Re: svn commit: r1914365 - in /httpd/httpd/trunk: changes-entries/ssl-providers.txt docs/log-message-tags/next-number docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_p
On 13.12.2023 10:55, Joe Orton wrote:
> On Wed, Dec 06, 2023 at 01:02:01PM +0100, Yann Ylavic wrote:
>> Oh, scratch that. Actually the engine API requires a "SSLCryptoDevice
>> pkcs11" too, so we wouldn't take the !mc->szCryptoDevice path.
>> Sorry for the noise.
>
> Yes it should remain compatible like that, though you prompted me to
> re-read that and it would break for a no-engine build: r1914622.

Good catch!
How would one compile without OpenSSL having the engine API? At least currently, any supported OpenSSL version still does have the Engine API.

> I am not sure but we might want to add a new directive (yay) which loads
> a named provider, or we could rely on users doing that in openssl.cnf
> since configuring providers may be non-trivial (e.g. [1]).

I would not try to load a named provider. While loading a named provider can be done using the OpenSSL provider API, it is not possible to supply configuration parameters to that provider after loading it. Most providers I know do need specific configuration settings; they won't work without them, especially the PKCS#11 providers. So we must rely on users doing that in openssl.cnf.

> Other thing a colleague mentioned was that we may want to expand the list
> of URI schemes accepted here from just pkcs11://.

Sure, the provider code in general should work for any kind of URIs, not only 'pkcs11:'. It would even work for the 'file:' URI, loading the keys/certs from PEM files (like the non-provider/non-engine code is doing already). Actually it would even work for file names without a scheme at all, since the default scheme is 'file:' anyway. So it could theoretically replace the non-provider/non-engine load key/cert code (not that I would suggest changing that as of today).
> [1] https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/initialization.md#tpm-command-transmission-interface-tcti

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Gregor Pillen
Management: David Faller
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
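The openssl.cnf side of "SSLCryptoDevice provider", as an added example that is not part of the httpd patch or of any provider's documentation. Section names are free choices; the two module paths are assumptions for a typical x86_64 Linux layout, and the `pkcs11-module-path` key is the one read by the latchset pkcs11-provider (other PKCS#11 providers use their own keys, so check the documentation of the one you deploy):

```ini
# openssl.cnf: activate the default provider plus a PKCS#11 STORE provider.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# provider shared object (path assumed) and the PKCS#11 module it should load
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/opensc-pkcs11.so
activate = 1

# Matching httpd.conf directives, shown as comments because this file is
# openssl.cnf; the token label and object labels are made up:
#   SSLCryptoDevice        provider
#   SSLCertificateFile     "pkcs11:token=Web%20Server;object=tls-cert;type=cert"
#   SSLCertificateKeyFile  "pkcs11:token=Web%20Server;object=tls-key;type=private"
```

Keep the `default = default_sect` / `activate = 1` pair: once any provider is activated explicitly in the config, OpenSSL no longer loads the default provider on its own and TLS itself stops working. Before touching httpd, check that OpenSSL resolves the identifier with the same config, e.g. `openssl storeutl -text 'pkcs11:token=Web%20Server;object=tls-cert;type=cert'`; if that fails, no mod_ssl change will help. The token PIN belongs in the provider's own configuration or a `pin-source=` reference, not as `pin-value=` inside httpd.conf, where it would be readable to anyone who can read the server config and would be echoed in every log line that prints the identifier.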
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
>
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki wrote:
>>>
>>>> The mod_ssl module has support for loading keys and certificates from
>>>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and
>>>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11
>>>> (https://github.com/OpenSC/libp11).
>>>>
>>>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
>>>> provider concept is used.
>>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
>>>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>>>> and newer distributions all have OpenSSL 3.x included.
>>>> Currently, engines do still work, but since they are deprecated, they will
>>>> at some point in time no longer be working.
>>>>
>>>> With OpenSSL 3.x providers one can implement loading of keys and
>>>> certificates by implementing a STORE method.
>>>> With this, keys and certificates can be loaded for example from PKCS#11
>>>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>>>
>>>> Please find below some code changes required to support loading the server
>>>> private key and certificates from a PKCS#11 provider using OpenSSL STORE
>>>> providers.
>>>
>>> Definite +1 in principle.
>
> +1, thanks for the patch!
>
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
>
> Yes please do this, it's easier to comment on the code and it also
> gets tested by the ci.

See https://github.com/apache/httpd/pull/397

> Regards;
> Yann.
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 02.12.2023 11:20, Graham Leggett via dev wrote:
> On 27 Nov 2023, at 15:02, Ingo Franzki wrote:
>
>> The mod_ssl module has support for loading keys and certificates from
>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and
>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11
>> (https://github.com/OpenSC/libp11).
>>
>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
>> provider concept is used.
>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>> and newer distributions all have OpenSSL 3.x included.
>> Currently, engines do still work, but since they are deprecated, they will
>> at some point in time no longer be working.
>>
>> With OpenSSL 3.x providers one can implement loading of keys and
>> certificates by implementing a STORE method.
>> With this, keys and certificates can be loaded for example from PKCS#11
>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>
>> Please find below some code changes required to support loading the server
>> private key and certificates from a PKCS#11 provider using OpenSSL STORE
>> providers.
>
> Definite +1 in principle.
>
>> Index: docs/manual/mod/mod_ssl.html.en.utf8
>> ===
>> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
>> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
>> @@ -666,7 +666,7 @@
>
> Would it be possible to patch mod_ssl.xml instead of the html file, the html
> is autogenerated.

Sure, see updated patch attached.

>> Index: modules/ssl/ssl_engine_config.c
>> ===
>> --- modules/ssl/ssl_engine_config.c (revision 1914150)
>> +++ modules/ssl/ssl_engine_config.c (working copy)
>> @@ -689,6 +689,11 @@
>> if (strcEQ(arg, "builtin")) {
>> mc->szCryptoDevice = NULL;
>> }
>> +#if MODSSL_USE_OPENSSL_STORE
>> +else if (strcEQ(arg, "provider")) {
>> +mc->szCryptoDevice = arg;
>> +}
>> +#endif
>> #if MODSSL_HAVE_ENGINE_API
>
> This patch isn’t applying for me, looks like the leading spaces have been
> lost. Would it be possible to try attach it as a file?

Please see the patch file attached.
I also fixed two minor bugs that I found during testing.

You can also look at the patch here:
https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931

If you want, I can even submit a pull request to https://github.com/apache/httpd.
Let me know what you prefer.

> Regards,
> Graham
> —

Index: docs/manual/mod/mod_ssl.xml
===
--- docs/manual/mod/mod_ssl.xml (revision 1914150)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -955,7 +955,7 @@ stored in a token. Currently, only https://tools.ietf.org/html/rfc7512";>PKCS#11 URIs are recognized as certificate identifiers, and can be used in conjunction -with the OpenSSL pkcs11 engine. If pkcs11 engine or provider. If SSLCertificateKeyFile is omitted, the certificate and private key can be loaded through the single identifier specified with https://tools.ietf.org/html/rfc7512";>PKCS#11 URIs are recognized as private key identifiers, and can be used in conjunction with the OpenSSL -pkcs11 engine. +pkcs11 engine or provider. Example
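Review bot: the new `else if (strcEQ(arg, "provider"))` branch in the ssl_engine_config.c hunk is compiled only under `#if MODSSL_USE_OPENSSL_STORE`, so on a build where that macro is not set `SSLCryptoDevice provider` drops straight through to the `#if MODSSL_HAVE_ENGINE_API` block that follows and is looked up as an engine name, and the user gets an engine-lookup failure that says nothing about the real cause. Add an `#else` that rejects `provider` on non-STORE builds with a message naming the OpenSSL version requirement, so the diagnostic matches the configuration error.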
@@ -2442,6 +2442,14 @@ SSLCryptoDevice ubsec + + +With OpenSSL 3.0 or later, specify provider to load keys and +certificates from a provider using https://tools.ietf.org/html/rfc7512";>PKCS#11 URIs. +The provider to use must be defined and configured in the OpenSSL config file, +and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html";>STORE method +for https://tools.ietf.org/html/rfc7512";>PKCS#11 URIs. + Index: modules/ssl/ssl_engine_config.c === --- modules/ssl/ssl_engine_config.c (revision 1914150) +++ modules/ssl/ssl_engine_config.c (working copy) @@ -689,6 +689,11 @@ if (strcEQ(arg, "builtin")) { mc
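Review bot: the new SSLCryptoDevice paragraph says the provider "must be defined and configured in the OpenSSL config file" but does not name that file or show the minimal shape of the configuration; since the thread settles on relying on openssl.cnf instead of a new directive, this paragraph is the only place a user will learn what is expected, so say explicitly that it is OpenSSL's own openssl.cnf, that the provider section needs `activate = 1`, and point to the provider's documentation for its module-specific keys (the tpm2-openssl link cited in the thread is one such page). It would also help to state here that the directive value is accepted only when mod_ssl is built with MODSSL_USE_OPENSSL_STORE, matching the guard in ssl_engine_config.c.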
mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
if (!info) { +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) + "Init: OSSL_STORE_load failed for private key identifier `%s'", + keyid); +OSSL_STORE_close(sctx); +return ssl_die(s); +} + +switch (OSSL_STORE_INFO_get_type(info)) { +case OSSL_STORE_INFO_PKEY: +*privkey = OSSL_STORE_INFO_get1_PKEY(info); +break; +default: +OSSL_STORE_INFO_free(info); +continue; +} + +OSSL_STORE_INFO_free(info); +break; +} + +OSSL_STORE_close(sctx); + +if (!*privkey) { +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) + "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", + keyid); +OSSL_STORE_close(sctx); +return ssl_die(s); +} + +if (certid) { +*pubkey = NULL; + +sctx = OSSL_STORE_open(certid, ui_method, &ppcb, NULL, NULL); +if (!sctx) { +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) + "Init: OSSL_STORE_open failed for certificate identifier `%s'", + certid); +return ssl_die(s); +} + +while (!OSSL_STORE_eof(sctx)) { +OSSL_STORE_INFO *info = OSSL_STORE_load(sctx); +if (!info) { +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) + "Init: OSSL_STORE_load failed for certificate identifier `%s'", + certid); +OSSL_STORE_close(sctx); +return ssl_die(s); +} + +switch (OSSL_STORE_INFO_get_type(info)) { +case OSSL_STORE_INFO_CERT: +*pubkey = OSSL_STORE_INFO_get0_CERT(info); +break; +default: +OSSL_STORE_INFO_free(info); +continue; +} + +OSSL_STORE_INFO_free(info); +break; +} + +OSSL_STORE_close(sctx); + +if (!*pubkey) { +ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131) + "Init: OSSL_STORE_INFO_PKEY lookup failed for certificate identifier `%s'", + certid); +return ssl_die(s); +} +} + +return APR_SUCCESS; +} +#endif + +apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, +const char *vhostid, +const char *certid, const char *keyid, +X509 **pubkey, EVP_PKEY **privkey) +{ +#if MODSSL_USE_OPENSSL_STORE +SSLModConfigRec *mc = myModConfig(s); + +if (strcEQ(mc->szCryptoDevice, "provider")) +return 
modssl_load_keypair_store(s, p, vhostid, certid, keyid, + pubkey, privkey); +#endif +#if MODSSL_HAVE_ENGINE_API +return modssl_load_keypair_engine(s, p, vhostid, certid, keyid, + pubkey, privkey); #else return APR_ENOTIMPL; #endif Index: modules/ssl/ssl_private.h === --- modules/ssl/ssl_private.h (revision 1914150) +++ modules/ssl/ssl_private.h (working copy) @@ -118,6 +118,13 @@ #define MODSSL_HAVE_ENGINE_API 0 #endif +/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with + * OpenSSL 3.0 + */ +#if OPENSSL_VERSION_NUMBER >= 0x3000 +#define MODSSL_USE_OPENSSL_STORE 1 +#endif + #if (OPENSSL_VERSION_NUMBER < 0x0090801f) #error mod_ssl requires OpenSSL 0.9.8a or later #endif Index: modules/ssl/ssl_util.c ======= --- modules/ssl/ssl_util.c (revision 1914150) +++ modules/ssl/ssl_util.c (working copy) @@ -500,7 +500,7 @@ int modssl_is_engine_id(const char *name) { -#if MODSSL_USE_ENGINE_API +#if MODSSL_USE_ENGINE_API || MODSSL_USE_OPENSSL_STORE /* ### Can handle any other special ENGINE key names here? */ return strncmp(name, "pkcs11:", 7) == 0; #else -- Ingo Franzki eMail: ifran...@linux.ibm.com Tel: ++49 (0)7031-16-4648 Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Gregor Pillen Geschäftsführung: David Faller Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294 IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
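Review bot: `*pubkey = OSSL_STORE_INFO_get0_CERT(info);` followed by `OSSL_STORE_INFO_free(info);` in the certificate loop leaves `*pubkey` pointing at freed memory: get0 does not take a reference, so freeing the info frees the certificate with it. Use `OSSL_STORE_INFO_get1_CERT()` here, as the key loop already does with `get1_PKEY`. In the same function: the private-key path calls `OSSL_STORE_close(sctx)` after the loop and then again inside `if (!*privkey)`, a double close; the `!*pubkey` message reads `OSSL_STORE_INFO_PKEY lookup failed` although it is about a certificate identifier; every `ap_log_error` reuses `APLOGNO(10131)`, whereas each message needs its own tag (that is what docs/log-message-tags/next-number is for); and `strcEQ(mc->szCryptoDevice, "provider")` in `modssl_load_engine_keypair` is evaluated before anything checks for a NULL `szCryptoDevice`, which `SSLCryptoDevice builtin` sets per the ssl_engine_config.c hunk, so a `pkcs11:` identifier with the default device dereferences NULL now that `modssl_is_engine_id()` returns true for it on STORE builds.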
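Review bot: `#if OPENSSL_VERSION_NUMBER >= 0x3000` in the ssl_private.h hunk does not test for OpenSSL 3.0. OPENSSL_VERSION_NUMBER packs major, minor, fix, patch and status into one word, so 3.0.0 is `0x30000000L`; the existing floor check a few lines below is written in that form (`0x0090801f`). As written the condition holds for every OpenSSL this file accepts, so MODSSL_USE_OPENSSL_STORE is defined, and the OSSL_STORE code compiled, on 1.x builds as well. Change the constant to `0x30000000L`, and add an `#else` that defines MODSSL_USE_OPENSSL_STORE to 0 so the `#if MODSSL_USE_OPENSSL_STORE` tests in the other files do not depend on an undefined identifier evaluating to zero.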
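Review bot: the context line `-#if MODSSL_USE_ENGINE_API` in the ssl_util.c hunk tests a macro spelled differently from the `MODSSL_HAVE_ENGINE_API` that ssl_private.h defines and that the new ssl_engine_pphrase.c code uses; if the two names really differ, `modssl_is_engine_id()` only recognizes `pkcs11:` through the added `|| MODSSL_USE_OPENSSL_STORE` half and would return 0 on a build without STORE even when engines are available. Please confirm which name is actually defined and use it consistently. Since the function is now the single gate for both the engine and the STORE loader, a comment stating that `pkcs11:` is deliberately the only scheme accepted for now would also help the follow-up discussed on the list about accepting other URI schemes.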
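The scheme check in `modssl_is_engine_id()` above, and the list discussion about accepting URI schemes other than `pkcs11:` (with a scheme-less name defaulting to `file:`), are easier to reason about with a small stand-alone program. The following is an added example, not httpd or OpenSSL code; every function name in it is hypothetical. It classifies a SSLCertificateFile/SSLCertificateKeyFile value as a plain file or as a URI for the STORE/engine loader, and parses the path and query attributes of an RFC 7512 `pkcs11:` URI with percent-decoding, which is what a loader needs before it can tell `type=cert` from `type=private` or spot a PIN embedded as `pin-value=`:

```c
/* Added example (not httpd/OpenSSL code; helper names are hypothetical): classify
 * a SSLCertificate(Key)File value and parse an RFC 7512 pkcs11: URI. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 16
struct kv { char key[32]; char val[128]; };
struct pkcs11_uri {
    struct kv path[MAX_ATTRS];  int npath;   /* token=, object=, type=, ... */
    struct kv query[MAX_ATTRS]; int nquery;  /* pin-value=, pin-source=, ... */
};

/* RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ':'.
 * Returns the scheme length, or 0 for a bare path (OpenSSL STORE's default file:). */
size_t uri_scheme_len(const char *id)
{
    size_t i;
    if (!isalpha((unsigned char)id[0])) return 0;
    for (i = 1; id[i] != '\0'; i++) {
        unsigned char c = (unsigned char)id[i];
        if (c == ':') return i;
        if (!isalnum(c) && c != '+' && c != '-' && c != '.') return 0;
    }
    return 0;
}

/* modssl_is_engine_id() generalized beyond "pkcs11:": any scheme except file:
 * goes to the STORE/engine loader; a scheme-less path stays with the PEM code. */
int id_needs_store(const char *id)
{
    size_t n = uri_scheme_len(id);
    return n != 0 && !(n == 4 && strncmp(id, "file", 4) == 0);
}

/* Percent-decode s[0..n) into out; returns 0 on a malformed escape or overflow. */
static int pct_decode(const char *s, size_t n, char *out, size_t outsz)
{
    static const char HEX[] = "0123456789abcdef";
    const char *h, *l;
    size_t i, o = 0;
    for (i = 0; i < n; i++) {
        if (o + 1 >= outsz) return 0;
        if (s[i] != '%') { out[o++] = s[i]; continue; }
        if (i + 2 >= n || !(h = strchr(HEX, tolower((unsigned char)s[i + 1])))
                       || !(l = strchr(HEX, tolower((unsigned char)s[i + 2])))) return 0;
        out[o++] = (char)((h - HEX) * 16 + (l - HEX));
        i += 2;
    }
    out[o] = '\0';
    return 1;
}

/* Split "k=v<sep>k=v..." into decoded pairs; returns the count, or -1 on error. */
static int parse_attrs(const char *s, size_t n, char sep, struct kv *out, int max)
{
    int cnt = 0;
    while (n > 0) {
        const char *end = memchr(s, sep, n), *eq;
        size_t len = end ? (size_t)(end - s) : n;
        if (cnt >= max || (eq = memchr(s, '=', len)) == NULL
            || !pct_decode(s, (size_t)(eq - s), out[cnt].key, sizeof out[cnt].key)
            || !pct_decode(eq + 1, len - (size_t)(eq - s) - 1, out[cnt].val, sizeof out[cnt].val))
            return -1;
        cnt++;
        if (end == NULL) break;
        s = end + 1;
        n -= len + 1;
    }
    return cnt;
}

/* Parse "pkcs11:<path attrs, ';'-separated>[?<query attrs, '&'-separated>]"; 1 = ok. */
int parse_pkcs11_uri(const char *id, struct pkcs11_uri *u)
{
    size_t n = uri_scheme_len(id);
    const char *p, *q;
    if (n != 6 || strncmp(id, "pkcs11", 6) != 0) return 0;
    p = id + n + 1;
    q = strchr(p, '?');
    u->npath = parse_attrs(p, q ? (size_t)(q - p) : strlen(p), ';', u->path, MAX_ATTRS);
    u->nquery = q ? parse_attrs(q + 1, strlen(q + 1), '&', u->query, MAX_ATTRS) : 0;
    return u->npath >= 0 && u->nquery >= 0;
}

const char *pkcs11_attr(const struct kv *kv, int n, const char *key)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(kv[i].key, key) == 0) return kv[i].val;
    return NULL;
}

int main(void)
{
    /* Constructed identifier, not from any real deployment. A PIN passed as
     * pin-value= ends up in httpd.conf and in any log line that echoes the id. */
    const char *id = "pkcs11:token=Web%20Server;object=tls-key;type=private?pin-value=1234";
    struct pkcs11_uri u;
    if (id_needs_store(id) && parse_pkcs11_uri(id, &u))
        printf("token=\"%s\" type=%s inline-pin=%s\n", pkcs11_attr(u.path, u.npath, "token"),
               pkcs11_attr(u.path, u.npath, "type"),
               pkcs11_attr(u.query, u.nquery, "pin-value") ? "yes" : "no");
    return 0;
}
```

Two design points carry over to a real loader. A scheme-less value such as `conf/ssl/server.key` must keep taking the PEM path, which is why the check insists on a valid RFC 3986 scheme rather than merely on a colon being present; and a PIN that arrives as `pin-value=` in the path of a server directive is a secret in a config file, so a loader should at least warn and prefer `pin-source=` or the provider's own configuration.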