[PATCH 1 of 1] add keyform option to SSL config to support loading private key from engine without exporting it to file

Tatiana Kondakova kondakova at cryptopro.ru
Tue Mar 25 12:45:47 UTC 2014


# HG changeset patch
# User Tatiana Kondakova <kondakova at cryptopro.ru>
# Date 1395663427 -14400
# Node ID 773a8762a7544e77d4790be8296c592b53314b0e
# Parent  345e4fd4bb64f1b3ad48a20b69f62bcd39a443c9
add keyform option to SSL config to support loading private key from engine without exporting it to file

diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.c	Mon Mar 24 16:17:07 2014 +0400
@@ -14,6 +14,11 @@
     ngx_uint_t  engine;   /* unsigned  engine:1; */
 } ngx_openssl_conf_t;
 
+typedef struct pw_cb_data
+       {
+       const void *password;
+       const char *prompt_info;
+       } PW_CB_DATA;
 
 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
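Review bot: `struct pw_cb_data` / `PW_CB_DATA` follow neither nginx's `ngx_*_t` naming nor its brace placement, and the type is file-scope although its only use is as the callback_data argument of ENGINE_load_private_key() in a later hunk, where it carries a NULL password and a prompt string that no UI callback added by this patch ever reads. It appears to be copied from OpenSSL's command-line apps, where it is paired with the apps' own UI reader/writer; without that pairing the struct is dead data and can be dropped in favour of passing NULL as callback_data, or, if a password source is intended later, declared as `ngx_ssl_pw_cb_data_t` next to the function that uses it.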
@@ -253,7 +258,7 @@
 
 ngx_int_t
 ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
-    ngx_str_t *key)
+    ngx_str_t *key, ngx_str_t *keyform)
 {
     BIO     *bio;
     X509    *x509;
@@ -340,17 +345,44 @@
 
     BIO_free(bio);
 
-    if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
-        return NGX_ERROR;
+    if(keyform->len) {
+        PW_CB_DATA cb_data;
+        cb_data.password = NULL;
+        cb_data.prompt_info = key->data;
+
+        EVP_PKEY *pkey = 
+                 ENGINE_load_private_key(ENGINE_by_id(keyform->data), 
+                                         key->data,
+                                         UI_create_method("OpenSSL application"
+                                                          " user interface"), 
+                                         &cb_data);
+        if(!pkey)
+        {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "ENGINE_load_private_key(\"%s\") failed", key->data);
+            return NGX_ERROR;
+        }
+
+        if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0)
+        {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+            return NGX_ERROR;
+        }
     }
-
-    if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
-                                    SSL_FILETYPE_PEM)
-        == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
-        return NGX_ERROR;
+    else {
+        if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        if (SSL_CTX_use_PrivateKey_file(ssl->ctx, 
+                                        (char *) key->data, SSL_FILETYPE_PEM) 
+            == 0)
+        {
+            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                       "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+            return NGX_ERROR;
+        }
     }
 
     return NGX_OK;
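Review bot: The `EVP_PKEY *pkey` returned by ENGINE_load_private_key() is never released: SSL_CTX_use_PrivateKey() takes its own reference, so the object leaks on the success path and again on the failure path that follows it, and the ENGINE from ENGINE_by_id() is neither NULL-checked (an unknown engine id then fails inside ENGINE_load_private_key() with a message that names the key, not the engine) nor ENGINE_free()d. ENGINE_load_private_key() also needs a functional reference on the engine, which this hunk never acquires with ENGINE_init(); it presumably works only when something else, such as ssl_engine, has already initialised the engine. The UI_METHOD created inline on every call is never UI_destroy_method()d and has no reader/writer installed, so together with the NULL password it gains nothing over passing NULL. The log message after `SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0` names SSL_CTX_use_PrivateKey_file, and `u_char *` data is passed to `const char *` parameters without the `(char *)` casts the removed code used, which under nginx's usual -Wall -Werror build is likely to fail on pointer signedness. The rewrite below addresses these in the engine branch and leaves the file branch as it was; ngx_ssl_certificate()'s body starts outside the hunk.
```c
    if (keyform->len) {
        ENGINE    *engine;
        EVP_PKEY  *pkey;

        engine = ENGINE_by_id((char *) keyform->data);
        if (engine == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_by_id(\"%V\") failed", keyform);
            return NGX_ERROR;
        }

        /* ENGINE_load_private_key() requires a functional reference */
        if (ENGINE_init(engine) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_init(\"%V\") failed", keyform);
            ENGINE_free(engine);
            return NGX_ERROR;
        }

        /* no UI callbacks are installed here, so let the engine use its own */
        pkey = ENGINE_load_private_key(engine, (char *) key->data, NULL, NULL);

        /* drop our references; an engine-backed key keeps its own */
        ENGINE_finish(engine);
        ENGINE_free(engine);

        if (pkey == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "ENGINE_load_private_key(\"%s\") failed", key->data);
            return NGX_ERROR;
        }

        if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data);
            EVP_PKEY_free(pkey);
            return NGX_ERROR;
        }

        /* SSL_CTX_use_PrivateKey() holds its own reference now */
        EVP_PKEY_free(pkey);

    } else {
        /* … unchanged: ngx_conf_full_name() and SSL_CTX_use_PrivateKey_file() … */
    }
```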
diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.h	Mon Mar 24 16:17:07 2014 +0400
@@ -112,7 +112,7 @@
 ngx_int_t ngx_ssl_init(ngx_log_t *log);
 ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
 ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *cert, ngx_str_t *key);
+    ngx_str_t *cert, ngx_str_t *key, ngx_str_t *keyform);
 ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
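Review bot: The prototype change adds a fourth parameter that ngx_ssl_certificate() dereferences unconditionally (`keyform->len`) in the .c hunk, so every caller must now pass a non-NULL ngx_str_t; this patch updates only the HTTP SSL module, and any other caller in the tree (the mail SSL module, if present) would stop compiling until it passes an empty string for the key form. The new parameter deserves a line at the declaration: `/* keyform: OpenSSL engine id to load the key from; empty means key is a PEM file path */`.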
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c	Mon Mar 24 16:17:07 2014 +0400
@@ -90,6 +90,13 @@
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
       NULL },
+ 
+    { ngx_string("ssl_keyform_engine"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, certificate_keyform),
+      NULL },
 
     { ngx_string("ssl_dhparam"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
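Review bot: The directive named `ssl_keyform_engine` takes an OpenSSL engine id that the event/openssl hunk hands straight to ENGINE_by_id(), and when it is set `ssl_certificate_key` stops being a file path and becomes an engine-specific key identifier; neither the name nor a comment conveys either fact to whoever reads the directive table. A one-line comment above the entry, `/* engine id; when set, ssl_certificate_key is an engine key id, not a path */`, would make that explicit, and the blank line that opens the hunk carries trailing whitespace.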
@@ -556,6 +563,8 @@
 
     ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
     ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+    ngx_conf_merge_str_value(conf->certificate_keyform,
+                             prev->certificate_keyform, "");
 
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
@@ -646,7 +655,7 @@
     cln->data = &conf->ssl;
 
     if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
-                            &conf->certificate_key)
+                            &conf->certificate_key, &conf->certificate_keyform)
         != NGX_OK)
     {
         return NGX_CONF_ERROR;
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h	Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h	Mon Mar 24 16:17:07 2014 +0400
@@ -34,6 +34,7 @@
 
     ngx_str_t                       certificate;
     ngx_str_t                       certificate_key;
+    ngx_str_t                       certificate_keyform;
     ngx_str_t                       dhparam;
     ngx_str_t                       ecdh_curve;
     ngx_str_t                       client_certificate;


