Nikos Mavrogiannopoulos
June 19, 2015 09:50AM
Hello,
The attached patch allows loading PKCS #11 URLs in the
ssl_certificate_key.

That is, one only needs to specify:
ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234"

to access a key in an HSM. That's the only step required.
That extends the previous approach which is generic, but tedious, and
requires modifying openssl config files shared with other apps.
See [0] for comparison.

This works with the latest engine_pkcs11, and p11-kit (which takes care
of module registration).

Note that PKCS #11 URLs, described in RFC 7512, are becoming the way to
specify keys stored in PKCS #11 modules. engine_pkcs11 supports them
already, as well as GnuTLS natively. See also Fedora's stance on them
[1].

regards,
Nikos

[0] http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
[1] https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
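As an added illustration (not part of the post or of the nginx patch), the following Python parses a pkcs11: URL of the kind shown above into its attributes following RFC 7512 syntax and reports how the PIN is being supplied; the sample URL and the file path in the test are constructed placeholders. RFC 7512 places pin-value/pin-source in the query part, but engine_pkcs11 also accepts them in the path as the post's example does, so the parser handles both placements.

```python
from urllib.parse import unquote

# Constructed sample modelled on the post's example; the serial and PIN are placeholders.
SAMPLE_URL = "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;pin-value=1234"


def parse_pkcs11_url(url: str) -> dict:
    """Split a pkcs11: URI into a dict of attributes.

    Path attributes (right after 'pkcs11:') are ';'-separated, query
    attributes (after '?') are '&'-separated; keys and values are
    percent-decoded. Duplicate or malformed attributes raise ValueError.
    """
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for component, sep in ((path, ";"), (query, "&")):
        for item in filter(None, component.split(sep)):
            key, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute: {item!r}")
            key = unquote(key)
            if key in attrs:
                raise ValueError(f"duplicate attribute: {key}")
            attrs[key] = unquote(value)
    return attrs


def pin_findings(attrs: dict) -> list:
    """Return review findings about how the HSM PIN reaches the module."""
    findings = []
    if "pin-value" in attrs:
        findings.append(
            "pin-value: the PIN is stored in clear in nginx.conf; "
            "prefer pin-source pointing at a root-only readable file"
        )
    if "pin-value" not in attrs and "pin-source" not in attrs:
        findings.append("no PIN attribute: a daemon cannot answer an interactive prompt")
    if not any(k in attrs for k in ("id", "object", "serial", "token")):
        findings.append("no id/object/serial/token: the URL may match more than one key")
    return findings


if __name__ == "__main__":
    parsed = parse_pkcs11_url(SAMPLE_URL)
    print(parsed)
    for line in pin_findings(parsed):
        print("finding:", line)
```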
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Thread index (Subject | Author | Views | Posted):
patch to allow loading PKCS #11 URLs | Nikos Mavrogiannopoulos | 1070 | June 19, 2015 09:50AM
Re: patch to allow loading PKCS #11 URLs | Maxim Dounin | 449 | June 19, 2015 10:08AM
Re: patch to allow loading PKCS #11 URLs | Nikos Mavrogiannopoulos | 433 | June 19, 2015 10:40AM
Re: patch to allow loading PKCS #11 URLs | Maxim Dounin | 470 | June 21, 2015 09:12PM
Re: patch to allow loading PKCS #11 URLs | Nikos Mavrogiannopoulos | 860 | June 22, 2015 05:08AM
Re: patch to allow loading PKCS #11 URLs | Nikos Mavrogiannopoulos | 460 | June 24, 2015 09:28AM
Re: patch to allow loading PKCS #11 URLs | Maxim Dounin | 537 | July 05, 2015 08:02PM
enhanced pkcs11 patch [was: patch to allow loading PKCS #11 URLs] | Nikos Mavrogiannopoulos | 469 | July 15, 2015 02:22AM