patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Jun 19 13:49:48 UTC 2015


Hello,
 The attached patch allows loading PKCS #11 URLs in the
ssl_certificate_key.

That is, one only needs to specify:
ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234"

to access a key in a HSM. That's the only step required.
That extends the previous approach which is generic, but tedious, and
requires modifying openssl config files shared with other apps.
See [0] for comparison.

This works with the latest engine_pkcs11, and p11-kit (which takes care
of module registration).

Note that PKCS #11 URLs, described in RFC7512, are becoming the way to
specify keys stored in PKCS #11 modules. engine_pkcs11 supports them
already, as well as gnutls natively. See also fedora's stance on them
[1].

regards,
Nikos

[0]. http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
[1]. https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
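As an added illustration (not code from this post, from nginx or from engine_pkcs11), a small Python parser for the RFC 7512 URI form used in the ssl_certificate_key value above; the sample URIs are constructed for the example, and the final check reports whether the PIN is written into the URI itself (pin-value) rather than referenced out of band (pin-source).

```python
# Added example, not part of the original post: parse RFC 7512 PKCS #11 URIs.
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 section 2.3; anything else is vendor-specific.
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with percent-decoded values.

    Path attributes are ';'-separated, query attributes '&'-separated after '?'.
    A '=' is legal inside a value, so only the first '=' splits name from value.
    The RFC places pin-value/pin-source after '?', but the post writes pin-value
    with ';' in the path section; both spellings are accepted and the attribute
    is filed under query either way.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    items = [(a, True) for a in path_part.split(";")]
    items += [(a, False) for a in query_part.split("&")]
    path, query = {}, {}
    for item, in_path in items:
        if not item:
            continue
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError("attribute without '=': %r" % item)
        target = query if (name in QUERY_ATTRS or not in_path) else path
        if name in target:
            raise ValueError("duplicate attribute: %s" % name)
        # 'id' is an opaque byte string (CKA_ID); every other value is text.
        if name == "id":
            target[name] = unquote_to_bytes(value)
        else:
            target[name] = unquote(value, errors="strict")
    return path, query


def embeds_pin(uri):
    """True when the PIN is stored in the URI (and so in the nginx config file)
    instead of being read from the location named by pin-source."""
    _, query = parse_pkcs11_uri(uri)
    return "pin-value" in query
```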
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-pkcs11.patch
Type: text/x-patch
Size: 2174 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150619/55181c73/attachment.bin>