On Tue, Dec 5, 2023 at 4:26 PM <jor...@apache.org> wrote:
>
> Author: jorton
> Date: Tue Dec 5 15:26:22 2023
> New Revision: 1914365
>
> URL: http://svn.apache.org/viewvc?rev=1914365&view=rev
> Log:
> mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
> the STORE API. Separates compile-time support for the STORE API
> (supported in 3.x) from support for the ENGINE API (deprecated in
> 3.x).
>
> * modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
> OpenSSL 3.0+.
>
> * modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
> modssl_load_keypair_store): New functions.
> (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
> (modssl_load_engine_keypair): Reimplement to use new STORE-based
> functions if SSLCryptoDevice was not configured, or else old
> ENGINE implementation.
>
> * modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
> also for the OpenSSL 3.x STORE API.
>
> * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
> message on error paths for the provider/STORE case.
> > Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com> > Submitted by: Ingo Franzki <ifranzki linux.ibm.com> > Github: closes #397, closes #398 > [] > > Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1914365&r1=1914364&r2=1914365&view=diff > ============================================================================== > --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original) > +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Tue Dec 5 15:26:22 > 2023 [] > + > +apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, > + const char *vhostid, > + const char *certid, const char > *keyid, > + X509 **pubkey, EVP_PKEY **privkey) > +{ > +#if MODSSL_HAVE_OPENSSL_STORE > + SSLModConfigRec *mc = myModConfig(s); > + > + if (!mc->szCryptoDevice) > + return modssl_load_keypair_store(s, p, vhostid, certid, keyid, > + pubkey, privkey); > +#endif > +#if MODSSL_HAVE_ENGINE_API > + return modssl_load_keypair_engine(s, p, vhostid, certid, keyid, > + pubkey, privkey); > #else > return APR_ENOTIMPL; > #endif
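Review bot: in modssl_load_engine_keypair the STORE branch returns unconditionally whenever szCryptoDevice is unset, so on a MODSSL_HAVE_OPENSSL_STORE build a pkcs11: key that is only reachable through a legacy ENGINE (libp11 wired in via the OpenSSL configuration, no provider STORE loader for the pkcs11 scheme) never reaches modssl_load_keypair_engine and fails inside modssl_load_keypair_store instead. Consider having modssl_load_keypair_store report "no store loader for this URI scheme" with a distinct status such as APR_ENOTIMPL and falling through to the ENGINE path only on that status, e.g. `rv = modssl_load_keypair_store(...); if (rv == APR_ENOTIMPL) rv = modssl_load_keypair_engine(...);` under the existing #if guards, while a real lookup failure in an available store still fails rather than being silently retried via ENGINE. Also, the commit log entry for the rename reads "(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine", with the same name on both sides.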
Hm, it seems that with openssl-3+ we can handle/support pkcs#11 URIs only via
the store API now. modssl_load_keypair_store() will fail/die if it can't find
the cert/key in the STORE, but couldn't modssl_load_keypair_engine() find them
if the OpenSSL configuration (and underlying lib, e.g. libp11) still uses the
legacy engine API? The engine API is still available in openssl-3 and might
still be used IIUC.

So don't we need something like this:

    apr_status_t rv = APR_ENOTIMPL;
#if MODSSL_HAVE_OPENSSL_STORE
    SSLModConfigRec *mc = myModConfig(s);

    if (!mc->szCryptoDevice)
        rv = modssl_load_keypair_store(s, p, vhostid, certid, keyid,
                                       pubkey, privkey);
#endif
#if MODSSL_HAVE_ENGINE_API
    if (rv == APR_ENOTIMPL)
        rv = modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
                                        pubkey, privkey);
#endif
    return rv;

and somehow make modssl_load_keypair_store() return APR_ENOTIMPL when there is
no store to get the cert/key from?

Regards;
Yann.