[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Maxim Dounin mdounin at mdounin.ru
Thu Jul 13 00:48:42 UTC 2023


Hello!

On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote:

> (I hope this goes out properly, as I had major issues with hg email so I
> combined hg export + git send-email)
> 
> It is convenient to keep X.509 certificates related to key pairs stored in
> openssl engine within the engine.
> 
> Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from
> the engine. This extension is not supported by all engines and in those
> cases it should report with an error.
> 
> Configuration is similar to what it is for 'ssl_certificate_key'.
> 
> The first certificate must match ssl_certificate_key's key pair; the rest of
> the certificates are added to the certificate chain.
> 
> Example configuration with libp11's pkcs11 engine:
> 
>   ssl_certificate      "engine:pkcs11:pkcs11:token=mytoken;object=mykey
>                         engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
>   ssl_certificate_key  "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";
> 
> Tested the loading with two pkcs11 implementations: SoftHSMv2, and OP-TEE's
> PKCS11 Trusted Application running on an Embedded Linux device.
> 
> The first three commits are the main beef, and in order to make it more
> flexible the last commit also allows intermediate certificates to be loaded
> from the file system.
> 
> A space separator is used as there was already an existing use of an array
> for the ssl_certificate configuration.

Just in case, a similar proposal was previously discussed here:

https://mailman.nginx.org/pipermail/nginx-devel/2020-April/013130.html
https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013142.html

Notably, the review is here:

https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013152.html

I'm additionally sceptical about this given that the engine interface
is deprecated by OpenSSL.

-- 
Maxim Dounin
http://mdounin.ru/
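The cover letter quoted above describes the proposed value format for ssl_certificate (whitespace-separated references, each either "engine:<name>:<id>" in the form nginx already accepts for ssl_certificate_key or, with the fourth patch, a file system path; the first reference is the leaf and must match the key, the rest form the chain), but no code for it appears in this message. The stand-alone C program below is added here as an illustration and is not part of the patch series or of nginx. It parses such a value into leaf and chain references and performs a cheap configuration-time check that the leaf reference and the key reference name the same engine object, ignoring a "?pin-value=..." query on the key as in the example above. The struct and function names (cert_ref_t, parse_cert_list, check_config) and the limits are assumptions made for this example, not nginx's parser; nginx's own configuration parser handles quoting, and the real key match can only be established after loading with X509_check_private_key().

```c
#include <stdio.h>
#include <string.h>
#define MAX_CERTS 8

/* One token of a space-separated ssl_certificate value (example format, not
 * nginx code). "engine:<name>:<id>" names an object held by an OpenSSL
 * engine; any other token is treated as a file system path. */
typedef struct {
    int  from_engine;   /* 1 if the "engine:" prefix was present */
    char engine[32];    /* engine name, e.g. "pkcs11" */
    char id[256];       /* engine object id (here a PKCS#11 URI) or a path */
} cert_ref_t;

typedef struct {
    cert_ref_t refs[MAX_CERTS];
    int        count;   /* refs[0] is the leaf, refs[1..count-1] the chain */
} cert_list_t;

/* Parse one token. The id may itself contain ':' (PKCS#11 URIs do), so only
 * the first ':' after the engine name separates name from id. 0 or -1. */
static int parse_cert_ref(const char *tok, size_t len, cert_ref_t *ref)
{
    memset(ref, 0, sizeof(*ref));
    if (len > 7 && strncmp(tok, "engine:", 7) == 0) {
        const char *name = tok + 7, *colon = memchr(name, ':', len - 7);
        size_t nlen, ilen;
        if (colon == NULL) return -1;
        nlen = (size_t) (colon - name);
        ilen = len - 7 - nlen - 1;
        if (nlen == 0 || nlen >= sizeof(ref->engine)) return -1;
        if (ilen == 0 || ilen >= sizeof(ref->id)) return -1;
        ref->from_engine = 1;
        memcpy(ref->engine, name, nlen);
        memcpy(ref->id, colon + 1, ilen);
        return 0;
    }
    if (len == 0 || len >= sizeof(ref->id)) return -1;
    memcpy(ref->id, tok, len);
    return 0;
}

/* Split the directive value on whitespace, the separator chosen in the cover
 * letter. RFC 7512 requires a space inside a PKCS#11 URI to be %20-encoded,
 * so the split is unambiguous for engine ids (not for arbitrary file paths). */
static int parse_cert_list(const char *value, cert_list_t *out)
{
    const char *p = value, *start;
    out->count = 0;
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (*p == '\0') break;
        start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\n') p++;
        if (out->count >= MAX_CERTS) return -1;
        if (parse_cert_ref(start, (size_t) (p - start), &out->refs[out->count]) != 0)
            return -1;
        out->count++;
    }
    return out->count > 0 ? out->count : -1;
}

/* Configuration-time sanity check: leaf and key should name the same engine
 * object. The key may carry a "?pin-value=..." query that the certificate
 * does not, so only the part before '?' is compared. This is not proof the
 * pair matches; once both are loaded, X509_check_private_key() is the test. */
static int leaf_matches_key(const cert_ref_t *leaf, const cert_ref_t *key)
{
    size_t l = strcspn(leaf->id, "?"), k = strcspn(key->id, "?");
    if (!leaf->from_engine || !key->from_engine) return 0;
    if (strcmp(leaf->engine, key->engine) != 0) return 0;
    return l == k && memcmp(leaf->id, key->id, l) == 0;
}

/* Parse both directive values; 1 if the leaf agrees with the key reference,
 * 0 if it does not, -1 if either value fails to parse. */
static int check_config(const char *certs, const char *key, cert_list_t *out)
{
    cert_ref_t kref;
    if (parse_cert_list(certs, out) < 0) return -1;
    if (parse_cert_ref(key, strlen(key), &kref) != 0) return -1;
    return leaf_matches_key(&out->refs[0], &kref);
}

int main(void)
{
    /* The cover letter's example values, joined on one line. */
    const char *certs = "engine:pkcs11:pkcs11:token=mytoken;object=mykey "
                        "engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
    const char *key = "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";
    cert_list_t cl;
    int i, rc = check_config(certs, key, &cl);
    for (i = 0; i < cl.count; i++)
        printf("%s %s %s\n", i == 0 ? "leaf: " : "chain:",
               cl.refs[i].from_engine ? cl.refs[i].engine : "file", cl.refs[i].id);
    printf("leaf matches key reference: %s\n", rc == 1 ? "yes" : "no");
    return rc == 1 ? 0 : 1;
}
```

Build with "cc -std=c99 -Wall example.c" and run; with the example values it prints both references and "yes". Two points worth keeping in mind with this format: the "?pin-value=" query places the token PIN in the nginx configuration file in clear text, so that file needs the same protection as a key file would; and, as Maxim notes, OpenSSL 3.0 deprecated the ENGINE API in favour of providers, so "engine:" references depend on a deprecated interface.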

