[PATCH] allow to use engine keyform for server private key

Maxim Dounin mdounin at mdounin.ru
Wed Dec 3 21:25:21 UTC 2014


Hello!

On Fri, Nov 21, 2014 at 04:09:01PM +0300, Maxim Dounin wrote:

> On Fri, Nov 21, 2014 at 08:22:13AM +0300, Dmitrii Pichulin wrote:
> 
> > Ping.
> > 
> > Patch:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> > 
> > Example:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
> 
> Thanks again and sorry, still no time.  I hope I'll be able to 
> look into it in the next week or so.

Below is the patch with some minor tweaking to better match nginx 
code style; please check if it looks ok to you.

And, BTW, thanks for the detailed usage example; it was really 
helpful even on FreeBSD (just one side note: "ssl_engine pkcs11" 
in nginx config isn't needed).

# HG changeset patch
# User Dmitrii Pichulin
# Date 1407135800 -14400
#      Mon Aug 04 11:03:20 2014 +0400
# Node ID 33d24b89fa274b7fdbfaec9c28f4b553ddc14712
# Parent  16be523be8e4541f45ba98c8071295f267ff14ff
SSL: loading certificate keys via ENGINE_load_private_key().

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -376,6 +376,67 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
 
     BIO_free(bio);
 
+    if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+        u_char      *p, *last;
+        ENGINE      *engine;
+        EVP_PKEY    *pkey;
+
+        p = key->data + sizeof("engine:") - 1;
+        last = (u_char *) ngx_strchr(p, ':');
+
+        if (last == NULL) {
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "invalid syntax in \"%V\"", key);
+            return NGX_ERROR;
+        }
+
+        *last = '\0';
+
+        engine = ENGINE_by_id((char *) p);
+
+        if (engine == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "ENGINE_by_id(\"%s\") failed", p);
+            return NGX_ERROR;
+        }
+
+        *last++ = ':';
+
+        pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+        if (pkey == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "ENGINE_load_private_key(\"%s\") failed", last);
+            ENGINE_free(engine);
+            return NGX_ERROR;
+        }
+
+        ENGINE_free(engine);
+
+        if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
+            EVP_PKEY_free(pkey);
+            return NGX_ERROR;
+        }
+
+        EVP_PKEY_free(pkey);
+
+        return NGX_OK;
+
+#else
+
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "loading \"engine:...\" certificate keys "
+                           "is not supported");
+        return NGX_ERROR;
+
+#endif
+    }
+
     if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
         return NGX_ERROR;
     }
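Review bot: The engine handle returned by ENGINE_by_id() at the top of the block is only a structural reference, and nothing in the hunk calls ENGINE_init() before ENGINE_load_private_key() (or ENGINE_finish() afterwards), so the load only succeeds when the engine has already been initialised elsewhere, for example by an engine section in openssl.cnf; otherwise ENGINE_load_private_key() fails with a not-initialised error and the user only sees the generic "ENGINE_load_private_key(...) failed" message. Either bracket the call with ENGINE_init()/ENGINE_finish() (freeing the engine on that error path as the existing one does), or state the prerequisite in the commit message. A second point for the description: `ENGINE_load_private_key(engine, (char *) last, 0, 0)` passes a NULL UI_METHOD and callback data, so no PIN or passphrase can be prompted for at startup and any such secret has to come from the engine's own configuration; that is worth documenting next to the "engine:name:id" syntax.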


-- 
Maxim Dounin
http://nginx.org/