[PATCH 1 of 1] add keyform option to SSL config to support loading private key from engine without exporting it to file
Tatiana Kondakova
kondakova at cryptopro.ru
Tue Mar 25 12:45:47 UTC 2014
# HG changeset patch
# User Tatiana Kondakova <kondakova at cryptopro.ru>
# Date 1395663427 -14400
# Node ID 773a8762a7544e77d4790be8296c592b53314b0e
# Parent 345e4fd4bb64f1b3ad48a20b69f62bcd39a443c9
add keyform option to SSL config to support loading private key from engine without exporting it to file
diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.c Mon Mar 24 16:17:07 2014 +0400
@@ -14,6 +14,11 @@
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;
+typedef struct pw_cb_data
+ {
+ const void *password;
+ const char *prompt_info;
+ } PW_CB_DATA;
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
@@ -253,7 +258,7 @@
ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
- ngx_str_t *key)
+ ngx_str_t *key, ngx_str_t *keyform)
{
BIO *bio;
X509 *x509;
@@ -340,17 +345,44 @@
BIO_free(bio);
- if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
- return NGX_ERROR;
+ if(keyform->len) {
+ PW_CB_DATA cb_data;
+ cb_data.password = NULL;
+ cb_data.prompt_info = key->data;
+
+ EVP_PKEY *pkey =
+ ENGINE_load_private_key(ENGINE_by_id(keyform->data),
+ key->data,
+ UI_create_method("OpenSSL application"
+ " user interface"),
+ &cb_data);
+ if(!pkey)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_load_private_key(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
}
-
- if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
- SSL_FILETYPE_PEM)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
- return NGX_ERROR;
+ else {
+ if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ssl->ctx,
+ (char *) key->data, SSL_FILETYPE_PEM)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
}
return NGX_OK;
diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.h Mon Mar 24 16:17:07 2014 +0400
@@ -112,7 +112,7 @@
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *cert, ngx_str_t *key);
+ ngx_str_t *cert, ngx_str_t *key, ngx_str_t *keyform);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Mar 24 16:17:07 2014 +0400
@@ -90,6 +90,13 @@
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL },
+
+ { ngx_string("ssl_keyform_engine"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, certificate_keyform),
+ NULL },
{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
@@ -556,6 +563,8 @@
ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_str_value(conf->certificate_keyform,
+ prev->certificate_keyform, "");
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -646,7 +655,7 @@
cln->data = &conf->ssl;
if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key)
+ &conf->certificate_key, &conf->certificate_keyform)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h Mon Mar 24 16:17:07 2014 +0400
@@ -34,6 +34,7 @@
ngx_str_t certificate;
ngx_str_t certificate_key;
+ ngx_str_t certificate_keyform;
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;
More information about the nginx-devel
mailing list