Welcome! Log In Create A New Profile

Advanced

Re: patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos
June 22, 2015 05:08AM
On Mon, 2015-06-22 at 04:11 +0300, Maxim Dounin wrote:
>
> > Hi,
> > Yes, I've tried it. It would be specified as:
> > "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin
> > -value=1234";
> >
> > But doesn't work, because it doesn't initialize the pkcs11 engine.
> Shouldn't initialization of an engine be added to "engine:..."
> handling then?

Hi,
I am not sure how the original engine approach was intended to work.
My understanding from the mail I quoted was that it required the engine
to be enabled via the openssl.cnf file. That's why I didn't touch that
part. I could update that part as well if you think it would be a nice
addition.

> (Just a side note: your patch has ENGINE_init() but no
> ENGINE_finish(). It looks like a leak.)

I'm not very familiar with the nginx code base and that could be indeed
an issue. Where would that finish be called? The engine initialization
for pkcs11 should stay up for the lifetime of all connections.

> > Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the
> > purpose
> > of PKCS #11 URLs which is to use the same string to identify the
> > same
> > keys on all applications.
> The goal of the "engine:..." syntax is to allow nginx to load keys
> from arbitrary engines. With this approach you can use PKCS #11
> URLs as identifiers for engines which support them - though you
> have to write a prefix "engine:<name>:" to instruct nginx to load
> a key from a named engine rather than a file. So I don't think
> that the current approach "defeats the purpose" somehow - it's
> just a bit more chatty than it can be assuming nginx knows for
> sure that the only engine useable for PKCS #11 URLs is pkcs11.

Note that supporting the "pkcs11:" urls directly, has the advantage
that it doesn't make nginx dependent on any engine to support PKCS #11.
The current support relies on engine_pkcs11, which is a 3rd party
module (not in openssl distribution). It should be future-proof to have
a way to load PKCS #11 modules which is independent of the backend used
by nginx. So you could change the internal backend (for example to use
libp11 directly), without requiring all nginx users to change their
configuration files and remove the "engine:pkcs11:" part from their
keys.

It would of course be good to keep the engine support there for the
users that may need other modules than pkcs11, but for HSMs, all crypto
card providers do ship a PKCS #11 module. So I would expect that the
need for PKCS #11 support would overshadow the need for any other
engine supported by openssl.

regards,
Nikos

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos 1073 June 19, 2015 09:50AM

Re: patch to allow loading PKCS #11 URLs

Maxim Dounin 452 June 19, 2015 10:08AM

Re: patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos 434 June 19, 2015 10:40AM

Re: patch to allow loading PKCS #11 URLs

Maxim Dounin 473 June 21, 2015 09:12PM

Re: patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos 862 June 22, 2015 05:08AM

Re: patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos 461 June 24, 2015 09:28AM

Re: patch to allow loading PKCS #11 URLs

Maxim Dounin 538 July 05, 2015 08:02PM

enhanced pkcs11 patch [was: patch to allow loading PKCS #11 URLs]

Nikos Mavrogiannopoulos 470 July 15, 2015 02:22AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 144
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready