On Tue, Dec 5, 2023 at 4:26 PM <jor...@apache.org> wrote:
>
> Author: jorton
> Date: Tue Dec  5 15:26:22 2023
> New Revision: 1914365
>
> URL: http://svn.apache.org/viewvc?rev=1914365&view=rev
> Log:
> mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
> the STORE API. Separates compile-time support for the STORE API
> (supported in 3.x) from support for the ENGINE API (deprecated in
> 3.x).
>
> * modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
>   OpenSSL 3.0+.
>
> * modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
>   modssl_load_keypair_store): New functions.
>   (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
>   (modssl_load_engine_keypair): Reimplement to use new STORE-based
>   functions if SSLCryptoDevice was not configured, or else old
>   ENGINE implementation.
>
> * modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
>   also for the OpenSSL 3.x STORE API.
>
> * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
>   message on error paths for the provider/STORE case.
>
> Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
> Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
> Github: closes #397, closes #398
>
[]
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1914365&r1=1914364&r2=1914365&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Tue Dec  5 15:26:22 
> 2023
[]
> +
> +apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
> +                                        const char *vhostid,
> +                                        const char *certid, const char 
> *keyid,
> +                                        X509 **pubkey, EVP_PKEY **privkey)
> +{
> +#if MODSSL_HAVE_OPENSSL_STORE
> +    SSLModConfigRec *mc = myModConfig(s);
> +
> +    if (!mc->szCryptoDevice)
> +        return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
> +                                         pubkey, privkey);
> +#endif
> +#if MODSSL_HAVE_ENGINE_API
> +    return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
> +                                      pubkey, privkey);
>  #else
>      return APR_ENOTIMPL;
>  #endif
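Review bot: in the MODSSL_HAVE_OPENSSL_STORE branch the result of modssl_load_keypair_store() is returned unconditionally whenever mc->szCryptoDevice is unset, so on a build where MODSSL_HAVE_ENGINE_API is also defined the modssl_load_keypair_engine() path below it is never reached for a pkcs11: URI that only a legacy ENGINE (one loaded through the OpenSSL configuration rather than SSLCryptoDevice) can serve. The `#else` / `return APR_ENOTIMPL;` only covers the no-ENGINE build; there is no status for "STORE compiled in, but no loader accepted this URI". Consider making the STORE loader report that case distinctly (APR_ENOTIMPL, say) and only then falling through, e.g. `if (!mc->szCryptoDevice) rv = modssl_load_keypair_store(...);` followed by `if (rv == APR_ENOTIMPL) rv = modssl_load_keypair_engine(...);`, so a STORE failure for an unregistered scheme does not preempt an ENGINE that could have found the key.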

Hm, it seems that with openssl-3+ we can handle/support pkcs#11 URIs
only via the store API now.
modssl_load_keypair_store() will fail/die if it can't find the
cert/key in the STORE, but couldn't modssl_load_keypair_engine() find
them if the OpenSSL configuration (and underlying lib, e.g. libp11)
still uses the legacy engine API? The engine API is still available in
openssl-3 and might still be used IIUC.

So don't we need something like this:

    apr_status_t rv = APR_ENOTIMPL;
#if MODSSL_HAVE_OPENSSL_STORE
    SSLModConfigRec *mc = myModConfig(s);
    if (!mc->szCryptoDevice)
        rv = modssl_load_keypair_store(s, p, vhostid, certid, keyid,
                                       pubkey, privkey);
#endif
#if MODSSL_HAVE_ENGINE_API
    if (rv == APR_ENOTIMPL)
        rv = modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
                                        pubkey, privkey);
#endif
    return rv;

and somehow make modssl_load_keypair_store() return APR_ENOTIMPL when
there is no store to get the cert/key from?


Regards;
Yann.
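
The distinction the reply asks for, "no store to get the cert/key from" versus "store opened but nothing matching", can be seen from the command line with openssl(1)'s storeutl, which is a thin front end to OSSL_STORE_open()/OSSL_STORE_load(). The script below is an added example and is not code from httpd or from this thread; it assumes an OpenSSL 3.x (or 1.1.1) `openssl` binary on PATH with no pkcs11 provider or engine configured, and the key file and pkcs11: URI it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not httpd code, not from the thread): classify what the
# OpenSSL STORE API does with a URI by driving `openssl storeutl`.
# Assumes: `openssl` 3.x or 1.1.1 on PATH, no pkcs11 provider/engine loaded.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixture: a throwaway EC private key, reachable through the
# built-in "file" store loader.
KEY="$WORK/key.pem"
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$KEY" 2>/dev/null

# Constructed pkcs11: URI; nothing on this host is expected to resolve it.
PKCS11_URI='pkcs11:token=demo;object=server-key;type=private'

# store_probe FILTER URI
#   FILTER is storeutl's object filter (-keys or -certs).
#   Exit status classifies what OSSL_STORE did with the URI:
#     0  store opened and at least one matching object was loaded
#     1  store opened, but it held no object of the requested type
#     2  no store loader is registered for the URI's scheme; this is the
#        case where a loader based on OSSL_STORE alone cannot help and a
#        legacy ENGINE fallback would be the only remaining option
#     3  any other failure (openssl missing, unreadable file, ...)
store_probe() {
    filter=$1
    uri=$2
    # storeutl prints "Total found: N" after a successful open; on an
    # open failure it prints the OpenSSL error stack instead.
    out=$(openssl storeutl -noout "$filter" "$uri" 2>&1) || :
    case $out in
        *"unregistered scheme"*) return 2 ;;
        *"Total found: 0"*)      return 1 ;;
        *"Total found: "*)       return 0 ;;
    esac
    return 3
}

# describe FILTER URI: human-readable line for each outcome.
describe() {
    rc=0
    store_probe "$1" "$2" || rc=$?
    case $rc in
        0) msg="loaded matching object(s)" ;;
        1) msg="store opened, nothing of that type in it" ;;
        2) msg="no store loader for this scheme" ;;
        *) msg="other failure" ;;
    esac
    printf '%-6s %s\n       -> %s\n' "$1" "$2" "$msg"
}

describe -keys  "file:$KEY"
describe -certs "file:$KEY"
describe -keys  "$PKCS11_URI"
```

The three probes map onto the three results a STORE-based loader in mod_ssl would have to separate: a hit, a miss inside a store that does exist, and a scheme that OSSL_STORE has no loader for at all. Only the last one is a candidate for trying the ENGINE path instead; the second is a genuine "key not found" and should stay fatal.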
