From e334302af9cd73bd123b67eb1e695547c36eb9af Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Thu, 9 Apr 2026 12:56:01 -0500
Subject: [PATCH 1/2] Fix return code for PIN getter

Fix the return code of the PIN getter. The bug was not noticed since the
pkcs11 URI for the SoftHSM private key contains the pin-value (needed for
signing but also for testing whether signing is possible).

When UI_set_result() returns != 0 for failure, return 0 on the PIN getter,
1 otherwise.

From UI_method_set_reader man page:

"All of these functions are expected to return 0 on error, 1 on
 success..."

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 src/libimaevm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libimaevm.c b/src/libimaevm.c
index 49bfb629..a2bcafbd 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -1068,7 +1068,9 @@ static EVP_PKEY *read_priv_pkey_engine(ENGINE * e __attribute__((unused)),
 #ifdef CONFIG_IMA_EVM_PROVIDER
 static int ui_get_pin(UI *ui, UI_STRING *uis)
 {
-	return UI_set_result(ui, uis, UI_get0_user_data(ui));
+	if (UI_set_result(ui, uis, UI_get0_user_data(ui)) != 0)
+		return 0;
+	return 1;
 }
 #endif
 

From 4f77f35302e667f3528621ffe36fa3bb090684af Mon Sep 17 00:00:00 2001
From: Stefan Berger <stefanb@linux.ibm.com>
Date: Thu, 9 Apr 2026 15:16:51 -0400
Subject: [PATCH 2/2] tests: Strip PIN from PKCS11 URI to test PIN getter in
 evmctl

Test evmctl's PIN getter by stripping the PIN from the pkcs11 URI and
passing the PIN to evmctl using the --pass option. Since test-signing
with the PKCS11 URI also requires access to the key and therefore also
access to the PIN, append the PIN to the URI so that OpenSSL can use
the key without prompting for the PIN.

Upgrade some of the PKCS11 URI tests to use sha384 instead of outdated
sha1.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
---
 tests/sign_verify.test | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index a1ab6293..c7bb501d 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -166,7 +166,8 @@ check_sign() {
     fi
 
     # Can openssl sign with this digest and key?
-    cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key -hex $FILE"
+    # pkcs11: If 'PIN' was passed, append it to the key URI to avoid a prompt for the PIN
+    cmd="openssl dgst $OPENSSL_ENGINE $OPENSSL_KEYFORM -$ALG -sign $key${PIN:+?pin-value=${PIN}} -hex $FILE"
     echo - "$cmd"
     if ! $cmd >/dev/null; then
       echo "${CYAN}$ALG ($key) test is skipped (openssl is unable to sign)$NORM"
@@ -451,8 +452,16 @@ expect_fail \
 _softhsm_setup "${WORKDIR}"
 if [ -n "${PKCS11_KEYURI}" ]; then
   if evmctl --help 2>/dev/null | grep -q engine; then
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--engine pkcs11"
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--engine pkcs11"
+    # strip PIN from URI and get PIN
+    pkcs11_keyuri_nopin=${PKCS11_KEYURI%\?*}
+    pin=${PKCS11_KEYURI#*pin-value=}
+
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${pkcs11_keyuri_nopin}" \
+       ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --pass=${pin}" \
+       EVMCTL_ENGINE="--engine pkcs11" PIN="${PIN}"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_KEYURI}" \
+       ALG=sha384 PREFIX=0x030205aabbccdd0100 OPTS="--keyid=aabbccdd" \
+       EVMCTL_ENGINE="--engine pkcs11"
   else
     __skip() { echo "pkcs11 test with engine is skipped since there is no engine support"; return "$SKIP"; }
     expect_pass __skip
@@ -463,9 +472,16 @@ if [ -n "${PKCS11_KEYURI}" ]; then
   if evmctl --help 2>/dev/null | grep -q provider && \
      openssl list -providers -provider pkcs11 2>/dev/null; then
     PKCS11_PRIVKEYURI=${PKCS11_KEYURI//type=public/type=private}
-
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--provider pkcs11"
-    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" ALG=sha1   PREFIX=0x030202aabbccdd0100 OPTS="--keyid=aabbccdd" EVMCTL_ENGINE="--provider pkcs11"
+    # strip PIN from URI and get PIN
+    pkcs11_keyuri_nopin=${PKCS11_PRIVKEYURI%\?*}
+    pin=${PKCS11_PRIVKEYURI#*pin-value=}
+
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${pkcs11_keyuri_nopin}" \
+       ALG=sha256 PREFIX=0x030204aabbccdd0100 OPTS="--keyid=aabbccdd --pass=${pin}" \
+       EVMCTL_ENGINE="--provider pkcs11" PIN="${pin}"
+    expect_pass check_sign FILE=pkcs11test TYPE=ima KEY="${PKCS11_PRIVKEYURI}" \
+       ALG=sha384 PREFIX=0x030205aabbccdd0100 OPTS="--keyid=aabbccdd" \
+       EVMCTL_ENGINE="--provider pkcs11"
   else
     __skip() { echo "pkcs11 test with provider is skipped since no provider support or pkcs11 not installed"; return "$SKIP"; }
     expect_pass __skip