patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos nmav at
Mon Jun 22 09:06:02 UTC 2015

On Mon, 2015-06-22 at 04:11 +0300, Maxim Dounin wrote:
> > Hi,
> >  Yes, I've tried it. It would be specified as:
> > "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin
> > -value=1234";
> > 
> > But doesn't work, because it doesn't initialize the pkcs11 engine.
> Shouldn't initialization of an engine be added to "engine:..." 
> handling then?

 I am not sure how the original engine approach was intended to work.
My understanding from the mail I quoted was that it required the engine
to be enabled via the openssl.cnf file. That's why I didn't touch that
part. I could update that part as well if you think it would be a nice

> (Just a side note: your patch has ENGINE_init() but no 
> ENGINE_finish().  It looks like a leak.)

I'm not very familiar with the nginx code base and that could be indeed
an issue. Where would that finish be called? The engine initialization
for pkcs11 should stay up for the lifetime of all connections.

> > Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the 
> > purpose
> > of PKCS #11 URLs which is to use the same string to identify the 
> > same
> > keys on all applications.
> The goal of the "engine:..." syntax is to allow nginx to load keys 
> from arbitrary engines.  With this approach you can use PKCS #11 
> URLs as identifiers for engines which support them - though you 
> have to write a prefix "engine:<name>:" to instruct nginx to load 
> a key from a named engine rather than a file.  So I don't think 
> that the current approach "defeats the purpose" somehow - it's 
> just a bit more chatty than it can be assuming nginx knows for 
> sure that the only engine useable for PKCS #11 URLs is pkcs11.

Note that supporting the "pkcs11:" urls directly, has the advantage
that it doesn't make nginx dependent on any engine to support PKCS #11.
The current support relies on engine_pkcs11, which is a 3rd party
module (not in openssl distribution). It should be future-proof to have
a way to load PKCS #11 modules which is independent of the backend used
by nginx. So you could change the internal backend (for example to use
libp11 directly), without requiring all nginx users to change their
configuration files and remove the "engine:pkcs11:" part from their

It would of course be good to keep the engine support there for the
users that may need other modules than pkcs11, but for HSMs, all crypto
card providers do ship a PKCS #11 module. So I would expect that the
need for PKCS #11 support would overshadow the need for any other
engine supported by openssl.


More information about the nginx-devel mailing list