Re: [PATCH] allow to use engine keyform for server private key
Maxim Dounin
December 03, 2014 04:26PM
Hello!

On Fri, Nov 21, 2014 at 04:09:01PM +0300, Maxim Dounin wrote:

> On Fri, Nov 21, 2014 at 08:22:13AM +0300, Dmitrii Pichulin wrote:
>
> > Ping.
> >
> > Patch:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005740.html
> >
> > Example:
> > http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
>
> Thanks again and sorry, still no time. I hope I'll be able to
> look into it in the next week or so.

Below is the patch with some minor tweaking to better match nginx
code style, please check if it looks ok for you.

And, BTW, thanks for the detailed usage example, it was really
helpful even on FreeBSD (just one side note: "ssl_engine pkcs11"
in nginx config isn't needed).

# HG changeset patch
# User Dmitrii Pichulin
# Date 1407135800 -14400
# Mon Aug 04 11:03:20 2014 +0400
# Node ID 33d24b89fa274b7fdbfaec9c28f4b553ddc14712
# Parent 16be523be8e4541f45ba98c8071295f267ff14ff
SSL: loading certificate keys via ENGINE_load_private_key().

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -376,6 +376,67 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_

BIO_free(bio);

+ if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) {
+
+#ifndef OPENSSL_NO_ENGINE
+
+ u_char *p, *last;
+ ENGINE *engine;
+ EVP_PKEY *pkey;
+
+ p = key->data + sizeof("engine:") - 1;
+ last = (u_char *) ngx_strchr(p, ':');
+
+ if (last == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid syntax in \"%V\"", key);
+ return NGX_ERROR;
+ }
+
+ *last = '\0';
+
+ engine = ENGINE_by_id((char *) p);
+
+ if (engine == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_by_id(\"%s\") failed", p);
+ return NGX_ERROR;
+ }
+
+ *last++ = ':';
+
+ pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);
+
+ if (pkey == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "ENGINE_load_private_key(\"%s\") failed", last);
+ ENGINE_free(engine);
+ return NGX_ERROR;
+ }
+
+ ENGINE_free(engine);
+
+ if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_use_PrivateKey(\"%s\") failed", last);
+ EVP_PKEY_free(pkey);
+ return NGX_ERROR;
+ }
+
+ EVP_PKEY_free(pkey);
+
+ return NGX_OK;
+
+#else
+
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "loading \"engine:...\" certificate keys "
+ "is not supported");
+ return NGX_ERROR;
+
+#endif
+ }
+
if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) {
return NGX_ERROR;
}
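Review bot: at `engine = ENGINE_by_id((char *) p);` the engine is obtained with a structural reference only, and ENGINE_load_private_key() rejects an engine that has not been functionally initialised (it fails with ENGINE_R_NOT_INITIALISED), so the new path works only when the engine was already initialised somewhere else, for instance from OpenSSL's config file (engine section with `init = 1`, read by OPENSSL_config()) or by an earlier ssl_engine directive. Either wrap the load in ENGINE_init() / ENGINE_finish() (ENGINE_finish() can be called right after ENGINE_load_private_key(), before the existing ENGINE_free(engine), since the EVP_PKEY holds its own references) or state this requirement in the commit message and documentation; as written, a user who has not initialised the engine only sees the generic "ENGINE_load_private_key(...) failed". Related: the UI_METHOD and callback_data arguments at `pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);` are 0, so a PIN-protected token cannot prompt and the PIN has to come from the engine's own configuration, which should be documented alongside the new engine:name:id syntax.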


--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
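A worked configuration for the new key form, added here as an example; it is not taken from the thread or from nginx's own documentation. With the patch applied, the server key is selected with a quoted directive such as

`ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx;object=server-key;type=private";`

while the certificate still comes from a file via ssl_certificate, because the patch only changes key loading. Everything after the first ':' that follows the engine name is handed to the engine unchanged, so a key id that itself contains colons is fine, but the semicolons of a PKCS#11 URI must be protected by the double quotes or nginx's parser ends the directive at the first one. nginx only calls ENGINE_by_id() and ENGINE_load_private_key(), so the engine has to be loaded and initialised before that; OpenSSL does this from its config file, which nginx reads at startup through OPENSSL_config(), and that is what makes the ssl_engine directive unnecessary. The engine name pkcs11, the library paths, the token label, object name and PIN, and the assumption that the engine build accepts PKCS#11 URIs (older engine_pkcs11 releases use ids such as slot_0-id_45) are all placeholders:

```ini
# openssl.cnf (added example; paths, token label, object name and PIN are placeholders)
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine_pkcs11 is loaded through OpenSSL's built-in "dynamic" engine
dynamic_path = /usr/lib/engines/engine_pkcs11.so
# PKCS#11 module that actually talks to the token (here OpenSC's)
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# PIN for the private-key object; nginx passes no UI_METHOD, so the
# engine cannot prompt for it at startup
PIN = 123456
# initialise the engine now (after the ctrls above), so that the engine
# ENGINE_by_id() hands to nginx is already functional and
# ENGINE_load_private_key() does not fail with "not initialised"
init = 1
```

Leaving out default_algorithms is deliberate: the engine is then used only for this key and not made the default for every other operation. The PIN line turns openssl.cnf into key material, so give the file the same ownership and mode as the PEM key it replaces. Before restarting nginx, `openssl engine -t pkcs11` reports whether the engine loads and initialises from that config, which separates OpenSSL configuration problems from problems with the directive itself.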