[PATCH] Support loading server certificate from HW token

Lubos Uhliarik luhliari at redhat.com
Mon May 4 12:42:36 UTC 2020

Hi Николаевич,

you are right, this is not defined in openssl, it is an engine specific functionality
as you wrote. p11-kit engine supports this command (https://github.com/OpenSC/libp11). 
I'm not aware of any other method, how to load it.

As you stated, it is not a must, but since nginx is already able to load private 
key from engine, it would be nice to have opportunity to load public key (certificate) 
as well. In case engine doesn't support that command CMD_LOAD_CERT_CTRL, we can just 
return error.

It would be good to check if the engine supports that command in following way:

const char *cmd_name = "LOAD_CERT_CTRL";
if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
                 0, (void *)cmd_name, NULL))

I can alter the patch if it is the only problem you can see here.


----- Original Message -----
> From: "Пичулин Дмитрий Николаевич" <pdn at cryptopro.ru>
> To: nginx-devel at nginx.org
> Sent: Saturday, May 2, 2020 9:53:58 PM
> Subject: Re: [PATCH] Support loading server certificate from HW token
> I support the base idea to load certificates from engines but
> CMD_LOAD_CERT_CTRL ('LOAD_CERT_CTRL') seems not defined in openssl, it is an
> engine specific functionality. Is that the only way?
> And secondly, i can not imagine that you can not get a certificate from your
> hardware prior nginx run, because the certificate information is always
> open. So this new functionality is not a must, but a useful one.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net

Every airline in the Fortune 500 relies on Red Hat.
Find out why at http://www.redhat.com/en/about/trusted

Red Hat Inc. http://cz.redhat.com

More information about the nginx-devel mailing list