patch to allow loading PKCS #11 URLs

Maxim Dounin mdounin at
Mon Jun 22 01:11:32 UTC 2015


On Fri, Jun 19, 2015 at 04:39:48PM +0200, Nikos Mavrogiannopoulos wrote:

> On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> > 
> > Have you tried
> > ssl_certificate_key 
> > "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> > instead?
> > I don't see how it's different from the code you propose.
> Hi,
>  Yes, I've tried it. It would be specified as:
> "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin
> -value=1234";
> But doesn't work, because it doesn't initialize the pkcs11 engine.

Shouldn't initialization of an engine be added to "engine:..." 
handling then?

(Just a side note: your patch has ENGINE_init() but no 
ENGINE_finish().  It looks like a leak.)

> Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the purpose
> of PKCS #11 URLs which is to use the same string to identify the same
> keys on all applications.

The goal of the "engine:..." syntax is to allow nginx to load keys 
from arbitrary engines.  With this approach you can use PKCS #11 
URLs as identifiers for engines which support them - though you 
have to write a prefix "engine:<name>:" to instruct nginx to load 
a key from a named engine rather than a file.  So I don't think 
that the current approach "defeats the purpose" somehow - it's 
just a bit more chatty than it can be assuming nginx knows for 
sure that the only engine useable for PKCS #11 URLs is pkcs11.

Maxim Dounin

More information about the nginx-devel mailing list