On Wed, Mar 20, 2024 at 06:23:03AM +0000, PR Bot wrote:
> Subject: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> 
> Dear list!
> 
> Author: S-P Chan <shihping.c...@gmail.com>
> Number of patches: 1
> 
> This is an automated relay of the Github pull request:
> FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> 
> Patch title(s):
> FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> 
> Link:
> https://github.com/haproxy/haproxy/pull/2493
> 
> Edit locally:
> wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch
> 
> Apply locally:
> curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -
> 
> Description:
> With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a
> specially formatted PEM stanza can be used to reference a PKCS#11 URI to
> locate the private key.
> 
> This PEM stanza can be used inside the crt file so that there is no change
> to the HAProxy config language.
> 
> This works with OpenSSL 3 and pkcs11-provider after
> https://github.com/latchset/pkcs11-provider/commit/0806c3665 which added
> support for PKCS#11 URI-in-PEM.
> 
> TODO: This PR works without forking (i.e., not in master-worker mode) as
> PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
> master-worker mode, we need to defer key loading to the child process.
> 
> Format of PEM stanza:
> ```
> -----BEGIN PKCS#11 PROVIDER URI-----
> MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
> UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
> MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
> JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
> JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
> -----END PKCS#11 PROVIDER URI-----
> ```
> 
> Parsed ASN.1:
> ```
>  0:d=0 hl=3 l= 214 cons: SEQUENCE
>  3:d=1 hl=2 l=  25 prim: VISIBLESTRING :PKCS#11 Provider URI v1.0
> 30:d=1 hl=3 l= 184 prim: UTF8STRING    :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
> ```
> 
> Instructions:
> This github pull request will be closed automatically; patch should be
> reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
> invited to comment, even the patch's author. Please keep the author and
> list CCed in replies. Please note that in absence of any response this
> pull request will be lost.
Hello,

Thank you for your contribution. I'm surprised this is not already working
with the current code. We made tests in the past with the TPM2 provider,
which also uses a URI in the private key:
https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider

Do you have any specific configuration for HAProxy?

Regards,

-- 
William Lallemand