[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine
Maxim Dounin
mdounin at mdounin.ru
Thu Jul 13 00:48:42 UTC 2023
Hello!
On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote:
> (I hope this goes properly out as I had major issues with hg email so
> combined hg export + git send-email)
>
> It is convenient to keep X.509 certificates related to key pairs stored in
> openssl engine within the engine.
>
> Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from
> the engine. This extension is not supported by all engines and in those
> cases it should report with an error.
>
> Configuration is similar to what it is for 'ssl_certificate_key'.
>
> First certificate must match with ssl_certificate_key's key pair rest of
> the certificiates are added to the certificate chain.
>
> Example configuration with libp11's pkcs11 engine:
>
> ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey
> engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
> ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";
>
> Tested the loading with two pkcs11 implementations SoftHSMv2 and with
> OP-TEE's PKCS11 Trusted Application running on Embedded Linux device.
>
> First three commits is the main beef and in order to make it more flexible
> added also last commit allowing intermediate certificates loaded from file
> system.
>
> Separator of space is used as there was already existing use of array for
> ssl_certificate configuration.
Just in case, a similar proposal was previously discussed here:
https://mailman.nginx.org/pipermail/nginx-devel/2020-April/013130.html
https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013142.html
Notably, the review is here:
https://mailman.nginx.org/pipermail/nginx-devel/2020-May/013152.html
I'm additionally sceptical about this given that engine interface
is deprecated by OpenSSL.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list