On Tue, Dec 5, 2023 at 4:26 PM <[email protected]> wrote:
>
> Author: jorton
> Date: Tue Dec 5 15:26:22 2023
> New Revision: 1914365
>
> URL: http://svn.apache.org/viewvc?rev=1914365&view=rev
> Log:
> mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
> the STORE API. Separates compile-time support for the STORE API
> (supported in 3.x) from support for the ENGINE API (deprecated in
> 3.x).
>
> * modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
> OpenSSL 3.0+.
>
> * modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
> modssl_load_keypair_store): New functions.
> (modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
> (modssl_load_engine_keypair): Reimplement to use new STORE-based
> functions if SSLCryptoDevice was not configured, or else old
> ENGINE implementation.
>
> * modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
> also for the OpenSSL 3.x STORE API.
>
> * modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
> message on error paths for the provider/STORE case.
>
> Signed-off-by: Ingo Franzki <ifranzki linux.ibm.com>
> Submitted by: Ingo Franzki <ifranzki linux.ibm.com>
> Github: closes #397, closes #398
>
[]
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c?rev=1914365&r1=1914364&r2=1914365&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_pphrase.c Tue Dec 5 15:26:22
> 2023
[]
> +
> +apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
> + const char *vhostid,
> + const char *certid, const char
> *keyid,
> + X509 **pubkey, EVP_PKEY **privkey)
> +{
> +#if MODSSL_HAVE_OPENSSL_STORE
> + SSLModConfigRec *mc = myModConfig(s);
> +
> + if (!mc->szCryptoDevice)
> + return modssl_load_keypair_store(s, p, vhostid, certid, keyid,
> + pubkey, privkey);
> +#endif
> +#if MODSSL_HAVE_ENGINE_API
> + return modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
> + pubkey, privkey);
> #else
> return APR_ENOTIMPL;
> #endif
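Review bot: the `return modssl_load_keypair_store(...)` in the STORE branch is unconditional, so on an OpenSSL 3.x build that also defines MODSSL_HAVE_ENGINE_API a cert/key URI the STORE API cannot resolve never reaches modssl_load_keypair_engine() unless SSLCryptoDevice is set; a configuration that resolved a pkcs11: URI through an engine loaded from openssl.cnf, without SSLCryptoDevice, changes behaviour without any notice. Either keep the return value and fall through (`rv = modssl_load_keypair_store(...); if (rv != APR_SUCCESS) ...` before the ENGINE block) or, if the split on SSLCryptoDevice is intended, state it in the SSLCryptoDevice documentation and in the log message on the error path. Separately, when MODSSL_HAVE_OPENSSL_STORE is defined, MODSSL_HAVE_ENGINE_API is not, and szCryptoDevice is set, the function returns APR_ENOTIMPL with nothing telling the administrator that the configured device is what bypassed the STORE path.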
Hm, it seems that with openssl-3+ we can handle/support pkcs#11 URIs
only via the store API now.
modssl_load_keypair_store() will fail/die if it can't find the
cert/key in the STORE, but couldn't modssl_load_keypair_engine() find
them if the OpenSSL configuration (and underlying lib, e.g. libp11)
still uses the legacy engine API? The engine API is still available in
openssl-3 and might still be used IIUC.
So don't we need something like this:
    apr_status_t rv = APR_ENOTIMPL;
#if MODSSL_HAVE_OPENSSL_STORE
    SSLModConfigRec *mc = myModConfig(s);
    if (!mc->szCryptoDevice)
        rv = modssl_load_keypair_store(s, p, vhostid, certid, keyid,
                                       pubkey, privkey);
#endif
#if MODSSL_HAVE_ENGINE_API
    if (rv == APR_ENOTIMPL)
        rv = modssl_load_keypair_engine(s, p, vhostid, certid, keyid,
                                        pubkey, privkey);
#endif
    return rv;
and somehow make modssl_load_keypair_store() return APR_ENOTIMPL when
there is no store to get the cert/key from?
Regards,
Yann.