On Wed, Dec 6, 2023 at 11:05 AM Yann Ylavic <ylavic....@gmail.com> wrote:
>
> On Tue, Dec 5, 2023 at 4:26 PM <jor...@apache.org> wrote:
> >
> > Author: jorton
> > Date: Tue Dec 5 15:26:22 2023
> > New Revision: 1914365
> >
> > URL: http://svn.apache.org/viewvc?rev=1914365&view=rev
> > Log:
> > mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
> > the STORE API. Separates compile-time support for the STORE API
> > (supported in 3.x) from support for the ENGINE API (deprecated in
> > 3.x).
> >
> > * modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
> > OpenSSL 3.0+.
> >
> > * modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
> > modssl_load_keypair_store): New functions.
> > (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
> > (modssl_load_engine_keypair): Reimplement to use new STORE-based
> > functions if SSLCryptoDevice was not configured, or else old
> > ENGINE implementation.
> >
> > * modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
> > also for the OpenSSL 3.x STORE API.
> >
> > * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
> > message on error paths for the provider/STORE case.
> >
> > Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
> > Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
> > Github: closes #397, closes #398
> >
> []
> >
> > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1914365&r1=1914364&r2=1914365&view=diff
> > ==============================================================================
> > --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
> > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Tue Dec 5 15:26:22
> > 2023
> []
> > +
> > +apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
> > + const char *vhostid,
> > + const char *certid, const char
> > *keyid,
> > + X509 **pubkey, EVP_PKEY **privkey)
> > +{
> > +#if MODSSL_HAVE_OPENSSL_STORE
> > + SSLModConfigRec *mc = myModConfig(s);
> > +
> > + if (!mc->szCryptoDevice)
> > + return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
> > + pubkey, privkey);
> > +#endif
> > +#if MODSSL_HAVE_ENGINE_API
> > + return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
> > + pubkey, privkey);
> > #else
> > return APR_ENOTIMPL;
> > #endif
>
> Hm, it seems that with openssl-3+ we can handle/support pkcs#11 URIs
> only via the store API now.
> modssl_load_keypair_store() will fail/die if it can't find the
> cert/key in the STORE, but couldn't modssl_load_keypair_engine() find
> them if the OpenSSL configuration (and underlying lib, e.g. libp11)
> still uses the legacy engine API? The engine API is still available in
> openssl-3 and might still be used IIUC.
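Review bot: in modssl_load_engine_keypair, a build with MODSSL_HAVE_OPENSSL_STORE but without MODSSL_HAVE_ENGINE_API that has SSLCryptoDevice configured skips the STORE branch (it is guarded by `if (!mc->szCryptoDevice)`) and falls through to `return APR_ENOTIMPL;` with nothing recorded about why; consider logging, or returning a distinct status for, "SSLCryptoDevice is set but the ENGINE API is not compiled in", so that the tweaked error path in ssl_init_server_certs can name the actual cause instead of a generic not-implemented error. A one-line comment above the first `#if` saying that the STORE path is only meant for the no-SSLCryptoDevice case would also make the two independent `#if` blocks (the first returns early, the second carries the `#else`) easier to follow.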
>
> So don't we need something like this:
>
>     apr_status_t rv = APR_ENOTIMPL;
> #if MODSSL_HAVE_OPENSSL_STORE
>     SSLModConfigRec *mc = myModConfig(s);
>     if (!mc->szCryptoDevice)
>         rv = modssl_load_keypair_store(s, p, vhostid, certid, keyid,
>                                        pubkey, privkey);
> #endif
> #if MODSSL_HAVE_ENGINE_API
>     if (rv == APR_ENOTIMPL)
>         rv = modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
>                                         pubkey, privkey);
> #endif
>     return rv;
>
> and somehow make modssl_load_keypair_store() return APR_ENOTIMPL when
> there is no store to get the cert/key from?
Oh, scratch that.
Actually the engine API requires a "SSLCryptoDevice pkcs11" too, so we
wouldn't take the !mc->szCryptoDevice path.
Sorry for the noise.

Regards;
Yann.