[PATCH] Add PKCS#11 support to nginx http module

Thomas Calderon thomas.calderon at ssi.gouv.fr
Mon Nov 3 16:53:55 UTC 2014


This patch leverages PKCS#11 support in nginx http module using libp11.
This allows the private key to be stored in a dedicated hardware (or
software) component.

The following patch does not deal with the "configure" tools of nginx.
I wanted to get feedback prior to writing nginx "autoconf" scripts to
deal with multiple platforms.

To test, apply the patch, run configure (with http/ssl enabled), and
modify objs/Makefile to add "-lp11" to link the libp11 library.

To configure, use the following parameters:
  * ssl_pkcs11, on or off
  * ssl_certificate, no change: the server certificate is fetched from the disk
  * ssl_certificate_key, string mapped to the PKCS#11 "label" attribute
  * ssl_pkcs11_pin, string of the token PIN
  * ssl_pkcs11_module, path to the PKCS#11 shared library

Instead of tweaking ngx_ssl_certificate function, I have added
the ngx_ssl_certificate_pkcs11 function which is used when ssl_pkcs11 is

This approach could also be applied to the nginx mail module.

Feedback appreciated.



Thomas Calderon
Laboratoire architectures matérielles et logicielles
Sous-direction expertise
Tel: 01 71 75 88 55
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-pkcs11-support-hg.patch
Type: text/x-patch
Size: 12805 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141103/afdbafc3/attachment.bin>
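How the directives listed in the message fit together in one server block, as an added example that is not part of the original post or of the attached patch. The directive names are the ones the message lists and exist only in an nginx build with this patch applied; the server name, file paths, key label and PIN are constructed placeholders.

```nginx
server {
    listen              443 ssl;
    server_name         example.test;               # constructed name

    # Switch to the PKCS#11 code path added by the patch
    # (ngx_ssl_certificate_pkcs11, per the message).
    ssl_pkcs11          on;

    # PKCS#11 shared library for the hardware or software token.
    # Placeholder path: use the module shipped with your token.
    ssl_pkcs11_module   /path/to/pkcs11-module.so;

    # Unchanged from stock nginx: the certificate is still read from disk.
    ssl_certificate     /etc/nginx/tls/server.crt;  # constructed path

    # With ssl_pkcs11 on, this value is the PKCS#11 "label" attribute of the
    # private key object on the token, not a path to a key file.
    ssl_certificate_key "nginx-server-key";         # constructed label

    # Token PIN, stored as a plain string in the configuration.
    ssl_pkcs11_pin      "000000";                   # constructed PIN
}
```

Since the PIN sits in the configuration as a plain string, the file holding it should be readable only by the account that starts nginx.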
