Re: [PATCH] allow to use engine keyform for server private key

Maxim Dounin
December 03, 2014 04:26PM
Hello!

On Fri, Nov 21, 2014 at 04:09:01PM +0300, Maxim Dounin wrote:

> On Fri, Nov 21, 2014 at 08:22:13AM +0300, Dmitrii Pichulin wrote:
>
> > Ping.
> >
> > Patch:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> >
> > Example:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
>
> Thanks again and sorry, still no time. I hope I'll be able to
> look into it in the next week or so.

Below is the patch with some minor tweaking to better match nginx
code style, please check if it looks ok for you.

And, BTW, thanks for the detailed usage example, it was really
helpful even on FreeBSD (just one side note: "ssl_engine pkcs11"
in nginx config isn't needed).

# HG changeset patch
# User Dmitrii Pichulin
# Date 1407135800 -14400
# Mon Aug 04 11:03:20 2014 +0400
# Node ID 33d24b89fa274b7fdbfaec9c28f4b553ddc14712
# Parent 16be523be8e4541f45ba98c8071295f267ff14ff
SSL: loading certificate keys via ENGINE_load_private_key().

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -376,6 +376,67 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_

BIO_free(bio);

+ if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+ u_char *p, *last;
+ ENGINE *engine;
+ EVP_PKEY *pkey;
+
+ p = key->data + sizeof("engine:") - 1;
+ last = (u_char *) ngx_strchr(p, ':');
+
+ if (last == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid syntax in \"%V\"", key);
+ return NGX_ERROR;
+ }
+
+ *last = '\0';
+
+ engine = ENGINE_by_id((char *) p);
+
+ if (engine == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_by_id(\"%s\") failed", p);
+ return NGX_ERROR;
+ }
+
+ *last++ = ':';
+
+ pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+ if (pkey == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_load_private_key(\"%s\") failed", last);
+ ENGINE_free(engine);
+ return NGX_ERROR;
+ }
+
+ ENGINE_free(engine);
+
+ if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
+ EVP_PKEY_free(pkey);
+ return NGX_ERROR;
+ }
+
+ EVP_PKEY_free(pkey);
+
+ return NGX_OK;
+
+#else
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "loading \"engine:...\" certificate keys "
+ "is not supported");
+ return NGX_ERROR;
+
+#endif
+ }
+
if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
return NGX_ERROR;
}
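Review bot: the `if (engine == NULL)` branch returns after `*last = '\0'` has already been applied, so on that error path `key->data` is left truncated at the engine id while `key->len` is unchanged; add `*last = ':';` before that `return NGX_ERROR;` so any later logging of `key` by the caller shows the original value. Also, `ENGINE_load_private_key(engine, (char *) last, 0, 0)` passes no `UI_METHOD` and no callback data, so a key that requires interactive authentication (a PIN, for instance) can only be loaded if the engine obtains it by other means; the commit message should state this limitation together with the `engine:name:id` syntax, which it currently does not describe.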


--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel