[PATCH] Add PKCS#11 support to nginx http module
thomas.calderon at ssi.gouv.fr
Mon Nov 3 16:53:55 UTC 2014
This patch leverages PKCS#11 support in nginx http module using libp11.
This allows the private key to be stored in a dedicated hardware (or
The following patch does not deal with the "configure" tools of nginx.
I wanted to get feedback prior to writing nginx "autoconf" scripts to
deal with multiple platforms.
To test, apply the patch, run configure (with http/ssl enabled), and
modify objs/Makefile to add "-lp11" to link the libp11 library.
To configure, use the following parameters:
* ssl_pkcs11, on or off
* ssl_certificate, no change; the server certificate is fetched from the disk
* ssl_certificate_key, string mapped to the PKCS#11 "label" attribute
* ssl_pkcs11_pin, string of the token PIN
* ssl_pkcs11_module, path to the PKCS#11 shared library
Instead of tweaking ngx_ssl_certificate function, I have added
the ngx_ssl_certificate_pkcs11 function which is used when ssl_pkcs11 is
This approach could also be applied to the nginx mail module.
Laboratoire architectures matérielles et logicielles
Tel: 01 71 75 88 55
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 12805 bytes
Desc: not available
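
A server block combining the five directives listed in the message, as an added example that is not part of the original post or of the patch. The directive names come from the message; their argument forms and every value shown (host name, module path, PIN, key label, certificate path) are assumed placeholders, since the patch itself is not reproduced on this page.

```nginx
# Added illustration, not taken from the patch.
# Directive names are from the message; argument forms and values are assumptions.
server {
    listen 443 ssl;
    server_name example.test;                        # placeholder host

    ssl_pkcs11          on;                          # select the PKCS#11 code path
    ssl_pkcs11_module   /path/to/pkcs11-module.so;   # placeholder: the token vendor's PKCS#11 shared library
    ssl_pkcs11_pin      "REPLACE_WITH_TOKEN_PIN";    # placeholder: token PIN, given as a plain string

    ssl_certificate     /etc/nginx/tls/server.crt;   # unchanged: certificate is still read from disk
    ssl_certificate_key "server-key";                # placeholder: PKCS#11 "label" of the key, not a file path
}
```

Because ssl_pkcs11_pin holds the token PIN as a string, read access to the configuration file amounts to the ability to use the key on the token, so the file's ownership and permissions need the same care a key file would get.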