Hi,

This patch leverages PKCS#11 support in nginx http module using libp11.
This allows the private key to be stored in a dedicated hardware (or
software) component.

The following patch does not deal with the "configure" tools of nginx.
I wanted to get feedback prior to writing nginx "autoconf" scripts to
deal with multiple platforms.

To test, apply the patch, run configure (with http/ssl enabled), and
modify objs/Makefile to add "-lp11" to link the libp11 library.

To configure use the following parameters:
* ssl_pkcs11, on or off
* ssl_certificate, no change the server certificate is fetched on the disk
* ssl_certificate_key, string mapped to the PKCS#11 "label" attribute
* ssl_pkcs11_pin, string of the token PIN
* ssl_pkcs11_module, path to the PKCS#11 shared library

Instead of tweaking ngx_ssl_certificate function, I have added
the ngx_ssl_certificate_pkcs11 function which is used when ssl_pkcs11 is
enabled.

This approach could also be applied to the nginx mail module.

Feedback appreciated.

Regards,


--
Cordialement,

Thomas Calderon
Laboratoire architectures matérielles et logicielles
Sous-direction expertise
ANSSI
Tél: 01 71 75 88 55
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel