[PATCH] Support loading server certificate from HW token
luhliari at redhat.com
Mon May 4 12:42:36 UTC 2020
You are right, this is not defined in OpenSSL; it is engine-specific functionality,
as you wrote. The p11-kit engine supports this command (https://github.com/OpenSC/libp11).
I'm not aware of any other method of loading it.
As you stated, it is not a must, but since nginx is already able to load a private
key from an engine, it would be nice to have the opportunity to load the public key (certificate)
as well. In case the engine doesn't support that command CMD_LOAD_CERT_CTRL, we can just
It would be good to check if the engine supports that command in the following way:
    const char *cmd_name = "LOAD_CERT_CTRL";
    /* ENGINE_CTRL_GET_CMD_FROM_NAME returns the command number (> 0) when the
     * engine defines the command and -1 when it does not, so the result has
     * to be tested against <= 0 rather than negated */
    if (ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
                    0, (void *)cmd_name, NULL) <= 0)
I can alter the patch if it is the only problem you can see here.
----- Original Message -----
> From: "Пичулин Дмитрий Николаевич" <pdn at cryptopro.ru>
> To: nginx-devel at nginx.org
> Sent: Saturday, May 2, 2020 9:53:58 PM
> Subject: Re: [PATCH] Support loading server certificate from HW token
> I support the base idea to load certificates from engines, but
> CMD_LOAD_CERT_CTRL ('LOAD_CERT_CTRL') seems not to be defined in openssl; it is an
> engine-specific functionality. Is that the only way?
> And secondly, I cannot imagine that you can not get a certificate from your
> hardware prior to running nginx, because the certificate information is always
> open. So this new functionality is not a must, but a useful one.
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net