[PATCH] SSL: Add ENGINE_init() calls before using engines.

Anderson Sasaki ansasaki at redhat.com
Wed Apr 25 16:10:28 UTC 2018


Hello,

Following there is a test using the engine_pkcs11 [0] and softhsm [1].
The key is referenced in the device using PKCS#11 URI [2].

The test was based on an existing test, ssl_engine_keys.t

[0] https://github.com/OpenSC/libp11
[1] https://github.com/opendnssec/SoftHSMv2
[2] https://tools.ietf.org/html/rfc7512

Best regards,
Anderson

# HG changeset patch
# User Anderson Toshiyuki Sasaki <ansasaki at redhat.com>
# Date 1524668496 -7200
#      Wed Apr 25 17:01:36 2018 +0200
# Node ID 84d417fa2dda58b027184ca3e34479e1aa7cbd9c
# Parent  d6daf03478adb5fe7523eab0b87c9372261422d7
Tests: Add a SSL test using PKCS#11 URI.
The test run a nginx instance with ssl enabled using a
PKCS#11 URI to reference a key from a device.

diff -r d6daf03478ad -r 84d417fa2dda ssl_pkcs11_uri.t
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ssl_pkcs11_uri.t	Wed Apr 25 17:01:36 2018 +0200
@@ -0,0 +1,172 @@
+#!/usr/bin/perl
+
+# (C) Sergey Kandaurov
+# (C) Nginx, Inc.
+
+# Tests for http ssl module, loading "engine:pkcs11:" keys.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+plan(skip_all => 'win32') if $^O eq 'MSWin32';
+
+plan(skip_all => 'may not work, leaves coredump')
+	unless $ENV{TEST_NGINX_UNSAFE};
+
+my $t = Test::Nginx->new()->has(qw/http proxy http_ssl/)->has_daemon('openssl')
+	->has_daemon('softhsm2-util')->has_daemon('pkcs11-tool')->plan(1);
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    server {
+        listen       127.0.0.1:8081 ssl;
+        listen       127.0.0.1:8080;
+        server_name  localhost;
+
+        ssl_certificate_key "engine:pkcs11:pkcs11:token=NginxZero;object=nx_key_0;type=private;pin-value=1234";
+        ssl_certificate localhost.crt;
+
+        location / {
+            # index index.html by default
+        }
+        location /proxy {
+            proxy_pass https://127.0.0.1:8081/;
+        }
+    }
+}
+
+EOF
+
+# Create a OpenSSL configuration file
+my $module_path = `find /usr -name *libsofthsm*.so 2>/dev/null | head -n 1 | \
+    tr -d "\n"`;
+my $dynamic_path = `find /usr -name *pkcs11*.so 2>/dev/null | grep engine | \
+    head -n 1 | tr -d "\n"`;
+
+$t->write_file('openssl.conf', <<EOF);
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = $dynamic_path
+MODULE_PATH = $module_path
+init = 0
+
+[ req ]
+default_bits = 1024
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+# Test if OpenSSL is already configured with the engine pkcs11
+# If not, create a local configuration
+my $openssl_config;
+eval "openssl engine -t pkcs11";
+if ($? == 0) {
+    $openssl_config = "";
+} else {
+    $openssl_config = "-config $d/openssl.conf";
+}
+
+# Configure SoftHSM to create a local database for the keys
+$t->write_file('softhsm.conf', <<EOF);
+objectstore.backend = file
+directories.tokendir = $d/softhsm.db
+EOF
+
+$ENV{SOFTHSM2_CONF} = "$d/softhsm.conf";
+$ENV{PKCS11_MODULE_PATH} = "$module_path";
+mkdir("$d/softhsm.db");
+
+# Create a new SoftHSM device, generate a key pair and a self-signed
+# certificate
+foreach my $name ('localhost') {
+	system('softhsm2-util --init-token --free --label "NginxZero" '
+		. '--pin 1234 --so-pin 1234 '
+		. ">>$d/openssl.out 2>&1") == 0
+        or exit($?);
+
+	system('pkcs11-tool --module='
+        . "$module_path -p 1234 -l -k -d 0 -a nx_key_0 --key-type rsa:1024 "
+		. ">>$d/openssl.out 2>&1") == 0
+        or exit($?);
+
+	system('openssl req -x509 -new -engine pkcs11 '
+		. "$openssl_config -subj \"/CN=$name\" "
+		. "-out $d/$name.crt -keyform engine "
+        . '-key "pkcs11:token=NginxZero;object=nx_key_0;type=private'
+        . ';pin-value=1234" '
+		. ">>$d/openssl.out 2>&1") == 0
+		or exit($?);
+}
+
+$t->run();
+
+$t->write_file('index.html', '');
+
+###############################################################################
+
+like(http_get('/proxy', socket => get_ssl_socket()), qr/200 OK/, 'https');
+
+###############################################################################
+#
+sub get_ssl_socket {
+	my $s;
+
+	eval {
+		local $SIG{ALRM} = sub { die "timeout\n" };
+		local $SIG{PIPE} = sub { die "sigpipe\n" };
+		alarm(2);
+		$s = IO::Socket::SSL->new(
+			Proto => 'tcp',
+			PeerAddr => 'localhost:',
+            PeerPort => 8081,
+			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
+			SSL_error_trap => sub { die $_[1] }
+		);
+		alarm(0);
+	};
+	alarm(0);
+
+	if ($@) {
+		log_in("died: $@");
+		return undef;
+	}
+
+	return $s;
+}
+
+###############################################################################


More information about the nginx-devel mailing list