On February 7, 2020 4:59:39 AM CST, Joe Orton <jor...@redhat.com> wrote:
>On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
>> Hey there, Joe; No idea how I didn't detect this much sooner. I have
>> access to hardware security modules with PKCS11 interfaces for key
>> operations and would be happy to put this through its paces. The
>> 2.5 docs are fairly light (note, this 2.4 patch seems to be missing
>> docs) on how to test this out. Pointers appreciated if you have a
>> working recipe.
>
>That would be awesome. The stuff I'm not really sure about & could use
>better docs is:
>
>a) how to identify the right PKCS#11 URI for the key/cert objects, and
>b) how to set up the OpenSSL pkcs11 engine correctly so this works
>
>On recent Fedora/RHEL (b) works OOTB but I imagine this may take some
>effort on other systems or from-scratch builds.
>
>For testing locally I used a USB smartcard reader, setting up the card
>following https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
>
>If you can store a cert & private key on the token, mod_ssl will use
>both, but I think not all HSMs can store the cert, so you can load that
>from a PEM file if required and list the key only as a pkcs11: URI in
>SSLCertificateKeyFile.
>
>Beyond that it should "just work" if you configure per the mod_ssl docs,
>running "p11tool --list-tokens" listed the URI for the token, and I used:
>
>SSLCertificateFile
>"pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C954FFFF0200;token=Joe%20Orton%20%28OpenSC%20Card%29"
>
>Regards, Joe
Sweet - this is a good starting point. I'll also get in touch with the
manufacturer to see if there are any gotchas to worry about. For all I know, it
may be a non-starter with this particular gear. Hopefully more to come soon!
--
Daniel Ruggeri
>
>>
>> On 2019/08/28 12:15:02 jor...@apache.org wrote:
>> > Author: jorton
>> > Date: Wed Aug 28 12:15:01 2019
>> > New Revision: 1866035
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1866035&view=rev
>> > Log:
>> > Proposed mod_ssl PKCS#11 cert/key support.
>> >
>> > Modified:
>> > httpd/httpd/branches/2.4.x/STATUS
>> >
>> > Modified: httpd/httpd/branches/2.4.x/STATUS
>> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035&r1=1866034&r2=1866035&view=diff
>> >
>==============================================================================
>> > --- httpd/httpd/branches/2.4.x/STATUS (original)
>> > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019
>> > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>> > rpluem says: -1 for now. See further discussion at
>> >
>https://bz.apache.org/bugzilla/show_bug.cgi?id=63503
>> >
>> > + *) mod_ssl: Add support for loading certs & keys from PKCS#11
>URLs via the
>> > + OpenSSL pkcs11 engine. Includes related minor
>cleanups and
>> > + simplification to mod_ssl internals.
>> > + trunk patch: http://svn.apache.org/r1830819
>> > + http://svn.apache.org/r1830912
>> > + http://svn.apache.org/r1830913
>> > + http://svn.apache.org/r1830927
>> > + http://svn.apache.org/r1831168
>> > + http://svn.apache.org/r1831173
>> > + http://svn.apache.org/r1835240
>> > + http://svn.apache.org/r1835242
>> > + http://svn.apache.org/r1835615
>> > + 2.4.x patch:
>http://people.apache.org/~jorton/mod_ssl_pkcs11.patch
>> > + +1: jorton,
>> > +
>> > PATCHES/ISSUES THAT ARE BEING WORKED
>> > [ New entries should be added at the START of the list ]
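Review bot: the new STATUS entry lists nine trunk revisions and an out-of-tree 2.4.x patch (http://people.apache.org/~jorton/mod_ssl_pkcs11.patch) but no documentation revision, and the reply above reports that the 2.4 patch appears to be missing docs; a docs change describing the pkcs11: URI forms accepted by SSLCertificateFile and SSLCertificateKeyFile should be added to the entry before it collects further votes. The trailing comma in "+1: jorton," also reads as an unfinished vote list.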
>> >
>> >
>> >
>> >
>> --
>> Daniel Ruggeri
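Point (a) in Joe's quoted reply, identifying the right PKCS#11 URI for the key and cert objects, is easier with a small RFC 7512 URI parser/builder. The following is an added example (not httpd or OpenSC code) that decodes the token URI from the message above and derives a private-key object URI suitable for SSLCertificateKeyFile; the object label "Server Key" and the helper names are assumed for illustration.

```python
# RFC 7512 "pkcs11:" URI parser/builder (added example, not httpd/OpenSC code).
from urllib.parse import quote, unquote

# Attributes allowed in the path (before '?') and in the query (after '?').
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def parse_pkcs11_uri(uri):
    """Return (path, query) dicts with percent-decoded values.
    Raises ValueError on a malformed, duplicated or misplaced attribute."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path, query = {}, {}
    for part, allowed, sep, out in ((path_part, PATH_ATTRS, ";", path),
                                    (query_part, QUERY_ATTRS, "&", query)):
        for item in filter(None, part.split(sep)):
            name, eq, value = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError("bad attribute %r" % item)
            if name in out:
                raise ValueError("duplicate attribute %r" % name)
            out[name] = unquote(value)
    return path, query

def is_valid_pkcs11_uri(uri):
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False

def build_pkcs11_uri(path, query=None):
    """Percent-encode every value so ' ', '#', '(' etc. survive in the URI."""
    enc = lambda v: quote(v, safe="")
    uri = "pkcs11:" + ";".join("%s=%s" % (k, enc(v)) for k, v in path.items())
    if query:
        uri += "?" + "&".join("%s=%s" % (k, enc(v)) for k, v in query.items())
    return uri

def object_uri(token_uri, label, obj_type):
    """Narrow a token URI (from 'p11tool --list-tokens') to one object, e.g. the key."""
    path, query = parse_pkcs11_uri(token_uri)
    path.update({"object": label, "type": obj_type})
    return build_pkcs11_uri(path, query)

# Token URI from the email above, reused here as sample input.
SAMPLE = ("pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;"
          "serial=0001C954FFFF0200;token=Joe%20Orton%20%28OpenSC%20Card%29")
```

A PIN belongs in the `?pin-source=` query attribute pointing at a root-only file rather than `pin-value=` in a config that is readable to others; the parser rejects either of them if placed in the path part.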