[PATCH] Support loading server certificate from HW token

Maxim Dounin mdounin at mdounin.ru
Tue May 12 19:06:33 UTC 2020


Hello!

On Fri, May 08, 2020 at 07:53:18PM +0000, Пичулин Дмитрий Николаевич wrote:

> I dipped into the problem and came to the conclusion that this 
> proposal cannot be used as a general one.
> 
> First, although the ctrl number could be passed in the directive 
> itself, for example "engine:pkcs11:205:slot_0-id_00", where 205 
> corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 + 
> 5), the argument "params" is too specific for this command, in 
> fact, it is a binding to a specific non-extensible interface of 
> a particular ENGINE command.
> 
> Secondly, this binding to a bad interface actually, which is not 
> able to return the certificate chain, CMD_LOAD_CERT_CTRL returns 
> only the leaf certificate.
> 
> Therefore, I do not see how this can be used outside of pkcs11 
> ENGINE and I do not see how this can be used in a production 
> without a certificate chain.

Thanks for the review, appreciated.

A possible use case might be to use it for proxy_ssl_certificate, 
but I agree that this looks very limited and at most optional.

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx-devel mailing list