Re: svn commit: r1866035 - /httpd/httpd/branches/2.4.x/STATUS

2020-02-07 Thread Daniel Ruggeri



On February 7, 2020 4:59:39 AM CST, Joe Orton wrote:
>On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
>> Hey there, Joe; No idea how I didn't detect this much sooner. I have 
>> access to hardware security modules with PKCS11 interfaces for key 
>> operations and would be happy to put this through its paces. The 
>> 2.5 docs are fairly light (note, this 2.4 patch seems to be missing 
>> docs) on how to test this out. Pointers appreciated if you have a 
>> working recipe.
>
>That would be awesome.  The stuff I'm not really sure about & could use 
>better docs is:
>
>a) how to identify the right PKCS#11 URI for the key/cert objects, and
>b) how to set up the OpenSSL pkcs11 engine correctly so this works
>
>On recent Fedora/RHEL (b) works OOTB but I imagine this may take some 
>effort on other systems or from-scratch builds.
>
>For testing locally I used a USB smartcard reader, setting up the card 
>following https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
>
>If you can store a cert & private key on the token, mod_ssl will use 
>both, but I think not all HSMs can store the cert, so you can load that 
>from a PEM file if required and list the key only as a pkcs11: URI in 
>SSLCertificateKeyFile.
>
>Beyond that it should "just work" if you configure per the mod_ssl docs, 
>running "p11tool --list-tokens" listed the URI for the token, and I 
>used:
>
>SSLCertificateFile 
>"pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C9540200;token=Joe%20Orton%20%28OpenSC%20Card%29"
>
>Regards, Joe

Sweet - this is a good starting point. I'll also get in touch with the 
manufacturer to see if there are any gotchas to worry about. For all I know, it 
may be a non-starter with this particular gear. Hopefully more to come soon!

-- 
Daniel Ruggeri
>
>> 
>> On 2019/08/28 12:15:02 jor...@apache.org wrote:
>> > Author: jorton
>> > Date: Wed Aug 28 12:15:01 2019
>> > New Revision: 1866035
>> > 
>> > URL: http://svn.apache.org/viewvc?rev=1866035&view=rev
>> > Log:
>> > Proposed mod_ssl PKCS#11 cert/key support.
>> > 
>> > Modified:
>> > httpd/httpd/branches/2.4.x/STATUS
>> > 
>> > Modified: httpd/httpd/branches/2.4.x/STATUS
>> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035&r1=1866034&r2=1866035&view=diff
>> > ==
>> > --- httpd/httpd/branches/2.4.x/STATUS (original)
>> > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019
>> > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>> >rpluem says: -1 for now. See further discussion at
>> >
>https://bz.apache.org/bugzilla/show_bug.cgi?id=63503
>> >  
>> > +   *) mod_ssl: Add support for loading certs & keys from PKCS#11
>URLs via the
>> > +   OpenSSL pkcs11 engine.  Includes related minor
>cleanups and
>> > +   simplification to mod_ssl internals.
>> > +  trunk patch: http://svn.apache.org/r1830819
>> > +   http://svn.apache.org/r1830912
>> > +   http://svn.apache.org/r1830913
>> > +   http://svn.apache.org/r1830927
>> > +   http://svn.apache.org/r1831168
>> > +   http://svn.apache.org/r1831173
>> > +   http://svn.apache.org/r1835240
>> > +   http://svn.apache.org/r1835242
>> > +   http://svn.apache.org/r1835615
>> > +  2.4.x patch:
>http://people.apache.org/~jorton/mod_ssl_pkcs11.patch
>> > +  +1: jorton, 
>> > +
>> >  PATCHES/ISSUES THAT ARE BEING WORKED
>> >[ New entries should be added at the START of the list ]
>> >  
>> > 
>> > 
>> > 
>> -- 
>> Daniel Ruggeri


Re: svn commit: r1866035 - /httpd/httpd/branches/2.4.x/STATUS

2020-02-07 Thread Joe Orton
On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
> Hey there, Joe; No idea how I didn't detect this much sooner. I have 
>access to hardware security modules with PKCS11 interfaces for key 
>operations and would be happy to put this through its paces. The 
>2.5 docs are fairly light (note, this 2.4 patch seems to be missing 
>docs) on how to test this out. Pointers appreciated if you have a 
>working recipe.

That would be awesome.  The stuff I'm not really sure about & could use 
better docs is:

a) how to identify the right PKCS#11 URI for the key/cert objects, and
b) how to set up the OpenSSL pkcs11 engine correctly so this works

On recent Fedora/RHEL (b) works OOTB but I imagine this may take some 
effort on other systems or from-scratch builds.

For testing locally I used a USB smartcard reader, setting up the card 
following https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

If you can store a cert & private key on the token, mod_ssl will use 
both, but I think not all HSMs can store the cert, so you can load that 
from a PEM file if required and list the key only as a pkcs11: URI in 
SSLCertificateKeyFile.

Beyond that it should "just work" if you configure per the mod_ssl docs, 
running "p11tool --list-tokens" listed the URI for the token, and I 
used:

SSLCertificateFile 
"pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C9540200;token=Joe%20Orton%20%28OpenSC%20Card%29"

Regards, Joe

> 
> On 2019/08/28 12:15:02 jor...@apache.org wrote:
> > Author: jorton
> > Date: Wed Aug 28 12:15:01 2019
> > New Revision: 1866035
> > 
> > URL: http://svn.apache.org/viewvc?rev=1866035&view=rev
> > Log:
> > Proposed mod_ssl PKCS#11 cert/key support.
> > 
> > Modified:
> > httpd/httpd/branches/2.4.x/STATUS
> > 
> > Modified: httpd/httpd/branches/2.4.x/STATUS
> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035&r1=1866034&r2=1866035&view=diff
> > ==
> > --- httpd/httpd/branches/2.4.x/STATUS (original)
> > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019
> > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
> >rpluem says: -1 for now. See further discussion at
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=63503
> >  
> > +   *) mod_ssl: Add support for loading certs & keys from PKCS#11 URLs via 
> > the
> > +   OpenSSL pkcs11 engine.  Includes related minor cleanups and
> > +   simplification to mod_ssl internals.
> > +  trunk patch: http://svn.apache.org/r1830819
> > +   http://svn.apache.org/r1830912
> > +   http://svn.apache.org/r1830913
> > +   http://svn.apache.org/r1830927
> > +   http://svn.apache.org/r1831168
> > +   http://svn.apache.org/r1831173
> > +   http://svn.apache.org/r1835240
> > +   http://svn.apache.org/r1835242
> > +   http://svn.apache.org/r1835615
> > +  2.4.x patch: http://people.apache.org/~jorton/mod_ssl_pkcs11.patch
> > +  +1: jorton, 
> > +
> >  PATCHES/ISSUES THAT ARE BEING WORKED
> >[ New entries should be added at the START of the list ]
> >  
> > 
> > 
> > 
> -- 
> Daniel Ruggeri
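Joe's recipe turns on two things: picking the right pkcs11: URI and getting its percent-encoding exactly right (the %23, %20 and %28 in his SSLCertificateFile value are the RFC 7512 encodings of "PKCS#15", a space and "("). The following is an added example, not code from httpd, OpenSC, libp11 or this thread. It pulls the URL lines out of "p11tool --list-tokens" output (the sample output is constructed for the example; only the token attribute values are the ones from Joe's message), round-trips a URI through RFC 7512 decoding and re-encoding, narrows a token URI to one object with the RFC's object= and type= attributes, and emits the two mod_ssl directives for the key-on-token / cert-in-PEM split Joe describes for HSMs that cannot hold the certificate. The object label "httpd" and the PEM path are assumptions, and so is the need for object=/type= at all: Joe's own config used the bare token URI, so whether mod_ssl and the engine require the extra attributes on a token holding several keys is something to check against the patch.

```python
"""RFC 7512 pkcs11: URI helpers for mod_ssl's SSLCertificateFile/SSLCertificateKeyFile.

Added example, not httpd, OpenSC or libp11 code.  The p11tool output below is a
constructed sample; only the token attribute values come from Joe's message.
"""
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# RFC 7512 attributes in the order this code emits them; vendor attributes
# (also legal in the RFC) are appended after these, sorted by name.
PATH_ATTRS = ("model", "manufacturer", "serial", "token", "object", "type", "id")
QUERY_ATTRS = ("pin-source", "pin-value", "module-name", "module-path")

# The token URI exactly as Joe posted it.
JOE_TOKEN_URI = ("pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;"
                 "serial=0001C9540200;token=Joe%20Orton%20%28OpenSC%20Card%29")

# Constructed sample of `p11tool --list-tokens` output (field layout assumed).
SAMPLE_LIST_TOKENS = f"""\
Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
Token 1:
    URL: {JOE_TOKEN_URI}
    Label: Joe Orton (OpenSC Card)
    Type: Hardware token
"""

def pct(value):
    """Percent-encode one value.  RFC 7512 leaves a few reserved characters bare,
    but encoding all but unreserved characters is always valid and reproduces
    what p11tool printed (PKCS#15 -> PKCS%2315, '(' -> %28)."""
    if isinstance(value, bytes):            # `id` is the raw CKA_ID bytes
        return "".join("%%%02X" % b for b in value)
    return quote(value, safe="")

def build_uri(path, query=None):
    """Assemble a URI from decoded values in canonical attribute order, so two
    URIs that name the same object compare equal as strings."""
    def ordered(attrs, known):
        return [n for n in known if n in attrs] + sorted(set(attrs) - set(known))
    uri = "pkcs11:" + ";".join("%s=%s" % (n, pct(path[n]))
                                for n in ordered(path, PATH_ATTRS))
    if query:
        uri += "?" + "&".join("%s=%s" % (n, pct(query[n]))
                              for n in ordered(query, QUERY_ATTRS))
    return uri

def parse_uri(uri):
    """Split a pkcs11: URI into (path_attrs, query_attrs) with values decoded,
    `id` as bytes.  A repeated attribute, which RFC 7512 does not allow, is
    rejected instead of silently letting the last occurrence win."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    body, _, qs = uri[len("pkcs11:"):].partition("?")
    path, query = {}, {}
    for part, sep, sink in ((body, ";", path), (qs, "&", query)):
        for item in filter(None, part.split(sep)):
            name, eq, raw = item.partition("=")
            if not name or not eq:
                raise ValueError("malformed attribute: %r" % item)
            if name in sink:
                raise ValueError("duplicate attribute: %s" % name)
            sink[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return path, query

def is_valid_uri(uri):
    """True if parse_uri() accepts the URI."""
    try:
        parse_uri(uri)
        return True
    except ValueError:
        return False

def token_uris(p11tool_output):
    """The URL: lines from `p11tool --list-tokens` output."""
    return re.findall(r"^\s*URL:\s*(pkcs11:\S+)", p11tool_output, re.M)

def find_token(p11tool_output, label):
    """URI of the token whose decoded label matches the given one."""
    for uri in token_uris(p11tool_output):
        if parse_uri(uri)[0].get("token") == label:
            return uri
    raise LookupError("no token labelled %r" % label)

def object_uri(token_uri, label, obj_type):
    """Narrow a token URI to one object (type: cert, private, public, secret-key
    or data), keeping the token attributes so it still picks a single token."""
    path, query = parse_uri(token_uri)
    path.update({"object": label, "type": obj_type})
    return build_uri(path, query)

def mod_ssl_directives(token_uri, label, cert_pem=None):
    """Directives for a key on the token; cert_pem=None also reads the cert from
    the token (assumed to carry the key's label), else from the PEM file, the
    layout Joe suggests for HSMs that cannot store the certificate."""
    key = object_uri(token_uri, label, "private")
    cert = cert_pem or object_uri(token_uri, label, "cert")
    return ['SSLCertificateFile "%s"' % cert, 'SSLCertificateKeyFile "%s"' % key]
```

find_token() matches on the decoded label, which is the value a human reads off the card, so the percent-encoding never has to be typed by hand. One caveat worth keeping in mind when writing the docs Daniel asks for: RFC 7512 also defines a pin-value query attribute, and anything placed there lands verbatim in httpd.conf (and in any log line or error message that echoes the directive), so a pin-source pointing at a root-only file is the better choice where the engine honours it.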



RE: svn commit: r1866035 - /httpd/httpd/branches/2.4.x/STATUS

2020-02-06 Thread Daniel Ruggeri
Hey there, Joe;
   No idea how I didn't detect this much sooner. I have access to hardware 
security modules with PKCS11 interfaces for key operations and would be happy 
to put this through its paces. The 2.5 docs are fairly light (note, this 2.4 
patch seems to be missing docs) on how to test this out. Pointers appreciated 
if you have a working recipe.

On 2019/08/28 12:15:02 jor...@apache.org wrote:
> Author: jorton
> Date: Wed Aug 28 12:15:01 2019
> New Revision: 1866035
> 
> URL: http://svn.apache.org/viewvc?rev=1866035&view=rev
> Log:
> Proposed mod_ssl PKCS#11 cert/key support.
> 
> Modified:
> httpd/httpd/branches/2.4.x/STATUS
> 
> Modified: httpd/httpd/branches/2.4.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035&r1=1866034&r2=1866035&view=diff
> ==
> --- httpd/httpd/branches/2.4.x/STATUS (original)
> +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019
> @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>rpluem says: -1 for now. See further discussion at
> https://bz.apache.org/bugzilla/show_bug.cgi?id=63503
>  
> +   *) mod_ssl: Add support for loading certs & keys from PKCS#11 URLs via the
> +   OpenSSL pkcs11 engine.  Includes related minor cleanups and
> +   simplification to mod_ssl internals.
> +  trunk patch: http://svn.apache.org/r1830819
> +   http://svn.apache.org/r1830912
> +   http://svn.apache.org/r1830913
> +   http://svn.apache.org/r1830927
> +   http://svn.apache.org/r1831168
> +   http://svn.apache.org/r1831173
> +   http://svn.apache.org/r1835240
> +   http://svn.apache.org/r1835242
> +   http://svn.apache.org/r1835615
> +  2.4.x patch: http://people.apache.org/~jorton/mod_ssl_pkcs11.patch
> +  +1: jorton, 
> +
>  PATCHES/ISSUES THAT ARE BEING WORKED
>[ New entries should be added at the START of the list ]
>  
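Review bot: the proposed entry lists nine trunk revisions and one combined 2.4.x patch but says nothing about documentation, and Daniel's message in this thread observes that the 2.4 patch appears to carry no docs for the new pkcs11: form of SSLCertificateFile / SSLCertificateKeyFile; please add the doc change (or a line saying where it lives) to the entry before it collects further +1s. It would also help reviewers if the entry said which of the nine revisions are the "minor cleanups and simplification to mod_ssl internals" and which carry the behavioural change, so the engine-loading code can be reviewed apart from the refactoring, and if the 2.4.x patch were pinned to a revision or bug number rather than only a file under http://people.apache.org/~jorton/, which can be replaced without the STATUS entry changing.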
> 
> 
> 
-- 
Daniel Ruggeri