[PATCH] Add PKCS#11 support to nginx http module
Thomas Calderon
thomas.calderon at ssi.gouv.fr
Mon Nov 3 16:53:55 UTC 2014
Hi,
This patch leverages PKCS#11 support in nginx http module using libp11.
This allows the private key to be stored in a dedicated hardware (or
software) component.
The following patch does not deal with the "configure" tools of nginx.
I wanted to get feedback prior to writing nginx "autoconf" scripts to
deal with multiple platforms.
To test, apply the patch, run configure (with http/ssl enabled), and
modify objs/Makefile to add "-lp11" to link the libp11 library.
To configure use the following parameters:
* ssl_pkcs11, on or off
* ssl_certificate, no change; the server certificate is still fetched from disk
* ssl_certificate_key, string mapped to the PKCS#11 "label" attribute
* ssl_pkcs11_pin, string of the token PIN
* ssl_pkcs11_module, path to the PKCS#11 shared library
Instead of tweaking ngx_ssl_certificate function, I have added
the ngx_ssl_certificate_pkcs11 function which is used when ssl_pkcs11 is
enabled.
This approach could also be applied to the nginx mail module.
Feedback appreciated.
Regards,
--
Regards,
Thomas Calderon
Hardware and Software Architectures Laboratory
Expertise Sub-directorate
ANSSI
Tel: 01 71 75 88 55
A non-text attachment was scrubbed...
Name: nginx-pkcs11-support-hg.patch
Type: text/x-patch
Size: 12805 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141103/afdbafc3/attachment.bin>