[PATCH] Support loading server certificate from HW token
Lubos Uhliarik
luhliari at redhat.com
Thu Apr 30 11:55:54 UTC 2020
Hello everyone,
do you see any change getting this patch applied to 1.19?
Best,
----- Original Message -----
> From: "Lubos Uhliarik" <luhliari at redhat.com>
> To: nginx-devel at nginx.org
> Sent: Monday, April 27, 2020 1:53:17 PM
> Subject: [PATCH] Support loading server certificate from HW token
>
> # HG changeset patch
> # User Lubos Uhliarik <luhliari at redhat.com>
> # Date 1587988141 -7200
> # Mon Apr 27 13:49:01 2020 +0200
> # Node ID 8fe8445769f77165f793a4fd016a134aa1ad373c
> # Parent 716eddd74bc2831537f5b3f7ecd16ad3e516d043
> Support loading server certificate from HW token
>
> Nginx supports loading private key from HW token, but does not support
> loading certificate. This patch adds functionality which allows to load
> server certificate with a specified id from OpenSSL engine.
>
> diff -r 716eddd74bc2 -r 8fe8445769f7 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Thu Apr 23 15:10:26 2020 +0300
> +++ b/src/event/ngx_event_openssl.c Mon Apr 27 13:49:01 2020 +0200
> @@ -609,6 +609,71 @@
> X509 *x509, *temp;
> u_long n;
>
> + if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
> +
> +#ifndef OPENSSL_NO_ENGINE
> +
> + u_char *p, *last;
> + ENGINE *engine;
> +
> + p = cert->data + sizeof("engine:") - 1;
> + last = (u_char *) ngx_strchr(p, ':');
> +
> + if (last == NULL) {
> + *err = "invalid syntax";
> + return NULL;
> + }
> +
> + *last = '\0';
> +
> + engine = ENGINE_by_id((char *) p);
> +
> + if (engine == NULL) {
> + *err = "ENGINE_by_id() failed";
> + return NULL;
> + }
> +
> + if (!ENGINE_init(engine)) {
> + *err = "ENGINE_init() failed";
> + ENGINE_free(engine);
> + return NULL;
> + }
> +
> + *last++ = ':';
> +
> + struct {
> + const char *cert_id;
> + X509 *cert;
> + } params = { (char *) last, NULL };
> +
> + if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1))
> {
> + *err = "ENGINE_ctrl_cmd() failed - Unable to get the
> certificate";
> + ENGINE_free(engine);
> + return NULL;
> + }
> +
> + ENGINE_finish(engine);
> + ENGINE_free(engine);
> +
> + /* set chain to null */
> +
> + *chain = sk_X509_new_null();
> + if (*chain == NULL) {
> + *err = "sk_X509_new_null() failed";
> + X509_free(params.cert);
> + return NULL;
> + }
> +
> + return params.cert;
> +
> +#else
> +
> + *err = "loading \"engine:...\" certificate is not supported";
> + return NULL;
> +
> +#endif
> + }
> +
> if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
>
> bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
>
--
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net
RED HAT | TRIED. TESTED. TRUSTED.
Every airline in the Fortune 500 relies on Red Hat.
Find out why at http://www.redhat.com/en/about/trusted
Red Hat Inc. http://cz.redhat.com
More information about the nginx-devel
mailing list