Hello! On Fri, Nov 21, 2014 at 04:09:01PM +0300, Maxim Dounin wrote:
> On Fri, Nov 21, 2014 at 08:22:13AM +0300, Dmitrii Pichulin wrote:
> 
> > Ping.
> > 
> > Patch:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> > 
> > Example:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
> 
> Thanks again and sorry, still no time. I hope I'll be able to
> look into it in the next week or so.

Below is the patch with some minor tweaking to better match nginx code
style, please check if it looks ok for you.

And, BTW, thanks for the detailed usage example, it was really helpful
even on FreeBSD (just one side note: "ssl_engine pkcs11" in nginx config
isn't needed).

# HG changeset patch
# User Dmitrii Pichulin
# Date 1407135800 -14400
#      Mon Aug 04 11:03:20 2014 +0400
# Node ID 33d24b89fa274b7fdbfaec9c28f4b553ddc14712
# Parent  16be523be8e4541f45ba98c8071295f267ff14ff
SSL: loading certificate keys via ENGINE_load_private_key().

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -376,6 +376,67 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ BIO_free(bio); + if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { + +#ifndef OPENSSL_NO_ENGINE + + u_char *p, *last; + ENGINE *engine; + EVP_PKEY *pkey; + + p = key->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); + + if (last == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid syntax in \"%V\"", key); + return NGX_ERROR; + } + + *last = '\0'; + + engine = ENGINE_by_id((char *) p); + + if (engine == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "ENGINE_by_id(\"%s\") failed", p); + return NGX_ERROR; + } + + *last++ = ':'; + + pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); + + if (pkey == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "ENGINE_load_private_key(\"%s\") failed", last); + ENGINE_free(engine); + return NGX_ERROR; + } + + ENGINE_free(engine); + + if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_use_PrivateKey(\"%s\") failed", last); + EVP_PKEY_free(pkey); + return NGX_ERROR; + } + + EVP_PKEY_free(pkey); + + return NGX_OK; + +#else + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "loading \"engine:...\" certificate keys " + "is not supported"); + return NGX_ERROR; + +#endif + } + if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) { return NGX_ERROR; } -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx-devel
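Review bot: ENGINE_load_private_key() needs a functional reference to the engine, but the new "engine:" block in ngx_ssl_certificate() only takes a structural reference via ENGINE_by_id() and never calls ENGINE_init(), so the load fails with ENGINE_R_NOT_INITIALISED unless something else has already initialised the engine (an ssl_engine directive or an engine section in openssl.cnf, which is likely why the usage example carried "ssl_engine pkcs11"). Suggest adding `if (!ENGINE_init(engine)) { ... ENGINE_free(engine); return NGX_ERROR; }` right after the ENGINE_by_id() NULL check, and calling ENGINE_finish(engine) before each existing ENGINE_free(engine), on both the pkey == NULL path and the success path. Minor: the ENGINE_by_id() failure path returns while *last is still '\0', leaving the key string in the parsed configuration truncated; moving `*last++ = ':';` to directly after the ENGINE_by_id() call, ahead of its NULL check, restores the separator on every path.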
