Welcome! Log In Create A New Profile

Advanced

[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Vesa Jääskeläinen via nginx-devel
July 12, 2023 10:08AM
(I hope this goes properly out as I had major issues with hg email so
combined hg export + git send-email)

It is convenient to keep X.509 certificates related to key pairs stored in
openssl engine within the engine.

Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from
the engine. This extension is not supported by all engines and in those
cases it should report with an error.

Configuration is similar to what it is for 'ssl_certificate_key'.

First certificate must match with ssl_certificate_key's key pair rest of
the certificiates are added to the certificate chain.

Example configuration with libp11's pkcs11 engine:

ssl_certificate "engine:pkcs11:pkcs11:token=mytoken;object=mykey
engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
ssl_certificate_key "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";

Tested the loading with two pkcs11 implementations SoftHSMv2 and with
OP-TEE's PKCS11 Trusted Application running on Embedded Linux device.

First three commits is the main beef and in order to make it more flexible
added also last commit allowing intermediate certificates loaded from file
system.

Separator of space is used as there was already existing use of array for
ssl_certificate configuration.

Thanks,
Vesa Jääskeläinen
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Vesa Jääskeläinen via nginx-devel 285 July 12, 2023 10:08AM

[PATCH 1/4] SSL: Add support for loading X.509 certificate from openssl engine

Vesa Jääskeläinen via nginx-devel 58 July 12, 2023 10:08AM

[PATCH 2/4] Core: Add ngx_strtok_r()

Vesa Jääskeläinen via nginx-devel 51 July 12, 2023 10:08AM

[PATCH 3/4] SSL: Add support for loading X.509 certificate chain from openssl engine

Vesa Jääskeläinen via nginx-devel 57 July 12, 2023 10:08AM

[PATCH 4/4] SSL: Improve X.509 certificate loading from openssl engine with file source

Vesa Jääskeläinen via nginx-devel 53 July 12, 2023 10:08AM

Re: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Maxim Dounin 60 July 12, 2023 08:50PM

Re: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Vesa Jääskeläinen via nginx-devel 52 July 13, 2023 03:40AM

Re: [PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Maxim Dounin 76 July 14, 2023 09:44PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 234
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready