Hello,

The attached patch allows loading PKCS #11 URLs in the ssl_certificate_key. That is, one only needs to specify:

ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234"

to access a key in a HSM. That's the only step required. That extends the previous approach which is generic, but tedious, and requires modifying openssl config files shared with other apps. See [0] for comparison.

This works with the latest engine_pkcs11, and p11-kit (which takes care of module registration). Note that PKCS #11 URLs, described in RFC7512, are becoming the way to specify keys stored in PKCS #11 modules. engine_pkcs11 supports them already, as well as gnutls natively. See also fedora's stance on them [1].

regards,
Nikos

[0]. http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
[1]. https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
# HG changeset patch # User Nikos Mavrogiannopoulos <n...@redhat.com> # Date 1434720898 -7200 # Fri Jun 19 15:34:58 2015 +0200 # Branch pkcs11 # Node ID 0870b441d666234edd95578ae740f24554179b68 # Parent 311d232ad803c8580c498763710005b91d30b748 Allow loading a PKCS #11 URL (RFC7512) from ssl_certificate_key That requires the URL to be quoted because of the ';' chars. Such URLs couldn't be loaded via the current engine interface. That approach also automatically loads the pkcs11 module, and thus requires no changes in openssl global configuration files. diff -r 311d232ad803 -r 0870b441d666 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Tue Jun 16 00:43:00 2015 +0300 +++ b/src/event/ngx_event_openssl.c Fri Jun 19 15:34:58 2015 +0200 @@ -439,6 +439,46 @@ return NGX_OK; + } else if (ngx_strncmp(key->data, "pkcs11:", sizeof("pkcs11:") - 1) == 0) { + ENGINE *engine; + EVP_PKEY *pkey; + + engine = ENGINE_by_id("pkcs11"); + if (engine == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "ENGINE_by_id(pkcs11) failed"); + return NGX_ERROR; + } + + if (ENGINE_init(engine) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "ENGINE_init(pkcs11) failed"); + ENGINE_free(engine); + return NGX_ERROR; + } + + pkey = ENGINE_load_private_key(engine, (char *) key->data, 0, 0); + + if (pkey == NULL) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "ENGINE_load_private_key(\"%s\") failed", key->data); + ENGINE_free(engine); + return NGX_ERROR; + } + + ENGINE_free(engine); + + if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data); + EVP_PKEY_free(pkey); + return NGX_ERROR; + } + + EVP_PKEY_free(pkey); + + return NGX_OK; + } else { #else ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
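Review bot: the new pkcs11 branch leaks the functional reference taken by ENGINE_init(): once ENGINE_init(engine) has returned non-zero, every exit path (the ENGINE_load_private_key() failure path and the normal path after the key is loaded) calls only ENGINE_free(engine), but the functional reference has to be released first with ENGINE_finish(engine) before ENGINE_free(engine); as written the engine (and the PKCS #11 module it loaded) is never finished. A second point is that both ngx_ssl_error() calls print key->data with "%s", and with the pin-value attribute the URL carries the token PIN in clear text, so a failed ENGINE_load_private_key() or SSL_CTX_use_PrivateKey() writes the PIN into the error log; log the URL with the pin-value attribute stripped, or log only that a pkcs11 key failed to load. Minor: since the value of ENGINE_load_private_key() is handed over with EVP_PKEY_free(pkey) right after SSL_CTX_use_PrivateKey(), the ordering is correct, but a short comment that SSL_CTX_use_PrivateKey() takes its own reference would help later readers.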
_______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
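The patch above hands the whole URL string to the engine and echoes it back in error messages. As an added example, not part of the patch or of nginx, the following C program parses the path part of an RFC 7512 "pkcs11:" URL into name/value attributes (splitting on ';' and percent-decoding values, so "SoftHSM%20v2" becomes "SoftHSM v2") and builds a log-safe copy of the URL with the pin-value attribute masked. The attribute names used below come from RFC 7512; the serial value is the one from the message, while the object name "tls-key" and the MAX_ATTRS limit are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on attributes we keep per URL (assumption for this example). */
#define MAX_ATTRS 16

typedef struct {
    char name[32];
    char value[128];
} p11_attr;

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..len) into dst (capacity n). 0 on success, -1 on a
   truncated or non-hex escape or when the result would not fit. */
static int pct_decode(const char *src, size_t len, char *dst, size_t n)
{
    size_t i, o = 0;

    for (i = 0; i < len; i++) {
        int c = (unsigned char) src[i];
        if (c == '%') {
            int hi, lo;
            if (i + 2 >= len) return -1;          /* "%" or "%x" at the end */
            hi = hexval(src[i + 1]);
            lo = hexval(src[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= n) return -1;
        dst[o++] = (char) c;
    }
    dst[o] = '\0';
    return 0;
}

/* Parse the path attributes of a pkcs11: URL (the part before any '?').
   Returns the number of attributes stored in out, or -1 on a wrong scheme,
   a segment without '=', a bad escape, or more than max attributes. */
int p11_parse(const char *url, p11_attr *out, int max)
{
    const char *p, *end, *semi, *eq;
    int n = 0;

    if (strncmp(url, "pkcs11:", sizeof("pkcs11:") - 1) != 0) return -1;
    p = url + sizeof("pkcs11:") - 1;
    end = strchr(p, '?');                         /* query part is ignored here */
    if (end == NULL) end = p + strlen(p);

    while (p < end) {
        semi = memchr(p, ';', (size_t) (end - p));
        if (semi == NULL) semi = end;
        eq = memchr(p, '=', (size_t) (semi - p));
        if (eq == NULL || n >= max) return -1;
        if ((size_t) (eq - p) >= sizeof out[n].name) return -1;
        memcpy(out[n].name, p, (size_t) (eq - p));
        out[n].name[eq - p] = '\0';
        if (pct_decode(eq + 1, (size_t) (semi - eq - 1),
                       out[n].value, sizeof out[n].value) != 0) return -1;
        n++;
        p = semi + 1;
    }
    return n;
}

/* Decoded value of the attribute called name, or NULL if it is absent. */
const char *p11_get(const p11_attr *a, int n, const char *name)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(a[i].name, name) == 0) return a[i].value;
    return NULL;
}

/* Copy url into buf with the pin-value attribute's value replaced by "***",
   so the string can go into an error log without exposing the PIN. */
int p11_redact(const char *url, char *buf, size_t n)
{
    const char *s = url, *e;
    size_t prefix;

    for (;;) {                                    /* find a real attribute start */
        s = strstr(s, "pin-value=");
        if (s == NULL || s == url || strchr(":;?&", s[-1]) != NULL) break;
        s++;
    }
    if (s == NULL) {
        if (strlen(url) + 1 > n) return -1;
        strcpy(buf, url);
        return 0;
    }
    prefix = (size_t) (s - url) + strlen("pin-value=");
    e = strpbrk(s, ";?");                         /* value ends at next attribute */
    if (e == NULL) e = url + strlen(url);
    if (prefix + 3 + strlen(e) + 1 > n) return -1;
    memcpy(buf, url, prefix);
    memcpy(buf + prefix, "***", 3);
    strcpy(buf + prefix + 3, e);
    return 0;
}

int main(void)
{
    /* Constructed sample URL in the shape the message describes. */
    const char *url = "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;object=tls-key;pin-value=1234";
    p11_attr attrs[MAX_ATTRS];
    char safe[256];
    int n = p11_parse(url, attrs, MAX_ATTRS);

    if (n < 0 || p11_redact(url, safe, sizeof safe) != 0) return 1;
    printf("%d attributes, model=\"%s\"\n", n, p11_get(attrs, n, "model"));
    printf("loggable form: %s\n", safe);
    return 0;
}
```

p11_redact() is the shape of helper the error paths in the patch would want: keep the full URL for ENGINE_load_private_key(), but pass only the redacted copy to ngx_ssl_error().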