From 6c2263baf931ea4596251180f79a1fb327e67c89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Wed, 12 Sep 2018 22:27:29 +0200
Subject: [PATCH] Engine allowed to use private keys without a PIN

Access control policies should be enforced by PKCS#11 modules,
and not by our engine or libp11.

Fixes #242
---
 NEWS           | 1 +
 src/eng_back.c | 4 ----
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 13b4d565..b6e6f51d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 NEWS for Libp11 -- History of user visible changes
 
 New in 0.4.10; unreleased
+* Engine allowed to use private keys without a PIN (Michał Trojnara)
 
 New in 0.4.9; 2018-09-03; Michał Trojnara
 * Fixed EVP_PKEY ENGINE reference count with the EC EVP_PKEY_METHOD
diff --git a/src/eng_back.c b/src/eng_back.c
index 464c47b6..fb949343 100644
--- a/src/eng_back.c
+++ b/src/eng_back.c
@@ -750,10 +750,6 @@ static EVP_PKEY *ctx_load_key(ENGINE_CTX *ctx, const char *s_slot_key_id,
 	 * with some other (which ones?) PKCS#11 libraries */
 	if (!tok->initialized)
 		ctx_log(ctx, 0, "Found uninitialized token\n");
-	if (isPrivate && !tok->userPinSet && !tok->readOnly) {
-		ctx_log(ctx, 0, "Found slot without user PIN\n");
-		goto error;
-	}
 
 	ctx_log(ctx, 1, "Found slot:  %s\n", slot->description);
 	ctx_log(ctx, 1, "Found token: %s\n", slot->token->label);