[PATCH] Support loading server certificate from HW token
mdounin at mdounin.ru
Tue May 12 19:06:33 UTC 2020
On Fri, May 08, 2020 at 07:53:18PM +0000, Пичулин Дмитрий Николаевич wrote:
> I dipped into the problem and came to the conclusion that this
> proposal cannot be used as a general one.
> First, although the ctrl number could be passed in the directive
> itself, for example "engine:pkcs11:205:slot_0-id_00", where 205
> corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 +
> 5), the argument "params" is too specific for this command; in
> fact, it is a binding to a specific non-extensible interface of
> a particular ENGINE command.
> Secondly, this is actually a binding to a bad interface, which is
> not able to return the certificate chain: CMD_LOAD_CERT_CTRL
> returns only the leaf certificate.
> Therefore, I do not see how this can be used outside of the pkcs11
> ENGINE and I do not see how this can be used in production
> without a certificate chain.
Thanks for the review, appreciated.
A possible use case might be to use it for proxy_ssl_certificate,
but I agree that this looks very limited and at most optional.