Welcome! Log In Create A New Profile

Advanced

Re: [PATCH] allow to use engine keyform for server private key

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
July 22, 2014 10:54AM
Hello!

On Tue, Jul 22, 2014 at 03:16:35PM +0400, Dmitrii Pichulin wrote:

> # HG changeset patch
> # User Dmitrii Pichulin <pdn@cryptopro.ru>
> # Date 1406021876 -14400
> # Tue Jul 22 13:37:56 2014 +0400
> # Node ID 638389b21e0e1522ed8b8205012f5af562dc50c7
> # Parent 63d7d69d0fe48e030ff9fc520c7036dbd1ebc13f
> allow to use engine keyform for server private key

The patch is built against an old version, and there are
conflicting changes in nginx 1.7.3.

>
> diff -r 63d7d69d0fe4 -r 638389b21e0e src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c Fri Jun 20 12:55:41 2014 +0400
> +++ b/src/event/ngx_event_openssl.c Tue Jul 22 13:37:56 2014 +0400
> @@ -257,11 +257,31 @@
>
> ngx_int_t
> ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
> - ngx_str_t *key)
> + ngx_str_t *key, ngx_str_t *keyform, ngx_str_t *engine)
> {
> - BIO *bio;
> - X509 *x509;
> - u_long n;
> + BIO *bio;
> + X509 *x509;
> + u_long n;
> + ngx_uint_t ssl_use_engine_keyform = 0;
> +
> + if (keyform->len) {
> +
> + if (ngx_strcmp(keyform->data, "ENGINE") == 0) {
> + ssl_use_engine_keyform = 1;
> +
> + } else if (ngx_strcmp(keyform->data, "PEM") != 0) {
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "invalid parameter: %V", keyform);
> + return NGX_ERROR;
> + }
> + }
> +
> + if (ssl_use_engine_keyform && engine->len == 0) {
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "no \"ssl_certificate_engine\" is defined "
> + "while \"ssl_certificate_keyform\" is \"ENGINE\"");
> + return NGX_ERROR;
> + }
>
> if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) {
> return NGX_ERROR;

As previously suggested, it should be "engine=" parameter of the
ssl_certificate_key directive and/or some specific path prefix to
load a key from an engine (like "engine:<foo>:<keyid>" instead of
a file name), see the thread here:

http://mailman.nginx.org/pipermail/nginx-devel/2014-March/005114.html

There is no need to introduce such a number of directives - there
is no real need for this, and it's confusing for users.

> @@ -344,17 +364,51 @@
>
> BIO_free(bio);
>
> - if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
> - return NGX_ERROR;
> - }
> -
> - if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data,
> - SSL_FILETYPE_PEM)
> - == 0)
> - {
> - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> - "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
> - return NGX_ERROR;
> + if (ssl_use_engine_keyform) {
> + EVP_PKEY *pkey;
> + ENGINE *e;
> +

Please define all variables at function start.

> + e = ENGINE_by_id((const char *) engine->data);

There is no need to use "const" in the cast.

> +
> + if (e == NULL) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "ENGINE_by_id(\"%s\") failed", engine->data);
> + return NGX_ERROR;
> + }
> +
> + pkey = ENGINE_load_private_key(e, (const char *)key->data, 0, 0);

Style: there should be a space between "(const char *)" and
"key->data". (Also, there is no need to use "const" in the cast.)

> +
> + ENGINE_free(e);
> +
> + if (!pkey) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "ENGINE_load_private_key(\"%s\") failed", key->data);
> + return NGX_ERROR;
> + }

Error stack may be changed by the ENGINE_free().

Additinally, it looks like ENGINE_free() can return errors, and it
may be a good idea to check them.

> +
> + if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);

Style: it may be a good idea to break the line into two here.

> + EVP_PKEY_free(pkey);
> + return NGX_ERROR;
> + }
> +
> + EVP_PKEY_free(pkey);
> +
> + } else {

It should be better to just return here and hence avoid
indentation changes on the default code path.

> +
> + if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
> + return NGX_ERROR;
> + }
> +
> + if (SSL_CTX_use_PrivateKey_file(ssl->ctx,
> + (char *) key->data, SSL_FILETYPE_PEM)
> + == 0)
> + {
> + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
> + "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data);
> + return NGX_ERROR;
> + }
> }
>
> return NGX_OK;

[...]

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 2769 July 22, 2014 07:16AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 1196 July 22, 2014 10:54AM

[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 900 July 23, 2014 10:56AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 835 July 27, 2014 10:44PM

[PATCH 0 of 1 ] Questions about ENGINE_load_private_key

Dmitrii Pichulin 1066 July 29, 2014 11:12AM

[PATCH 1 of 1] allow to use engine keyform for server private key

Dmitrii Pichulin 804 July 29, 2014 11:12AM

Re: [PATCH 1 of 1] allow to use engine keyform for server private key

Maxim Dounin 737 July 29, 2014 11:42AM

[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 780 July 30, 2014 11:30AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 906 July 31, 2014 09:50AM

Re: [PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 656 August 01, 2014 01:22AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 907 August 01, 2014 01:00PM

[PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 1035 August 04, 2014 03:08AM

Re: [PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 769 August 11, 2014 12:38AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 785 August 11, 2014 08:44PM

Re: [PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 4334 October 29, 2014 10:48AM

Re: [PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 738 November 21, 2014 12:22AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 924 November 21, 2014 08:10AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 983 December 03, 2014 04:26PM

Re: [PATCH] allow to use engine keyform for server private key

Dmitrii Pichulin 740 December 04, 2014 05:58AM

Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin 1071 December 04, 2014 09:42AM

Re: [PATCH 0 of 1 ] Questions about ENGINE_load_private_key

Maxim Dounin 1114 July 29, 2014 11:34AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

pamplemousse
Guests: 169
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready