From 7a0a2e9fa132cba32f4a287d03c04e9ff78a44ec Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Mon, 2 Oct 2017 15:17:13 +0200
Subject: ssl: Add private key configuration for crypto engine

---
 lib/ssl/src/ssl.erl           |  3 ++-
 lib/ssl/src/ssl_config.erl    | 10 +++++++++-
 lib/ssl/src/ssl_handshake.erl | 12 +++++++++---
 lib/ssl/src/ssl_internal.hrl  | 13 +++++++++++--
 4 files changed, 31 insertions(+), 7 deletions(-)

(limited to 'lib/ssl/src')

diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 60118549e4..4007e44a83 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -896,7 +896,8 @@ validate_option(key, {KeyType, Value}) when is_binary(Value),
 					    KeyType == 'ECPrivateKey';
 					    KeyType == 'PrivateKeyInfo' ->
     {KeyType, Value};
-
+validate_option(key, #{algorithm := _} = Value) ->
+    Value;
 validate_option(keyfile, undefined) ->
    <<>>;
 validate_option(keyfile, Value) when is_binary(Value) ->
diff --git a/lib/ssl/src/ssl_config.erl b/lib/ssl/src/ssl_config.erl
index e4611995ec..022fb7eac0 100644
--- a/lib/ssl/src/ssl_config.erl
+++ b/lib/ssl/src/ssl_config.erl
@@ -91,7 +91,15 @@ init_certificates(undefined, #{pem_cache := PemCache} = Config, CertFile, server
     end;
 init_certificates(Cert, Config, _, _) ->
     {ok, Config#{own_certificate => Cert}}.
-        
+init_private_key(_, #{algorithm := Alg} = Key, <<>>, _Password, _Client) when Alg == ecdsa;
+                                                                              Alg == rsa;
+                                                                              Alg == dss ->
+    case maps:is_key(engine, Key) andalso maps:is_key(key_id, Key) of
+        true ->
+            Key;
+        false ->
+            throw({key, {invalid_key_id, Key}})
+    end;
 init_private_key(_, undefined, <<>>, _Password, _Client) ->
     undefined;
 init_private_key(DbHandle, undefined, KeyFile, Password, _) ->
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index 0ee9ee3322..b47a11dc0d 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1646,14 +1646,20 @@ digitally_signed(Version, Hashes, HashAlgo, PrivateKey) ->
 	error:badkey->
 	    throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE, bad_key(PrivateKey)))
     end.
-
+do_digitally_signed({3, Minor}, Hash, HashAlgo, #{algorithm := Alg} = Engine) 
+  when Minor >= 3 ->
+    crypto:sign(Alg, HashAlgo, {digest, Hash}, maps:remove(algorithm, Engine));
 do_digitally_signed({3, Minor}, Hash, HashAlgo, Key) when Minor >= 3 ->
     public_key:sign({digest, Hash}, HashAlgo, Key);
-do_digitally_signed(_Version, Hash, HashAlgo, #'DSAPrivateKey'{} = Key) ->
-    public_key:sign({digest, Hash}, HashAlgo, Key);
 do_digitally_signed(_Version, Hash, _HashAlgo, #'RSAPrivateKey'{} = Key) ->
     public_key:encrypt_private(Hash, Key,
 			       [{rsa_pad, rsa_pkcs1_padding}]);
+do_digitally_signed({3, _}, Hash, _, 
+                    #{algorithm := rsa} = Engine) ->
+    crypto:private_encrypt(rsa, Hash, maps:remove(algorithm, Engine),
+                           rsa_pkcs1_padding);
+do_digitally_signed({3, _}, Hash, HashAlgo, #{algorithm := Alg} = Engine) ->
+    crypto:sign(Alg, HashAlgo, {digest, Hash}, maps:remove(algorithm, Engine));
 do_digitally_signed(_Version, Hash, HashAlgo, Key) ->
     public_key:sign({digest, Hash}, HashAlgo, Key).
 
diff --git a/lib/ssl/src/ssl_internal.hrl b/lib/ssl/src/ssl_internal.hrl
index 24ac34653e..9bb1cbaeb0 100644
--- a/lib/ssl/src/ssl_internal.hrl
+++ b/lib/ssl/src/ssl_internal.hrl
@@ -95,7 +95,8 @@
 	  certfile             :: binary(),
 	  cert                 :: public_key:der_encoded() | secret_printout() | 'undefined',
 	  keyfile              :: binary(),
-	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', public_key:der_encoded()} | secret_printout() | 'undefined',
+	  key	               :: {'RSAPrivateKey' | 'DSAPrivateKey' | 'ECPrivateKey' | 'PrivateKeyInfo', 
+                                   public_key:der_encoded()} | key_map() | secret_printout() | 'undefined',
 	  password	       :: string() | secret_printout() | 'undefined',
 	  cacerts              :: [public_key:der_encoded()] | secret_printout() | 'undefined',
 	  cacertfile           :: binary(),
@@ -164,7 +165,15 @@
 		 connection_cb
 		}).
 
-
+-type key_map()              :: #{algorithm := rsa | dss | ecdsa,
+                                  %% engine and key_id ought to 
+                                  %% be :=, but putting it in
+                                  %% the spec gives dialyzer warning
+                                  %% of correct code!
+                                  engine => crypto:engine_ref(),
+                                  key_id => crypto:key_id(),
+                                  password => crypto:password()
+                                 }.
 -type state_name()           :: hello | abbreviated | certify | cipher | connection.
 -type gen_fsm_state_return() :: {next_state, state_name(), term()} |
 				{next_state, state_name(), term(), timeout()} |
-- 
cgit v1.2.3