Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-04 Thread Ingo Franzki
On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
> 
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki  wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
>>>
>>>> The mod_ssl module has support for loading keys and certificates from 
>>>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>>>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>>>> (https://github.com/OpenSC/libp11).
>>>>
>>>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
>>>> provider concept is used.
>>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>>>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>>>> and newer distributions all have OpenSSL 3.x included.
>>>> Currently, engines do still work, but since they are deprecated, they will 
>>>> at some point in time no longer be working.
>>>>
>>>> With OpenSSL 3.x providers one can implement loading of keys and 
>>>> certificates by implementing a STORE method.
>>>> With this, keys and certificates can be loaded for example from PKCS#11 
>>>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>>>
>>>> Please find below some code changes required to support loading the server 
>>>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>>>> providers.
>>>
>>> Definite +1 in principle.
> 
> +1, thanks for the patch!
> 
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to 
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
> 
> Yes, please do this; it's easier to comment on the code and it also
> gets tested by the CI.
See https://github.com/apache/httpd/pull/397
> 
> 
> Regards;
> Yann.

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 
243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/



Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-04 Thread Yann Ylavic
Hi;

On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki  wrote:
>
> On 02.12.2023 11:20, Graham Leggett via dev wrote:
> > On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
> >
> >> The mod_ssl module has support for loading keys and certificates from 
> >> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
> >> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
> >> (https://github.com/OpenSC/libp11).
> >>
> >> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
> >> provider concept is used.
> >> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
> >> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
> >> and newer distributions all have OpenSSL 3.x included.
> >> Currently, engines do still work, but since they are deprecated, they will 
> >> at some point in time no longer be working.
> >>
> >> With OpenSSL 3.x providers one can implement loading of keys and 
> >> certificates by implementing a STORE method.
> >> With this, keys and certificates can be loaded for example from PKCS#11 
> >> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
> >>
> >> Please find below some code changes required to support loading the server 
> >> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
> >> providers.
> >
> > Definite +1 in principle.

+1, thanks for the patch!

>
> Please see the patch file attached.
> I also fixed two minor bugs that I found during testing.
>
> You can also look at the patch here:
> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>
> If you want, I can even submit a pull request to 
> https://github.com/apache/httpd.
> Let me know what you prefer.

Yes, please do this; it's easier to comment on the code and it also
gets tested by the CI.


Regards;
Yann.


Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-03 Thread Ingo Franzki
On 02.12.2023 11:20, Graham Leggett via dev wrote:
> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
> 
>> The mod_ssl module has support for loading keys and certificates from 
>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>> (https://github.com/OpenSC/libp11). 
>>
>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
>> provider concept is used.
>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
>> and newer distributions all have OpenSSL 3.x included.
>> Currently, engines do still work, but since they are deprecated, they will 
>> at some point in time no longer be working.
>>
>> With OpenSSL 3.x providers one can implement loading of keys and 
>> certificates by implementing a STORE method.
>> With this, keys and certificates can be loaded for example from PKCS#11 
>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>
>> Please find below some code changes required to support loading the server 
>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>> providers. 
> 
> Definite +1 in principle.
> 
>> Index: docs/manual/mod/mod_ssl.html.en.utf8
>> ===
>> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
>> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
>> @@ -666,7 +666,7 @@
> 
> Would it be possible to patch mod_ssl.xml instead of the html file? The html 
> is autogenerated.
Sure, see updated patch attached.
> 
>> Index: modules/ssl/ssl_engine_config.c
>> ===
>> --- modules/ssl/ssl_engine_config.c  (revision 1914150)
>> +++ modules/ssl/ssl_engine_config.c  (working copy)
>> @@ -689,6 +689,11 @@
>> if (strcEQ(arg, "builtin")) {
>> mc->szCryptoDevice = NULL;
>> }
>> +#if MODSSL_USE_OPENSSL_STORE
>> +else if (strcEQ(arg, "provider")) {
>> +mc->szCryptoDevice = arg;
>> +}
>> +#endif
>> #if MODSSL_HAVE_ENGINE_API
> 
> This patch isn’t applying for me, looks like the leading spaces have been 
> lost. Would it be possible to try attaching it as a file?
Please see the patch file attached.
I also fixed two minor bugs that I found during testing.

You can also look at the patch here:
https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931

If you want, I can even submit a pull request to 
https://github.com/apache/httpd.
Let me know what you prefer.

> 
> Regards,
> Graham
> —
> 

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

Index: docs/manual/mod/mod_ssl.xml
===
--- docs/manual/mod/mod_ssl.xml (revision 1914150)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -955,7 +955,7 @@
 stored in a token.  Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are
 recognized as certificate identifiers, and can be used in conjunction
-with the OpenSSL pkcs11 engine.  If pkcs11 engine or provider.  If SSLCertificateKeyFile is omitted, the
 certificate and private key can be loaded through the single
 identifier specified with https://tools.ietf.org/html/rfc7512;>PKCS#11 
URIs are recognized as private key
 identifiers, and can be used in conjunction with the OpenSSL
-pkcs11 engine.
+pkcs11 engine or provider.
 
 Example
 
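Review bot: the SSLCertificateFile/SSLCertificateKeyFile text now reads "pkcs11 engine or provider" but gives no hint that the provider path is only taken when SSLCryptoDevice is set to provider (the keyword this patch adds in ssl_engine_config.c); a cross reference to that directive here would stop readers from assuming a pkcs11: URI alone is enough.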
@@ -2442,6 +2442,14 @@
 SSLCryptoDevice ubsec
 
 
+
+
+With OpenSSL 3.0 or later, specify provider to load keys and
+certificates from a provider using https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+The provider to use must be defined and configured in the OpenSSL config file,
+and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html;>STORE 
method
+for https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+
 
 
 
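Review bot: "must be defined and configured in the OpenSSL config file" leaves open which file and when: naming the OPENSSL_CONF lookup (or the build's default openssl.cnf) and stating that the provider has to be activated there before httpd starts would make the paragraph actionable. It would also help to say explicitly that provider is a fixed keyword rather than a provider name, so whichever loaded provider registers a STORE loader for the pkcs11 scheme is the one used.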
Index: modules/ssl/ssl_engine_config.c
===
--- modules/ssl/ssl_engine_config.c (revision 1914150)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -689,6 +689,11 @@
 if (strcEQ(arg, "builtin")) {
 mc->szCryptoDevice = NULL;
 }
+#if MODSSL_USE_OPENSSL_STORE
+else if (strcEQ(arg, "provider")) {
+mc->szCryptoDevice = arg;
+}
+#endif
 #if MODSSL_HAVE_ENGINE_API
 else if ((e = ENGINE_by_id(arg))) {
 mc->szCryptoDevice = arg;
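Review bot: `mc->szCryptoDevice = arg;` in the new branch stores the literal keyword "provider" in the field that otherwise holds an ENGINE id, so every later consumer of szCryptoDevice must now test for the keyword before treating the value as an engine name, or a build with both MODSSL_USE_OPENSSL_STORE and MODSSL_HAVE_ENGINE_API will try to look up an engine called "provider" at init time. A boolean in the module config (or at least one shared #define for the string used here and at the consumer) would make the two modes explicit; the branch order also means an engine whose id is literally "provider" can no longer be selected, which is fine but deserves a comment.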
@@ -697,7 +702,11 @@
 #endif
 else {
 err = "SSLCryptoDevice: Invalid argument; must be one of: "
+#if 
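Review bot: the hunk is cut off in the archive after `+#if `, so the rest of the change to the "SSLCryptoDevice: Invalid argument; must be one of: " message cannot be reviewed here; whatever follows should append "provider" to that list under the same MODSSL_USE_OPENSSL_STORE guard as the parsing branch above, so the error text and the accepted values stay in step across build configurations.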

Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-02 Thread Graham Leggett via dev
On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:

> The mod_ssl module has support for loading keys and certificates from OpenSSL 
> engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, 
> e.g. using the PKCS#11 engine part of libp11 
> (https://github.com/OpenSC/libp11). 
> 
> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new 
> provider concept is used.
> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
> and newer distributions all have OpenSSL 3.x included.
> Currently, engines do still work, but since they are deprecated, they will at 
> some point in time no longer be working.
> 
> With OpenSSL 3.x providers one can implement loading of keys and 
> certificates by implementing a STORE method.
> With this, keys and certificates can be loaded for example from PKCS#11 
> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 
> 
> Please find below some code changes required to support loading the server 
> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
> providers. 

Definite +1 in principle.

> Index: docs/manual/mod/mod_ssl.html.en.utf8
> ===
> --- docs/manual/mod/mod_ssl.html.en.utf8  (revision 1914150)
> +++ docs/manual/mod/mod_ssl.html.en.utf8  (working copy)
> @@ -666,7 +666,7 @@

Would it be possible to patch mod_ssl.xml instead of the html file? The html is 
autogenerated.

> Index: modules/ssl/ssl_engine_config.c
> ===
> --- modules/ssl/ssl_engine_config.c   (revision 1914150)
> +++ modules/ssl/ssl_engine_config.c   (working copy)
> @@ -689,6 +689,11 @@
> if (strcEQ(arg, "builtin")) {
> mc->szCryptoDevice = NULL;
> }
> +#if MODSSL_USE_OPENSSL_STORE
> +else if (strcEQ(arg, "provider")) {
> +mc->szCryptoDevice = arg;
> +}
> +#endif
> #if MODSSL_HAVE_ENGINE_API

This patch isn’t applying for me, looks like the leading spaces have been lost. 
Would it be possible to try attaching it as a file?

Regards,
Graham
—
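As an added example (not part of the thread or of the httpd patch): a POSIX shell check that dry-runs a certificate/key identifier through OpenSSL's STORE loader, the API mod_ssl hands the URI to once SSLCryptoDevice is set to provider, so a misconfigured identifier shows up before httpd is restarted. It assumes an `openssl` binary in PATH; a pkcs11: URI would additionally need a provider with a STORE method activated in the OpenSSL config, so the offline demo uses file: URIs against constructed PEM files.

```shell
#!/bin/sh
# Added example, not from the httpd patch: dry-run an SSLCertificateFile /
# SSLCertificateKeyFile identifier through OpenSSL's STORE loader.  With
# "SSLCryptoDevice provider" mod_ssl hands the URI to OSSL_STORE, and
# `openssl storeutl` drives the same loader from the shell, so an identifier
# that yields the wrong object count here fails the same way in httpd.
# Assumes `openssl` in PATH; the demo uses file: URIs (default provider)
# because a pkcs11: URI also needs a STORE-capable provider configured.
set -eu

# Number of objects of one kind (keys|certs) that STORE yields for URI $1.
# storeutl ends its output with "Total found: N"; an unopenable URI gives 0.
store_count() {
    n=$(openssl storeutl -noout "-$2" "$1" 2>/dev/null \
            | sed -n 's/^Total found: *//p')
    echo "${n:-0}"
}

# An SSLCertificateKeyFile identifier must resolve to exactly one key; an
# SSLCertificateFile identifier to at least one cert (leaf plus chain).
# Returns 0 when $1 can serve as the single identifier that loads both,
# i.e. the case where SSLCertificateKeyFile is omitted.
check_identifier() {
    keys=$(store_count "$1" keys)
    certs=$(store_count "$1" certs)
    echo "$1: keys=$keys certs=$certs"
    if [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]; then return 0; fi
    return 1
}

# Constructed test material: throwaway P-256 key and self-signed cert in $1.
make_test_pem() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/server.key" 2>/dev/null
    openssl req -new -x509 -key "$1/server.key" -subj "/CN=example.test" \
        -days 1 -out "$1/server.crt" 2>/dev/null
    cat "$1/server.key" "$1/server.crt" > "$1/combined.pem"
}

demo() {
    d=$(mktemp -d)
    make_test_pem "$d"
    check_identifier "file:$d/combined.pem"        # usable: keys=1 certs=1
    check_identifier "file:$d/server.crt" \
        || echo "  -> certificate only; needs SSLCertificateKeyFile"
    rm -rf "$d"
}
demo
```

Point the same functions at a pkcs11: URI on a host whose OpenSSL config activates a STORE-capable provider and the counts tell you whether the URI is specific enough (exactly one key) before it goes into the vhost config.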