Maxim Dounin
June 21, 2015 09:12PM
Hello!

On Fri, Jun 19, 2015 at 04:39:48PM +0200, Nikos Mavrogiannopoulos wrote:

> On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> >
> > Have you tried
> > ssl_certificate_key
> > "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> > instead?
> > I don't see how it's different from the code you propose.
>
> Hi,
> Yes, I've tried it. It would be specified as:
> "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
>
> But doesn't work, because it doesn't initialize the pkcs11 engine.

Shouldn't initialization of an engine be added to "engine:..."
handling then?

(Just a side note: your patch has ENGINE_init() but no
ENGINE_finish(). It looks like a leak.)

> Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the purpose
> of PKCS #11 URLs which is to use the same string to identify the same
> keys on all applications.

The goal of the "engine:..." syntax is to allow nginx to load keys
from arbitrary engines. With this approach you can use PKCS #11
URLs as identifiers for engines which support them - though you
have to write a prefix "engine:<name>:" to instruct nginx to load
a key from a named engine rather than a file. So I don't think
that the current approach "defeats the purpose" somehow - it's
just a bit more chatty than it can be assuming nginx knows for
sure that the only engine usable for PKCS #11 URLs is pkcs11.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
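The two key-reference forms the thread argues about, the "engine:<name>:<id>" prefix that nginx's "engine:..." syntax requires and the bare PKCS #11 URI that the patch wants to accept directly, can be parsed and normalised to the same (engine, key id) pair. The code below is an added illustration written for this page, not nginx's or OpenSSL's code and not the patch under discussion. It assumes that the engine prefix is split on its first two colons only (so a key id that is itself a "pkcs11:" URI keeps its scheme and ';'-separated attributes intact), that percent-encoding in the URI follows RFC 7512, and that mapping a bare "pkcs11:" URI to the engine named "pkcs11" is the proposed convenience behaviour rather than existing nginx behaviour. The sample values are constructed.

```python
"""Normalise ssl_certificate_key-style values to (engine, key id).

Added example for the nginx-devel thread above; not nginx code.
"""
from urllib.parse import unquote

# Assumption (the proposal discussed in the thread): a bare URI whose
# scheme is "pkcs11" is loaded through the OpenSSL engine called "pkcs11".
SCHEME_TO_ENGINE = {"pkcs11": "pkcs11"}


def parse_certificate_key(value: str):
    """Return ("file", path) or ("engine", engine_name, key_id).

    Mirrors the "engine:<name>:<id>" convention: split on the first two
    colons only, so the key id may contain further colons (e.g. the
    "pkcs11:" scheme of a PKCS #11 URI).
    """
    if not value.startswith("engine:"):
        return ("file", value)
    rest = value[len("engine:"):]
    name, sep, key_id = rest.partition(":")
    if not sep or not name or not key_id:
        raise ValueError(f"malformed engine key spec: {value!r}")
    return ("engine", name, key_id)


def resolve_key_source(value: str):
    """Like parse_certificate_key, but also accept a bare PKCS #11 URI.

    This is the shorter form the thread calls for: nginx would infer the
    engine from the URI scheme instead of requiring "engine:pkcs11:".
    """
    parsed = parse_certificate_key(value)
    if parsed[0] == "engine":
        return parsed
    scheme, sep, _ = value.partition(":")
    if sep and scheme in SCHEME_TO_ENGINE and not value.startswith("/"):
        return ("engine", SCHEME_TO_ENGINE[scheme], value)
    return parsed


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse a PKCS #11 URI (RFC 7512) into an attribute dict.

    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated; both are percent-decoded. The thread's example places
    pin-value in the path part, which this parser accepts as well.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError(f"not a PKCS #11 URI: {uri!r}")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sepchar in ((path, ";"), (query, "&")):
        for item in part.split(sepchar) if part else []:
            key, sep, val = item.partition("=")
            if not sep or not key:
                raise ValueError(f"bad attribute: {item!r}")
            attrs[key] = unquote(val)
    return attrs


if __name__ == "__main__":
    # Constructed values, modelled on the thread's SoftHSM example.
    long_form = ("engine:pkcs11:pkcs11:model=SoftHSM%20v2;"
                 "serial=f0490bea35;pin-value=1234")
    short_form = "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;pin-value=1234"
    print(resolve_key_source(long_form))
    print(resolve_key_source(short_form))
    print(parse_pkcs11_uri(short_form))
```

Both forms resolve to the same engine name and key id, which is the sense in which the prefixed syntax is only "more chatty" than the bare URI; a file path such as `/etc/nginx/key.pem` still falls through to the file loader because it carries no "engine:" prefix and no known URI scheme.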