details: http://freenginx.org/hg/nginx-tests/rev/a7221352da4f branches: changeset: 2030:a7221352da4f user: Maxim Dounin <[email protected]> date: Wed Oct 15 02:39:06 2025 +0300 description: Tests: loading keys from libp11 pkcs11prov provider.
diffstat: ssl_store_libp11.t | 65 ++++++++++++++++++++++++++++++++++------------------- 1 files changed, 41 insertions(+), 24 deletions(-) diffs (148 lines): diff --git a/ssl_engine_keys.t b/ssl_store_libp11.t copy from ssl_engine_keys.t copy to ssl_store_libp11.t --- a/ssl_engine_keys.t +++ b/ssl_store_libp11.t @@ -4,7 +4,8 @@ # (C) Sergey Kandaurov # (C) Nginx, Inc. -# Tests for http ssl module, loading "engine:..." keys. +# Tests for http ssl module, loading "store:..." certificates and keys +# from libp11 pkcs11prov OpenSSL provider (https://github.com/OpenSC/libp11). ############################################################################### @@ -32,7 +33,7 @@ my $t = Test::Nginx->new() ->has_daemon('softhsm2-util') ->has_daemon('pkcs11-tool'); -plan(skip_all => 'no engine:... keys') +plan(skip_all => 'no store:... keys') unless $t->has_module('OpenSSL') and !$t->has_module('BoringSSL'); $t->write_file_expand('nginx.conf', <<'EOF'); @@ -52,8 +53,8 @@ http { listen 127.0.0.1:8080; server_name localhost; - ssl_certificate localhost.crt; - ssl_certificate_key engine:pkcs11:id_00; + ssl_certificate store:pkcs11:object=cert-localhost; + ssl_certificate_key store:pkcs11:object=key0; location / { # index index.html by default @@ -74,8 +75,8 @@ http { listen 127.0.0.1:8082 ssl; server_name localhost; - ssl_certificate $ssl_server_name.crt; - ssl_certificate_key engine:pkcs11:id_00; + ssl_certificate store:pkcs11:object=cert-$ssl_server_name; + ssl_certificate_key store:pkcs11:object=key0; location / { # index index.html by default 
@@ -86,11 +87,15 @@ http { EOF # Create a SoftHSM token with a secret key, and configure OpenSSL -# to access it using the pkcs11 engine, see detailed example +# to access it using the libp11 pkcs11prov provider. See detailed example # posted by Dmitrii Pichulin here: # # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html # +# Adapted to provider usage based on libp11 documentation, see here: +# +# https://github.com/OpenSC/libp11 +# # Note that library paths are different on different systems. We try # to detect some known ones. # @@ -98,12 +103,12 @@ EOF # building nginx, or the "openssl" tool in path, so everything will fail. # As such, this test is marked unsafe. -# Libraries on various systems: FreeBSD, Alpine, Ubuntu +# Libraries on various systems: FreeBSD, Alpine, Debian -my ($engine) = grep { -e $_ } qw! - /usr/local/lib/engines/pkcs11.so - /usr/lib/engines-3/pkcs11.so - /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so +my ($provider) = grep { -e $_ } qw! + /usr/local/lib/ossl-modules/pkcs11prov.so + /usr/lib/ossl-modules/pkcs11prov.so + /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11prov.so !; my ($softhsm) = grep { -e $_ } qw! @@ -112,24 +117,29 @@ my ($softhsm) = grep { -e $_ } qw! /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so !; -plan(skip_all => 'no libp11 pkcs11 engine') unless $engine; +plan(skip_all => 'no libp11 pkcs11prov provider') unless $provider; plan(skip_all => 'no softhsm2') unless $softhsm; $t->write_file('openssl.conf', <<EOF); openssl_conf = openssl_def [openssl_def] -engines = engine_section +providers = provider_sect -[engine_section] -pkcs11 = pkcs11_section +[provider_sect] +default = default_sect +pkcs11 = pkcs11_sect -[pkcs11_section] -engine_id = pkcs11 -dynamic_path = $engine -MODULE_PATH = $softhsm -init = 1 -PIN = 1234 +[default_sect] +activate = 1 + +[pkcs11_sect] +identity = pkcs11prov +module = $provider +pkcs11_module = $softhsm +debug_level = 2 +pin = 1234 +activate = 1 [ req ] default_bits = 2048 
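Review bot: `debug_level = 2` in the new `[pkcs11_sect]` of the openssl.conf heredoc is left unexplained; it is presumably set so that provider diagnostics are available when a run fails, but a reader may take it for a setting the provider requires. A one-line comment inside the heredoc, such as `# debug_level = 2: keep provider diagnostics available when troubleshooting failures`, would make the intent explicit (OpenSSL config files accept `#` comments). The heredoc is interpolating (`<<EOF`), and `$provider` and `$softhsm` come only from the fixed candidate lists selected with `grep { -e $_ }` above, so the generated file never contains a path the test did not itself choose. The heredoc continues past the end of this hunk.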
@@ -165,9 +175,16 @@ foreach my $name ('localhost') { system('openssl req -x509 -new ' . "-subj /CN=$name/ -out $d/$name.crt -text " - . "-engine pkcs11 -keyform engine -key id_00 " + . "-key pkcs11:object=key0 " . ">>$d/openssl.out 2>&1") == 0 or die "Can't create certificate for $name: $!\n"; + + system('pkcs11-tool ' + . "--module=$softhsm " + . '--token-label token0 --pin 1234 --login ' + . "--write-object $d/$name.crt --type cert --label cert-$name " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't store certificate to pkcs11 token: $!\n"; } $t->run()->plan(2); @@ -176,7 +193,7 @@ foreach my $name ('localhost') { ############################################################################### -like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys'); +like(http_get('/proxy'), qr/200 OK/, 'ssl store libp11 pkcs11prov'); like(http_get('/var'), qr/200 OK/, 'ssl_certificate with variable'); ###############################################################################
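Review bot: The new `or die "Can't store certificate to pkcs11 token: $!\n"` reports `$!`, but when `system` ran the command and it exited non-zero, `$!` is not set by that failure; the status is in `$?`, so the message will usually show a stale or empty errno. Report the status instead, e.g. `or die "Can't store certificate to pkcs11 token: status " . ($? >> 8) . "\n";` (the context line above for `openssl req` has the same pattern, but is pre-existing). Both commands append stdout and stderr to `$d/openssl.out`, so naming that file in the message would point whoever reads a failed run at the actual pkcs11-tool output. The enclosing `foreach my $name ('localhost')` loop opens before this hunk; only its closing brace is inside it.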
