Welcome! Log In Create A New Profile

Advanced

[PATCH 1 of 1] add keyform option to SSL config to support loading private key from engine without exporting it to file

Previous Message Next Message
Forum List Message List New Topic Print View
Tatiana Kondakova
March 25, 2014 08:42AM
# HG changeset patch
# User Tatiana Kondakova <kondakova@cryptopro.ru>
# Date 1395663427 -14400
# Node ID 773a8762a7544e77d4790be8296c592b53314b0e
# Parent 345e4fd4bb64f1b3ad48a20b69f62bcd39a443c9
add keyform option to SSL config to support loading private key from engine without exporting it to file

diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.c Mon Mar 24 16:17:07 2014 +0400
@@ -14,6 +14,11 @@
ngx_uint_t engine; /* unsigned engine:1; */
} ngx_openssl_conf_t;

+typedef struct pw_cb_data
+ {
+ const void *password;
+ const char *prompt_info;
+ } PW_CB_DATA;

static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
@@ -253,7 +258,7 @@

ngx_int_t
ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
- ngx_str_t *key)
+ ngx_str_t *key, ngx_str_t *keyform)
{
BIO *bio;
X509 *x509;
@@ -340,17 +345,44 @@

BIO_free(bio);

- if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
- return NGX_ERROR;
+ if(keyform->len) {
+ PW_CB_DATA cb_data;
+ cb_data.password = NULL;
+ cb_data.prompt_info = key->data;
+
+ EVP_PKEY *pkey =
+ ENGINE_load_private_key(ENGINE_by_id(keyform->data),
+ key->data,
+ UI_create_method("OpenSSL application"
+ " user interface"),
+ &cb_data);
+ if(!pkey)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_load_private_key(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
}
-
- if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
- SSL_FILETYPE_PEM)
- == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
- return NGX_ERROR;
+ else {
+ if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ssl->ctx,
+ (char *) key->data, SSL_FILETYPE_PEM)
+ == 0)
+ {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
+ return NGX_ERROR;
+ }
}

return NGX_OK;
diff -r 345e4fd4bb64 -r 773a8762a754 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Fri Mar 21 19:33:21 2014 +0400
+++ b/src/event/ngx_event_openssl.h Mon Mar 24 16:17:07 2014 +0400
@@ -112,7 +112,7 @@
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
ngx_int_t ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
- ngx_str_t *cert, ngx_str_t *key);
+ ngx_str_t *cert, ngx_str_t *key, ngx_str_t *keyform);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.c Mon Mar 24 16:17:07 2014 +0400
@@ -90,6 +90,13 @@
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL },
+
+ { ngx_string("ssl_keyform_engine"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, certificate_keyform),
+ NULL },

{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
@@ -556,6 +563,8 @@

ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
+ ngx_conf_merge_str_value(conf->certificate_keyform,
+ prev->certificate_keyform, "");

ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");

@@ -646,7 +655,7 @@
cln->data = &conf->ssl;

if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate,
- &conf->certificate_key)
+ &conf->certificate_key, &conf->certificate_keyform)
!= NGX_OK)
{
return NGX_CONF_ERROR;
diff -r 345e4fd4bb64 -r 773a8762a754 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Fri Mar 21 19:33:21 2014 +0400
+++ b/src/http/modules/ngx_http_ssl_module.h Mon Mar 24 16:17:07 2014 +0400
@@ -34,6 +34,7 @@

ngx_str_t certificate;
ngx_str_t certificate_key;
+ ngx_str_t certificate_keyform;
ngx_str_t dhparam;
ngx_str_t ecdh_curve;
ngx_str_t client_certificate;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[PATCH 0 of 1] allow to use engine keyform for server private key

Tatiana Kondakova 794 March 25, 2014 08:42AM

[PATCH 1 of 1] add keyform option to SSL config to support loading private key from engine without exporting it to file

Tatiana Kondakova 322 March 25, 2014 08:42AM

Re: [PATCH 0 of 1] allow to use engine keyform for server private key

Maxim Dounin 317 March 25, 2014 01:12PM

Re: [PATCH 0 of 1] allow to use engine keyform for server private key

Piotr Sikora 258 March 25, 2014 02:26PM

Re: [PATCH 0 of 1] allow to use engine keyform for server private key

Maxim Dounin 286 March 25, 2014 02:44PM

Re: [PATCH 0 of 1] allow to use engine keyform for server private key

Piotr Sikora 368 March 25, 2014 04:12PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 148
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready