Hi all,

now that OpenSSL 3.0 support is available, I would like to ask if there are any 
plans to support loading OpenSSL provider-based keys similar to loading 
Engine-based keys from a URI.

When using an OpenSSL PKCS#11 engine, one can specify a PKCS#11 URL with 
SSLCertificateKeyFile to have the engine load the server's private key. 

When looking at the code it seems that this only works with Engines. 
The code in ssl_init_server_certs() checks via modssl_is_engine_id() if the key 
is a URI starting with 'pkcs11:', and if so, it loads the key via 
modssl_load_engine_keypair(), which loads the key via ENGINE_load_private_key() 
and friends. So this code is Engine-specific, and won't work with providers. 
The other code paths all expect the server private key to be in PEM format.

What I am looking for is a way to load the private key using a PKCS#11 URL, not 
using Engines, but a PKCS#11 provider (such a provider might not exist at the 
moment, but let's assume that one exists). That would require that mod_ssl loads 
the private key via OSSL_STORE_open() / OSSL_STORE_load() and friends, so that 
a PKCS#11 provider that was configured to be loaded is fetched for the 
'pkcs11'-type URI and can in turn load the PKCS#11 key. 

The ultimate goal is to allow httpd to use an HSM-based private key via a 
PKCS#11 provider, so that the server's private key is never exposed in the clear.
This is already possible when using the libp11 Engine from 
https://github.com/OpenSC/libp11, but given that Engines are deprecated and 
will go away at some point in time, I would like to be able to do the same with 
a (still to be implemented) PKCS#11 provider.

Are there any plans to implement such provider-based key loading in httpd? 

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Chairman of the Supervisory Board: 
Matthias Hartmann
Management: Dirk Wittkopp
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 
243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
