@gmail.com>\nSigned-off-by: Wojciech Dubowik <Wojciech.Dubowik@mt.com>\n---\nChanges in v3:\n- remove config option for pkcs11 support and add auto\n  detection in Makefile\n- reduce amount of ifdefs by abstracting import pkcs11\n  functions\n- add missing free and deinit functions\nChanges in v2:\n- make use of stderr more consistent\n- add missing ifndef around pkcs11 deinit functions\n---\n tools/Makefile       |   5 ++\n tools/mkeficapsule.c | 117 ++++++++++++++++++++++++++++---------------\n 2 files changed, 81 
insertions(+), 41 deletions(-)","diff":"diff --git a/tools/Makefile b/tools/Makefile\nindex 1a5f425ecdaa..e85f5a354b81 100644\n--- a/tools/Makefile\n+++ b/tools/Makefile\n@@ -271,6 +271,11 @@ mkeficapsule-objs := generated/lib/uuid.o \\\n \t$(LIBFDT_OBJS) \\\n \tmkeficapsule.o\n hostprogs-always-$(CONFIG_TOOLS_MKEFICAPSULE) += mkeficapsule\n+GNUTLS_SUPPORTS_P11KIT = $(shell pkg-config --libs gnutls --print-requires-private \\\n+\t\t\t 2> /dev/null | grep p11-kit-1)\n+ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)\n+HOSTCFLAGS_mkeficapsule.o += -DMKEFICAPSULE_PKCS11\n+endif\n \n include tools/fwumdata_src/fwumdata.mk\n \ndiff --git a/tools/mkeficapsule.c b/tools/mkeficapsule.c\nindex ec640c57e8a5..747431bce8fe 100644\n--- a/tools/mkeficapsule.c\n+++ b/tools/mkeficapsule.c\n@@ -207,6 +207,45 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)\n \treturn 0;\n }\n \n+#ifdef MKEFICAPSULE_PKCS11\n+static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)\n+{\n+\tgnutls_pkcs11_obj_t *obj_list;\n+\tunsigned int obj_list_size = 0;\n+\tint i, ret;\n+\n+\tret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,\n+\t\t\t\t\t\t ctx->cert_file, 0);\n+\tif (ret < 0 || obj_list_size == 0)\n+\t\treturn ret;\n+\n+\tret = gnutls_x509_crt_import_pkcs11(*x509, obj_list[0]);\n+\n+\tfor (i = 0; i < obj_list_size; i++)\n+                gnutls_pkcs11_obj_deinit(obj_list[i]);\n+\tgnutls_free(obj_list);\n+\n+\treturn ret;\n+}\n+\n+static int import_pkcs11_key(gnutls_privkey_t *pkey, struct auth_context *ctx)\n+{\n+\treturn gnutls_privkey_import_pkcs11_url(*pkey, ctx->key_file);\n+}\n+#else\n+static int import_pkcs11_crt(gnutls_x509_crt_t *x509, struct auth_context *ctx)\n+{\n+\tfprintf(stderr, \"Pkcs11 support is disabled\\n\");\n+\treturn -1;\n+}\n+\n+static int import_pkcs11_key(gnutls_privkey_t *pkey, struct auth_context *ctx)\n+{\n+\tfprintf(stderr, \"Pkcs11 support is disabled\\n\");\n+\treturn -1;\n+}\n+#endif\n+\n /**\n  * 
create_auth_data - compose authentication data in capsule\n  * @auth_context:\tPointer to authentication context\n@@ -221,17 +260,14 @@ static int write_capsule_file(FILE *f, void *data, size_t size, const char *msg)\n  */\n static int create_auth_data(struct auth_context *ctx)\n {\n-\tgnutls_datum_t cert;\n-\tgnutls_datum_t key;\n+\tgnutls_datum_t cert = { NULL, 0 };\n+\tgnutls_datum_t key = { NULL, 0 };\n \toff_t file_size;\n-\tgnutls_privkey_t pkey;\n+\tgnutls_privkey_t pkey = NULL;\n \tgnutls_x509_crt_t x509;\n \tgnutls_pkcs7_t pkcs7;\n-\tgnutls_datum_t data;\n-\tgnutls_datum_t signature;\n-\tgnutls_pkcs11_obj_t *obj_list;\n-\tunsigned int obj_list_size = 0;\n-\tconst char *lib;\n+\tgnutls_datum_t data = { NULL, 0 };\n+\tgnutls_datum_t signature = { NULL, 0 };\n \tint ret;\n \tbool pkcs11_cert = false;\n \tbool pkcs11_key = false;\n@@ -242,10 +278,12 @@ static int create_auth_data(struct auth_context *ctx)\n \tif (!strncmp(ctx->key_file, \"pkcs11:\", strlen(\"pkcs11:\")))\n \t\tpkcs11_key = true;\n \n+#ifdef MKEFICAPSULE_PKCS11\n \tif (pkcs11_cert || pkcs11_key) {\n+\t\tconst char *lib;\n \t\tlib = getenv(\"PKCS11_MODULE_PATH\");\n \t\tif (!lib) {\n-\t\t\tfprintf(stdout,\n+\t\t\tfprintf(stderr,\n \t\t\t\t\"PKCS11_MODULE_PATH not set in the environment\\n\");\n \t\t\treturn -1;\n \t\t}\n@@ -255,10 +293,11 @@ static int create_auth_data(struct auth_context *ctx)\n \n \t\tret = gnutls_pkcs11_add_provider(lib, \"trusted\");\n \t\tif (ret < 0) {\n-\t\t\tfprintf(stdout, \"Failed to add pkcs11 provider\\n\");\n+\t\t\tfprintf(stderr, \"Failed to add pkcs11 provider\\n\");\n \t\t\treturn -1;\n \t\t}\n \t}\n+#endif\n \n \tif (!pkcs11_cert) {\n \t\tret = read_bin_file(ctx->cert_file, &cert.data, &file_size);\n@@ -296,35 +335,33 @@ static int create_auth_data(struct auth_context *ctx)\n \tif (ret < 0) {\n \t\tfprintf(stderr, \"error in gnutls_x509_crt_init(): %s\\n\",\n \t\t\tgnutls_strerror(ret));\n-\t\treturn -1;\n+\t\tgoto cleanup;\n \t}\n \n \t/* load x509 certificate 
*/\n \tif (pkcs11_cert) {\n-\t\tret = gnutls_pkcs11_obj_list_import_url4(&obj_list, &obj_list_size,\n-\t\t\t\t\t\t\t ctx->cert_file, 0);\n-\t\tif (ret < 0 || obj_list_size == 0) {\n-\t\t\tfprintf(stdout, \"Failed to import crt_file URI objects\\n\");\n-\t\t\treturn -1;\n+\t\tret =  import_pkcs11_crt(&x509, ctx);\n+\t\tif (ret < 0) {\n+\t\t\tfprintf(stderr, \"error in import_pkcs11_crt(): %s\\n\",\n+\t\t\t\tgnutls_strerror(ret));\n+\t\t\tgoto cleanup;\n \t\t}\n-\n-\t\tgnutls_x509_crt_import_pkcs11(x509, obj_list[0]);\n \t} else {\n \t\tret = gnutls_x509_crt_import(x509, &cert, GNUTLS_X509_FMT_PEM);\n \t\tif (ret < 0) {\n \t\t\tfprintf(stderr, \"error in gnutls_x509_crt_import(): %s\\n\",\n \t\t\t\tgnutls_strerror(ret));\n-\t\t\treturn -1;\n+\t\t\tgoto cleanup;\n \t\t}\n \t}\n \n \t/* load a private key */\n \tif (pkcs11_key) {\n-\t\tret = gnutls_privkey_import_pkcs11_url(pkey, ctx->key_file);\n+\t\tret = import_pkcs11_key(&pkey, ctx);\n \t\tif (ret < 0) {\n-\t\t\tfprintf(stderr, \"error in %d: %s\\n\", __LINE__,\n+\t\t\tfprintf(stderr,\t\"error in import_pkcs11_key(): %s\\n\",\n \t\t\t\tgnutls_strerror(ret));\n-\t\t\treturn -1;\n+\t\t\tgoto cleanup;\n \t\t}\n \t} else {\n \t\tret = gnutls_privkey_import_x509_raw(pkey, &key, GNUTLS_X509_FMT_PEM,\n@@ -333,7 +370,7 @@ static int create_auth_data(struct auth_context *ctx)\n \t\t\tfprintf(stderr,\n \t\t\t\t\"error in gnutls_privkey_import_x509_raw(): %s\\n\",\n \t\t\t\tgnutls_strerror(ret));\n-\t\t\treturn -1;\n+\t\t\tgoto cleanup;\n \t\t}\n \t}\n \n@@ -342,7 +379,7 @@ static int create_auth_data(struct auth_context *ctx)\n \tif (ret < 0) {\n \t\tfprintf(stderr, \"error in gnutls_pkcs7_init(): %s\\n\",\n \t\t\tgnutls_strerror(ret));\n-\t\treturn -1;\n+\t\tgoto cleanup;\n \t}\n \n \t/* sign */\n@@ -357,7 +394,7 @@ static int create_auth_data(struct auth_context *ctx)\n \tdata.data = malloc(data.size);\n \tif (!data.data) {\n \t\tfprintf(stderr, \"allocating memory (0x%x) failed\\n\", data.size);\n-\t\treturn 
-1;\n+\t\tgoto cleanup;\n \t}\n \tmemcpy(data.data, ctx->image_data, ctx->image_size);\n \tmemcpy(data.data + ctx->image_size, &ctx->auth.monotonic_count,\n@@ -371,7 +408,7 @@ static int create_auth_data(struct auth_context *ctx)\n \tif (ret < 0) {\n \t\tfprintf(stderr, \"error in gnutls_pkcs7)sign(): %s\\n\",\n \t\t\tgnutls_strerror(ret));\n-\t\treturn -1;\n+\t\tgoto cleanup;\n \t}\n \n \t/* export */\n@@ -379,7 +416,8 @@ static int create_auth_data(struct auth_context *ctx)\n \tif (ret < 0) {\n \t\tfprintf(stderr, \"error in gnutls_pkcs7_export2: %s\\n\",\n \t\t\tgnutls_strerror(ret));\n-\t\treturn -1;\n+\t\tgnutls_free(signature.data);\n+\t\tgoto cleanup;\n \t}\n \tctx->sig_data = signature.data;\n \tctx->sig_size = signature.size;\n@@ -391,24 +429,21 @@ static int create_auth_data(struct auth_context *ctx)\n \tctx->auth.auth_info.hdr.wCertificateType = WIN_CERT_TYPE_EFI_GUID;\n \tmemcpy(&ctx->auth.auth_info.cert_type, &efi_guid_cert_type_pkcs7,\n \t       sizeof(efi_guid_cert_type_pkcs7));\n-\n-\t/*\n-\t * For better clean-ups,\n-\t * gnutls_pkcs7_deinit(pkcs7);\n-\t * gnutls_privkey_deinit(pkey);\n-\t * gnutls_x509_crt_deinit(x509);\n-\t * free(cert.data);\n-\t * free(key.data);\n-\t * if error\n-\t *   gnutls_free(signature.data);\n-\t */\n-\n+cleanup:\n+\tgnutls_x509_crt_deinit(x509);\n+\tif (pkey)\n+                gnutls_privkey_deinit(pkey);\n+\tgnutls_pkcs7_deinit(pkcs7);\n+\tgnutls_free(cert.data);\n+\tgnutls_free(key.data);\n+\tgnutls_free(data.data);\n+#ifdef MKEFICAPSULE_PKCS11\n \tif (pkcs11_cert || pkcs11_key) {\n \t\tgnutls_global_deinit();\n \t\tgnutls_pkcs11_deinit();\n \t}\n-\n-\treturn 0;\n+#endif\n+\treturn ret;\n }\n \n /**\n","prefixes":["v3"]}
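Review bot: In the tools/Makefile hunk, `ifeq ($(GNUTLS_SUPPORTS_P11KIT),p11-kit-1)` compares against the whole line that grep prints, so detection silently turns off whenever the matching pkg-config line carries anything besides the bare module name (a version constraint, for instance, or `--libs` output that mentions p11-kit-1). Drop `--libs`, which is not needed to read the private requirements, and test for a match instead of equality, e.g. `ifneq ($(findstring p11-kit-1,$(GNUTLS_SUPPORTS_P11KIT)),)`. Assigning with `:=` would also make the shell command run once at parse time.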
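Review bot: In import_pkcs11_crt() (hunk at -207,6 of tools/mkeficapsule.c), `if (ret < 0 || obj_list_size == 0) return ret;` returns a non-negative ret when the URL matched no objects, and the caller only checks `ret < 0`, so signing continues with an x509 handle that never had a certificate imported. The code this replaces treated the empty list as a failure. Return an explicit error for that case, for example GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE, and release obj_list if it was allocated. Smaller points: the loop compares `int i` with an unsigned count, and the gnutls_pkcs11_obj_deinit() line is indented with spaces instead of a tab.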
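Review bot: In the declarations hunk of create_auth_data() (-221,17), pkey is now initialised to NULL but x509 and pkcs7 are not, while the new cleanup label calls gnutls_x509_crt_deinit(x509) and gnutls_pkcs7_deinit(pkcs7) unconditionally. Every `goto cleanup` taken before gnutls_pkcs7_init(), starting with the gnutls_x509_crt_init() failure path, hands an uninitialised handle to a deinit function. Initialise both to NULL and guard them the same way as pkey: `if (pkcs7) gnutls_pkcs7_deinit(pkcs7);`.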
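Review bot: In the certificate and key loading hunk (-296,35), the error paths pass ret to gnutls_strerror(), but the stubs built without MKEFICAPSULE_PKCS11 return a bare -1 instead of a GnuTLS error code, so the text printed after "Pkcs11 support is disabled" will not describe the actual failure. Have the stubs return a real code such as GNUTLS_E_UNIMPLEMENTED_FEATURE, or reject `pkcs11:` URIs up front next to the PKCS11_MODULE_PATH check so the tool fails before any handle is created. Style: `ret =  import_pkcs11_crt(&x509, ctx);` has a double space, and the fprintf() for import_pkcs11_key() has a tab after `stderr,`.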
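Review bot: In the data.data allocation hunk (-357,7), `goto cleanup` is reached without ret being set, and cleanup now ends in `return ret;`, so a failed malloc() returns whatever the last successful GnuTLS call left in ret instead of the -1 this path returned before. A signing tool that reports success without producing a signature is the failure mode to avoid here. Set `ret = -1;` or `ret = GNUTLS_E_MEMORY_ERROR;` before the jump, and apply the same check to any other non-GnuTLS failure that now goes through cleanup.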
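Review bot: In the cleanup hunk (-391,24), data.data comes from malloc() and the removed comment listed `free(cert.data); free(key.data);`, yet all three buffers are now released with gnutls_free(). Use free() for buffers the tool allocated itself and keep gnutls_free() for memory GnuTLS handed back, such as signature.data. Because the label is now shared by the success path, a one-line comment that ctx->sig_data takes ownership of signature.data would make it clear why that buffer is not freed here. The gnutls_privkey_deinit(pkey) line is indented with spaces instead of a tab.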