[PATCH] Support loading server certificate from HW token
Пичулин Дмитрий Николаевич
pdn at cryptopro.ru
Fri May 8 19:53:18 UTC 2020
I dipped into the problem and came to the conclusion that this proposal cannot be used as a general one.
First, although the ctrl number could be passed in the directive itself, for example "engine:pkcs11:205:slot_0-id_00", where 205 corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 + 5), the argument "params" is too specific for this command, in fact, it is a binding to a specific non-extensible interface of a particular ENGINE command.
Secondly, this binding to a bad interface actually, which is not able to return the certificate chain, CMD_LOAD_CERT_CTRL returns only the leaf certificate.
Therefore, I do not see how this can be used outside of pkcs11 ENGINE and I do not see how this can be used in a production without a certificate chain.
More information about the nginx-devel