On 17 Jan 2022, at 19:17, Ruediger Pluem <[email protected]> wrote:
>> I see. Thanks for the clarification. Did not really know about that
>> interface. Then I see no pressing point in adding an additional API, indeed.
>
> I haven't looked deeply in this, but based on the pointers from Joe I guess
> this can be done with
>
> - p11-kit
> - softhsm
> - Some configuration on OpenSSL side to use the p11-kit client as pkcs11
> provider for accessing the p11-kit server over a Unix
> domain socket
>
> p11-kit and softhsm seem to be readily available at least on later versions
> of Ubuntu and RedHat.
>
> As the pkcs11 engine requires some configuration it could be nice to add a
> feature to mod_ssl that allows loading a different
> configuration file than the standard OpenSSL configuration file.
No need - as of recently this has been simplified and is available in v2.4.
Start by passing pkcs11 URLs into mod_ssl as follows:
SSLCertificateFile pkcs11:token=Local%20Tokens;id=%B0%90%5A%36%1A%E0%2F%DA%13%14%81%FC%E1%DE%9D%86%9E%30%8F%AE;type=cert
SSLCertificateKeyFile pkcs11:token=Local%20Tokens;id=%B0%90%5A%36%1A%E0%2F%DA%13%14%81%FC%E1%DE%9D%86%9E%30%8F%AE;object=;type=private?pin-value=1111
The pkcs11 URL prefix is enough to get mod_ssl to tell openssl it wants the
pkcs11 engine, provided by the openssl-pkcs11 RPM package on Redhat derivatives
(native package is called https://github.com/OpenSC/libp11). No need to mess
about with manual engine configs, mod_ssl handles the details for you.
In turn, if p11-kit is installed then all pkcs11 driver packages should “just
work” on installation. I have had the most success with the opencryptoki-swtok
package, a software HSM made by IBM.
The softhsm package by Redhat is packaged in such a way that it cannot be used
by anything other than opendnssec, which is a shame.
If you want to store more than one certificate in your HSM / on your token, you
need this fix: https://github.com/OpenSC/libp11/pull/433
Regards,
Graham
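As an added example, not code from this thread or from mod_ssl: a small RFC 7512 PKCS#11 URI parser plus a check over the SSLCertificateFile / SSLCertificateKeyFile directives that reports whether a pin-value (the token PIN in clear text) is embedded in the URI and whether the cert and key URIs name the same object id. The httpd.conf fragment is constructed from the URI form shown above; the function names are my own.

```python
import re
from urllib.parse import unquote, unquote_to_bytes


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse an RFC 7512 PKCS#11 URI into {"path": {...}, "query": {...}}.
    Path attrs are ';'-separated, query attrs '&'-separated; splitting happens
    before percent-decoding so an encoded ';' or '&' in a value is kept.  'id'
    is opaque binary and stays bytes; other values are decoded to str."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")

    def split(part: str, sep: str) -> dict:
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
        return attrs

    return {"path": split(path_part, ";"), "query": split(query_part, "&")}


def audit_pkcs11_config(config_text: str) -> dict:
    """Collect pkcs11 URIs from SSLCertificateFile/SSLCertificateKeyFile lines.
    Reports which directives embed a pin-value (the token PIN in clear text,
    readable by anyone who can read httpd.conf) and whether cert and key URIs
    name the same object id, so a mismatched pair is visible at a glance."""
    uris = {}
    for line in config_text.splitlines():
        m = re.match(r"\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", line)
        if m and m.group(2).startswith("pkcs11:"):
            uris[m.group(1)] = parse_pkcs11_uri(m.group(2))
    ids = {u["path"].get("id") for u in uris.values()}
    return {
        "directives": sorted(uris),
        "embedded_pin_in": sorted(d for d, u in uris.items() if "pin-value" in u["query"]),
        "ids_match": len(ids) <= 1,
    }


# Constructed httpd.conf fragment in the form shown in the thread; the id and
# PIN are the thread's illustrative values, not real credentials.
SAMPLE_CONFIG = """
SSLEngine on
SSLCertificateFile pkcs11:token=Local%20Tokens;id=%B0%90%5A%36%1A%E0%2F%DA%13%14%81%FC%E1%DE%9D%86%9E%30%8F%AE;type=cert
SSLCertificateKeyFile pkcs11:token=Local%20Tokens;id=%B0%90%5A%36%1A%E0%2F%DA%13%14%81%FC%E1%DE%9D%86%9E%30%8F%AE;object=;type=private?pin-value=1111
"""
```

Running `audit_pkcs11_config(SAMPLE_CONFIG)` on this fragment lists the key directive under `embedded_pin_in`; a setup that supplies the PIN some other way leaves that list empty.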