Re: svn commit: r1914365 - in /httpd/httpd/trunk: changes-entries/ssl-providers.txt docs/log-message-tags/next-number docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_p

2023-12-13 Thread Ingo Franzki
On 13.12.2023 10:55, Joe Orton wrote:
> On Wed, Dec 06, 2023 at 01:02:01PM +0100, Yann Ylavic wrote:
>> Oh, scratch that. Actually the engine API requires a "SSLCryptoDevice
>> pkcs11" too, so we wouldn't take the !mc->szCryptoDevice path.
>> Sorry for the noise.
> 
> Yes it should remain compatible like that, though you prompted me to 
> re-read that and it would break for a no-engine build: r1914622.
Good catch!
How would one compile without OpenSSL having the engine API?
At least currently, any supported OpenSSL version still does have the Engine 
API. 
> 
> I am not sure but we might want to add a new directive (yay) which loads 
> a named provider, or we could rely on users doing that in openssl.cnf 
> since configuring providers may be non-trivial (e.g. [1]).
I would not try to load a named provider. While loading a named provider can be
done using the OpenSSL provider API, it is not possible to supply configuration
parameters to that provider after loading it.
Most providers I know do need specific configuration settings; they won't work
without them, especially the PKCS#11 providers.
So we must rely on users doing that in openssl.cnf.
> 
> Another thing a colleague mentioned was that we may want to expand the list 
> of URI schemes accepted here from just pkcs11://.
Sure, the provider code in general should work for any kind of URI, not only
'pkcs11:'.
It would even work for the 'file:' URI, loading the keys/certs from PEM files
(like the non-provider/non-engine code is doing already).
Actually it would even work for file names without a scheme at all, since the
default scheme is 'file:' anyway.
So it could theoretically replace the non-provider/non-engine key/cert loading
code (not that I would suggest changing that as of today).
> 
> [1] 
> https://github.com/tpm2-software/tpm2-openssl/blob/master/docs/initialization.md#tpm-command-transmission-interface-tcti
> 

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 
243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
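An added example, not part of the thread and not httpd or OpenSSL project material, of the openssl.cnf setup the reply above says has to be left to the user: it activates a PKCS#11 provider next to the default provider. The module path, the PKCS#11 library, the PIN file and the `pkcs11-module-*` option names are assumptions taken from the OpenSC pkcs11-provider project and must be checked against the provider actually deployed; the token name and object labels in the usage note are made up as well.

```ini
# Added example (not from the thread, httpd or OpenSSL): openssl.cnf that
# activates a PKCS#11 provider alongside the default provider.  Paths and
# the pkcs11-module-* option names are assumptions (OpenSC pkcs11-provider);
# verify them against the provider you deploy.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
# Once any provider section is listed, OpenSSL no longer activates the
# default provider implicitly; without this line TLS ciphers go missing.
activate = 1

[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
# The PKCS#11 library the provider drives (SoftHSM here, assumed path).
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
# PIN from a root-only file, so it never appears in httpd.conf or a URI.
pkcs11-module-token-pin = file:/etc/httpd/token.pin
activate = 1
```

With that in place httpd needs only `SSLCryptoDevice provider` plus `SSLCertificateFile "pkcs11:token=httpd;object=server;type=cert"` and `SSLCertificateKeyFile "pkcs11:token=httpd;object=server;type=private"`. Keep the PIN in the provider configuration or behind an RFC 7512 `pin-source` attribute rather than a `pin-value` attribute in the URI, so it does not end up in httpd.conf, and check the provider outside httpd first with `openssl storeutl -keys 'pkcs11:token=httpd;object=server;type=private'`, which exercises the same STORE loader mod_ssl will call.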



Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-04 Thread Ingo Franzki
On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
> 
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki  wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
>>>
>>>> The mod_ssl module has support for loading keys and certificates from 
>>>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>>>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>>>> (https://github.com/OpenSC/libp11).
>>>>
>>>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
>>>> provider concept is used.
>>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>>>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>>>> and newer distributions all have OpenSSL 3.x included.
>>>> Currently, engines do still work, but since they are deprecated, they will 
>>>> at some point in time no longer be working.
>>>>
>>>> With OpenSSL 3.x providers one can implement loading of keys and 
>>>> certificates by implementing a STORE method.
>>>> With this, keys and certificates can be loaded for example from PKCS#11 
>>>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>>>
>>>> Please find below some code changes required to support loading the server 
>>>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>>>> providers.
>>>
>>> Definite +1 in principle.
> 
> +1, thanks for the patch!
> 
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to 
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
> 
> Yes please do this, it's easier to comment on the code and it also
> gets tested by the CI.
See https://github.com/apache/httpd/pull/397
> 
> 
> Regards;
> Yann.

-- 
Ingo Franzki



Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-03 Thread Ingo Franzki
On 02.12.2023 11:20, Graham Leggett via dev wrote:
> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
> 
>> The mod_ssl module has support for loading keys and certificates from 
>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>> (https://github.com/OpenSC/libp11). 
>>
>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
>> provider concept is used.
>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
>> and newer distributions all have OpenSSL 3.x included.
>> Currently, engines do still work, but since they are deprecated, they will 
>> at some point in time no longer be working.
>>
>> With OpenSSL 3.x providers one can implement loading of keys and 
>> certificates by implementing a STORE method.
>> With this, keys and certificates can be loaded for example from PKCS#11 
>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 
>>
>> Please find below some code changes required to support loading the server 
>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>> providers. 
> 
> Definite +1 in principle.
> 
>> Index: docs/manual/mod/mod_ssl.html.en.utf8
>> ===
>> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
>> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
>> @@ -666,7 +666,7 @@
> 
> Would it be possible to patch mod_ssl.xml instead of the html file, the html 
> is autogenerated.
Sure, see updated patch attached.
> 
>> Index: modules/ssl/ssl_engine_config.c
>> ===
>> --- modules/ssl/ssl_engine_config.c  (revision 1914150)
>> +++ modules/ssl/ssl_engine_config.c  (working copy)
>> @@ -689,6 +689,11 @@
>> if (strcEQ(arg, "builtin")) {
>> mc->szCryptoDevice = NULL;
>> }
>> +#if MODSSL_USE_OPENSSL_STORE
>> +else if (strcEQ(arg, "provider")) {
>> +mc->szCryptoDevice = arg;
>> +}
>> +#endif
>> #if MODSSL_HAVE_ENGINE_API
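Review bot: the new `"provider"` branch exists only under `#if MODSSL_USE_OPENSSL_STORE`, so in a build where that macro is unset `SSLCryptoDevice provider` falls through to the `#if MODSSL_HAVE_ENGINE_API` code that follows and is treated as an engine name instead of being rejected as unsupported. An unconditional `else if (strcEQ(arg, "provider"))` returning a "not supported by this OpenSSL build" error would make the misconfiguration visible at startup rather than at the first key load.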
> 
> This patch isn’t applying for me, looks like the leading spaces have been 
> lost. Would it be possible to try attach it as a file?
Please see the patch file attached.
I also fixed two minor bugs that I found during testing. 

You can also look at the patch here:
https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931

If you want, I can even submit a pull request to 
https://github.com/apache/httpd.
Let me know what you prefer.

> 
> Regards,
> Graham
> —
> 

-- 
Ingo Franzki
Index: docs/manual/mod/mod_ssl.xml
===
--- docs/manual/mod/mod_ssl.xml (revision 1914150)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -955,7 +955,7 @@
 stored in a token.  Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are
 recognized as certificate identifiers, and can be used in conjunction
-with the OpenSSL pkcs11 engine.  If pkcs11 engine or provider.  If SSLCertificateKeyFile is omitted, the
 certificate and private key can be loaded through the single
 identifier specified with https://tools.ietf.org/html/rfc7512;>PKCS#11 
URIs are recognized as private key
 identifiers, and can be used in conjunction with the OpenSSL
-pkcs11 engine.
+pkcs11 engine or provider.
 
 Example
 
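Review bot: "pkcs11 engine or provider" makes the two mechanisms sound interchangeable, but they are selected differently: the engine path needs `SSLCryptoDevice pkcs11` (an engine named pkcs11), while the provider path is taken only with `SSLCryptoDevice provider` and then resolves the URI through whichever provider registered a STORE loader for the `pkcs11:` scheme in openssl.cnf, with no engine involved. Suggest wording along the lines of "the OpenSSL pkcs11 engine, or with OpenSSL 3.0 a provider implementing the STORE API for PKCS#11 URIs (see SSLCryptoDevice)" in both the SSLCertificateFile and the SSLCertificateKeyFile paragraph.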
@@ -2442,6 +2442,14 @@
 SSLCryptoDevice ubsec
 
 
+
+
+With OpenSSL 3.0 or later, specify provider to load keys and
+certificates from a provider using https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+The provider to use must be defined and configured in the OpenSSL config file,
+and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html;>STORE 
method
+for https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+
 
 
 
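Review bot: the paragraph should say explicitly that mod_ssl loads no provider itself: with `SSLCryptoDevice provider` the provider has to be activated in the openssl.cnf that libcrypto reads at initialization (the file named by OPENSSL_CONF, or the built-in default), and a `pkcs11:` identifier whose scheme no activated provider can open fails at server start. It would also help to state that `provider` is only accepted when mod_ssl is built against OpenSSL 3.0 or later, matching the `MODSSL_USE_OPENSSL_STORE` guard in ssl_engine_config.c, and that only the `pkcs11:` prefix is recognized even though the STORE API itself is not limited to that scheme.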
Index: modules/ssl/ssl_engine_config.c
===
--- modules/ssl/ssl_engine_config.c (revision 1914150)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -689,6 +689,11 @@
 if (strcEQ(arg, "builtin")) {
 mc->szCryptoD

mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-11-27 Thread Ingo Franzki
   "Init: OSSL_STORE_load failed for private key 
identifier `%s'",
+ keyid);
+OSSL_STORE_close(sctx);
+return ssl_die(s);
+}
+
+switch (OSSL_STORE_INFO_get_type(info)) {
+case OSSL_STORE_INFO_PKEY:
+*privkey = OSSL_STORE_INFO_get1_PKEY(info);
+break;
+default:
+OSSL_STORE_INFO_free(info);
+continue;
+}
+
+OSSL_STORE_INFO_free(info);
+break;
+}
+
+OSSL_STORE_close(sctx);
+
+if (!*privkey) {
+ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key 
identifier `%s'",
+ keyid);
+OSSL_STORE_close(sctx);
+return ssl_die(s);
+}
+
+if (certid) {
+*pubkey = NULL;
+
+sctx = OSSL_STORE_open(certid, ui_method, , NULL, NULL);
+if (!sctx) {
+ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: OSSL_STORE_open failed for certificate 
identifier `%s'",
+ certid);
+return ssl_die(s);
+}
+
+while (!OSSL_STORE_eof(sctx)) {
+OSSL_STORE_INFO *info = OSSL_STORE_load(sctx);
+if (!info) {
+ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: OSSL_STORE_load failed for certificate 
identifier `%s'",
+ certid);
+OSSL_STORE_close(sctx);
+return ssl_die(s);
+}
+
+switch (OSSL_STORE_INFO_get_type(info)) {
+case OSSL_STORE_INFO_CERT:
+*pubkey = OSSL_STORE_INFO_get0_CERT(info);
+break;
+default:
+OSSL_STORE_INFO_free(info);
+continue;
+}
+
+OSSL_STORE_INFO_free(info);
+break;
+}
+
+OSSL_STORE_close(sctx);
+
+if (!*pubkey) {
+ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: OSSL_STORE_INFO_PKEY lookup failed for certificate 
identifier `%s'",
+ certid);
+return ssl_die(s);
+}
+}
+
+return APR_SUCCESS;
+}
+#endif
+
+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
+const char *vhostid,
+const char *certid, const char *keyid,
+X509 **pubkey, EVP_PKEY **privkey)
+{
+#if MODSSL_USE_OPENSSL_STORE
+SSLModConfigRec *mc = myModConfig(s);
+
+if (strcEQ(mc->szCryptoDevice, "provider"))
+return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
+ pubkey, privkey);
+#endif
+#if MODSSL_HAVE_ENGINE_API
+return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
+  pubkey, privkey);
 #else
 return APR_ENOTIMPL;
 #endif
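Review bot: two object-lifetime bugs in this hunk. In the private-key branch the `if (!*privkey)` failure path calls `OSSL_STORE_close(sctx)` a second time after the `OSSL_STORE_close(sctx)` that already follows the loop; the first close frees the context, so the second is a double free. The certificate branch gets this right, so the extra close should go. In the certificate branch `*pubkey = OSSL_STORE_INFO_get0_CERT(info)` is followed by `OSSL_STORE_INFO_free(info)`, which frees the X509 the INFO owns and leaves `*pubkey` dangling; use `OSSL_STORE_INFO_get1_CERT()` for a reference of our own, as the key branch already does with `get1_PKEY()`. Third, `modssl_load_engine_keypair()` evaluates `strcEQ(mc->szCryptoDevice, "provider")` before anything else, but `szCryptoDevice` is NULL when SSLCryptoDevice is absent or set to `builtin`, and with `modssl_is_engine_id()` now accepting `pkcs11:` on every STORE-enabled build a `pkcs11:` identifier without SSLCryptoDevice reaches that strcmp on NULL; prefix the test with `mc->szCryptoDevice &&`. Minor: every new message reuses `APLOGNO(10131)` where each needs its own tag (the commit in this thread's subject touches docs/log-message-tags/next-number for that reason), and the message for the missing certificate says `OSSL_STORE_INFO_PKEY lookup failed` where `OSSL_STORE_INFO_CERT` is meant.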
Index: modules/ssl/ssl_private.h
===
--- modules/ssl/ssl_private.h   (revision 1914150)
+++ modules/ssl/ssl_private.h   (working copy)
@@ -118,6 +118,13 @@
 #define MODSSL_HAVE_ENGINE_API 0
 #endif
 
+/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with
+ * OpenSSL 3.0
+ */
+#if OPENSSL_VERSION_NUMBER >= 0x3000
+#define MODSSL_USE_OPENSSL_STORE 1
+#endif
+
 #if (OPENSSL_VERSION_NUMBER < 0x0090801f)
 #error mod_ssl requires OpenSSL 0.9.8a or later
 #endif
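Review bot: `#if OPENSSL_VERSION_NUMBER >= 0x3000` tests the wrong constant. OPENSSL_VERSION_NUMBER encodes 3.0.0 as 0x30000000L (the existing check a few lines down uses 0x0090801f for 0.9.8a), so 0x3000 is true for every release and `MODSSL_USE_OPENSSL_STORE` also gets defined for 1.1.1 and older builds, where the OSSL_STORE API either does not exist (before 1.1.1) or has no provider-backed loaders. Use `0x30000000L`, and add an `#else` branch defining `MODSSL_USE_OPENSSL_STORE 0` so the macro is always defined, as is done for `MODSSL_HAVE_ENGINE_API` just above.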
Index: modules/ssl/ssl_util.c
===
--- modules/ssl/ssl_util.c  (revision 1914150)
+++ modules/ssl/ssl_util.c  (working copy)
@@ -500,7 +500,7 @@
 
 int modssl_is_engine_id(const char *name)
 {
-#if MODSSL_USE_ENGINE_API
+#if MODSSL_USE_ENGINE_API || MODSSL_USE_OPENSSL_STORE
 /* ### Can handle any other special ENGINE key names here? */
 return strncmp(name, "pkcs11:", 7) == 0;
 #else
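Review bot: the removed line reads `MODSSL_USE_ENGINE_API`, while every other place in this patch (ssl_private.h, ssl_engine_config.c, `modssl_load_engine_keypair()`) tests `MODSSL_HAVE_ENGINE_API`; if the existing code really spells it `USE_`, the `-` line is right and the mismatch is pre-existing and worth fixing in the same change, otherwise this hunk will not apply. Also, the STORE API resolves any scheme (the thread notes `file:` and bare paths would work), so a one-line comment that `pkcs11:` is deliberately kept as the only recognized prefix, leaving plain-file loading on the existing non-STORE code path, would spare the next reader the question.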



-- 
Ingo Franzki