[PATCH] Support loading server certificate from HW token

Пичулин Дмитрий Николаевич pdn at cryptopro.ru
Fri May 8 19:53:18 UTC 2020

I dipped into the problem and came to the conclusion that this proposal cannot be used as a general one.

First, although the ctrl number could be passed in the directive itself, for example "engine:pkcs11:205:slot_0-id_00", where 205 corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 + 5), the argument "params" is too specific for this command, in fact, it is a binding to a specific non-extensible interface of a particular ENGINE command.

Secondly, this binding to a bad interface actually, which is not able to return the certificate chain, CMD_LOAD_CERT_CTRL returns only the leaf certificate.

Therefore, I do not see how this can be used outside of pkcs11 ENGINE and I do not see how this can be used in a production without a certificate chain.

More information about the nginx-devel mailing list