[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin pdn at cryptopro.ru
Mon Aug 4 07:06:35 UTC 2014


# HG changeset patch
# User Dmitrii Pichulin
# Date 1407135800 -14400
#      Mon Aug 04 11:03:20 2014 +0400
# Node ID ea21759f209f468d2fd5035782691ff0d4d12cc6
# Parent  f8764e20fcd7f87d98fe97f82b2a8d0a77ed9097
allow to use engine keyform for server private key

diff -r f8764e20fcd7 -r ea21759f209f src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Fri Aug 01 20:39:22 2014 -0700
+++ b/src/event/ngx_event_openssl.c	Mon Aug 04 11:03:20 2014 +0400
@@ -275,6 +275,11 @@
     u_long       n;
     ngx_str_t   *pwd;
     ngx_uint_t   tries;
+#ifndef OPENSSL_NO_ENGINE
+    char        *p, *last;
+    ENGINE      *engine;
+    EVP_PKEY    *private_key;
+#endif
 
     if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
         return NGX_ERROR;
@@ -357,6 +362,62 @@
 
     BIO_free(bio);
 
+    if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+        p = (char *) key->data + sizeof("engine:") - 1;
+        last = ngx_strchr(p, ':');
+
+        if (last == NULL) {
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid syntax: %V", key);
+            return NGX_ERROR;
+        }
+
+        p[last - p] = '\0';
+
+        engine = ENGINE_by_id(p);
+
+        if (engine == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "ENGINE_by_id(\"%s\") failed", p);
+            return NGX_ERROR;
+        }
+
+        p[last - p] = ':';
+        last++;
+
+        private_key = ENGINE_load_private_key(engine, last, 0, 0);
+
+        if (private_key == NULL) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "ENGINE_load_private_key(\"%s\") failed", last);
+            ENGINE_free(engine);
+            return NGX_ERROR;
+        }
+
+        ENGINE_free(engine);
+
+        if (SSL_CTX_use_PrivateKey(ssl->ctx, private_key) == 0) {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                          "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
+            EVP_PKEY_free(private_key);
+            return NGX_ERROR;
+        }
+
+        EVP_PKEY_free(private_key);
+
+        return NGX_OK;
+
+#else
+
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "\"engine\" is not supported: %V", key);
+        return NGX_ERROR;
+
+#endif
+    }
+
     if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
         return NGX_ERROR;
     }
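Review bot: ENGINE_load_private_key() on the engine returned by ENGINE_by_id() (the call after `last++`) will, as far as I recall of OpenSSL 1.0.x, fail with ENGINE_R_NOT_INITIALISED unless the engine already holds a functional reference, so this path only works when something else (e.g. an `ssl_engine` directive) has already called ENGINE_init() on that engine; taking and releasing the functional reference here makes the directive self-contained and gives a clearer error when the engine cannot be initialised. The ENGINE_by_id() failure branch also returns without restoring the ':' it overwrote in `key->data`, and `p[last - p] = '\0'` is just `*last = '\0'`. Passing `0, 0` for ui_method/callback_data means a PIN-protected engine key cannot prompt, and the `pwd`/`tries` password handling of the PEM path is not applied here, which is worth a comment on the directive. The enclosing function starts before this hunk and continues after it.
```c
        engine = ENGINE_by_id(p);

        if (engine == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_by_id(\"%s\") failed", p);
            *last = ':';
            return NGX_ERROR;
        }

        /* ENGINE_load_private_key() requires a functional reference;
         * do not rely on ssl_engine having initialised this engine */
        if (!ENGINE_init(engine)) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_init(\"%s\") failed", p);
            ENGINE_free(engine);
            *last = ':';
            return NGX_ERROR;
        }

        *last++ = ':';

        /* no UI method: PIN-protected engine keys cannot prompt here */
        private_key = ENGINE_load_private_key(engine, last, 0, 0);

        if (private_key == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_load_private_key(\"%s\") failed", last);
            ENGINE_finish(engine);
            ENGINE_free(engine);
            return NGX_ERROR;
        }

        ENGINE_finish(engine);
        ENGINE_free(engine);

        /* … unchanged: SSL_CTX_use_PrivateKey and EVP_PKEY_free … */
```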


