[PATCH 1 of 1] allow to use engine keyform for server private key
Dmitrii Pichulin
pdn at cryptopro.ru
Tue Jul 29 15:11:27 UTC 2014
# HG changeset patch
# User Dmitrii Pichulin
# Date 1406644835 -14400
# Tue Jul 29 18:40:35 2014 +0400
# Node ID b5f409eef2ed6832eead4c53855f91fb90ee099b
# Parent d1bde5c3c5d21368de04a59506a06c1174353a19
allow using an engine keyform for the server private key
diff -r d1bde5c3c5d2 -r b5f409eef2ed src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Jul 28 18:30:19 2014 +0400
+++ b/src/event/ngx_event_openssl.c Tue Jul 29 18:40:35 2014 +0400
@@ -265,8 +265,11 @@
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_str_t *key, ngx_array_t *passwords)
{
+ char *p, *last;
BIO *bio;
X509 *x509;
+ ENGINE *engine;
+ EVP_PKEY *private_key;
u_long n;
ngx_str_t *pwd;
ngx_uint_t tries;
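Review bot: The new `ENGINE *engine;` and `EVP_PKEY *private_key;` declarations, together with the block that uses them in the second hunk, are not wrapped in `#ifndef OPENSSL_NO_ENGINE`, so the file will no longer build against an OpenSSL configured with no-engine; if the existing engine call in ngx_ssl_init() is already guarded that way (I believe it is), these should follow the same guard. The pointers are also declared `char *p, *last;` while `key->data` is `u_char *`, which is what forces the `(char *) key->data` cast in the second hunk; `u_char *p, *last;` with the cast moved to the ENGINE call sites matches the file's convention. ngx_ssl_certificate()'s body continues outside the hunk.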
@@ -352,6 +355,54 @@
BIO_free(bio);
+ if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+ p = (char *) key->data + sizeof("engine:") - 1;
+ last = ngx_strchr(p, ':');
+
+ if (last == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid syntax: %V", key);
+ return NGX_ERROR;
+ }
+
+ p[last - p] = '\0';
+ last++;
+
+ engine = ENGINE_by_id(p);
+
+ if (engine == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_by_id(\"%s\") failed", p);
+ return NGX_ERROR;
+ }
+
+ private_key = ENGINE_load_private_key(engine, last, 0, 0);
+
+ if (ENGINE_free(engine) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "ENGINE_free() failed");
+ if (private_key)
+ EVP_PKEY_free(private_key);
+ return NGX_ERROR;
+ }
+
+ if (private_key == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_load_private_key(\"%s\") failed", last);
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_use_PrivateKey(ssl->ctx, private_key) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey_file(\"%s\") failed", last);
+ EVP_PKEY_free(private_key);
+ return NGX_ERROR;
+ }
+
+ EVP_PKEY_free(private_key);
+
+ return NGX_OK;
+ }
+
if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
return NGX_ERROR;
}
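Review bot: The error message in the `SSL_CTX_use_PrivateKey` branch names the wrong function, `SSL_CTX_use_PrivateKey_file(\"%s\") failed`, and should read `"SSL_CTX_use_PrivateKey(\"%s\") failed"`. `p[last - p] = '\0'` is an obscure spelling of `*last = '\0'`, and it leaves a NUL permanently inside `key->data` without adjusting `key->len`, so any later use of `key` (a `%V` log line, for instance) sees a truncated-looking value; restoring the separator once the engine id is no longer needed, `*last++ = ':';` right after the ENGINE_by_id() check, keeps the configuration string intact. ENGINE_by_id() returns only a structural reference, and as far as I recall ENGINE_load_private_key() fails with ENGINE_R_NOT_INITIALISED unless the engine already holds a functional reference, so this path only works when the engine was initialised elsewhere (typically via openssl.cnf); either bracket the load with `ENGINE_init()`/`ENGINE_finish()` or state that prerequisite in the error path. The `passwords` parameter is silently ignored here because both the UI method and the callback data passed to ENGINE_load_private_key() are 0, so a PIN-protected token key cannot take its secret from ssl_password_file; that limitation deserves at least a comment on the call. The function continues outside the hunk.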