Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Thu, Mar 21, 2024 at 10:58:17AM +0100, William Lallemand wrote:
> On Thu, Mar 21, 2024 at 05:34:12PM +0800, Richard Chan wrote:
> > Yes I would be happy to include HAProxy with pkcs11-provider examples.
> >
>
> Great, thank you!
>
> I made a `PKCS11 provider`
> https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#pkcs11-provider
> that you could edit once we give you the rights.
>
> Willy: Could you give the right to edit this page to the `space88man`
> github user? Thanks!

Sure! It should be OK now, an invite was sent.

Willy
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Thu, Mar 21, 2024 at 05:34:12PM +0800, Richard Chan wrote:
> Yes I would be happy to include HAProxy with pkcs11-provider examples.
>

Great, thank you!

I made a `PKCS11 provider`
https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#pkcs11-provider
that you could edit once we give you the rights.

Willy: Could you give the right to edit this page to the `space88man`
github user? Thanks!

--
William Lallemand
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
Yes I would be happy to include HAProxy with pkcs11-provider examples.

On Thu, 21 Mar 2024, 16:43 William Lallemand, wrote:
> On Thu, Mar 21, 2024 at 10:39:58AM +0800, Richard Chan wrote:
> > Subject: Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> > On Thu, 21 Mar 2024, 00:15 William Lallemand, wrote
> > >
> > > We made tests in the past with the TPM2 provider which also uses a URI in
> > > the privatekey:
> > >
> > > https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider
> >
> > Further testing shows that this PR is not needed. Sorry for the noise.
> >
> > There is a glitch in pkcs11-provider that requires the private key to be
> > the first PEM object. Apart from this HAProxy loads the private key with
> > no issues.
> >
>
> Okay that's good to read :-)
>
> Would you be interested in contributing to the OpenSSL providers wiki
> page? We could have a pkcs11 section like the one we already have for
> the TPM2 provider.
>
> Regards,
>
> --
> William Lallemand
>
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Thu, Mar 21, 2024 at 10:39:58AM +0800, Richard Chan wrote:
> Subject: Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> On Thu, 21 Mar 2024, 00:15 William Lallemand, wrote
> >
> > We made tests in the past with the TPM2 provider which also uses a URI in
> > the privatekey:
> >
> > https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider
>
> Further testing shows that this PR is not needed. Sorry for the noise.
>
> There is a glitch in pkcs11-provider that requires the private key to be
> the first PEM object. Apart from this HAProxy loads the private key with
> no issues.
>

Okay that's good to read :-)

Would you be interested in contributing to the OpenSSL providers wiki
page? We could have a pkcs11 section like the one we already have for
the TPM2 provider.

Regards,

--
William Lallemand
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Thu, 21 Mar 2024, 00:15 William Lallemand, wrote
>
> We made tests in the past with the TPM2 provider which also uses a URI in
> the privatekey:
>
> https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider

Further testing shows that this PR is not needed. Sorry for the noise.

There is a glitch in pkcs11-provider that requires the private key to be
the first PEM object. Apart from this HAProxy loads the private key with
no issues.
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
Interesting about the TPM2 stuff - it has implemented a store loader for the
"TSS2 PRIVATE KEY" stanza. Since PEM is new to pkcs11-provider it may not have
implemented a store loader yet (i.e. not PEM_bio_read_PrivateKey ready), hence
this PR uses store directly. I will check with pkcs11-provider whether they can
implement a store loader.

Re current MWORKER problem (before any solution in 3.1!)

- [RFC] Delayed private key loading
- check if we are in MWORKER mode, then skip EVP_PKEY loading in master for
  all PKCS#11 keys. Hmmm - how to identify such keys? Maybe the .crt file has
  a first line "key-type = PKCS#11"
- in child process: create a map based on the SSL_CTX * pointer and
  just-in-time load the private key when needed at SSL_set_SSL_CTX; does the
  child process have access to bind_conf/ssl_bind_conf so it can find the crt
  file name? Otherwise, cache the SSL_CTX* -> crt (or key) filename in master
  before fork()

WDYT?

Thanks
S-P

On Thu, 21 Mar 2024 at 00:15, William Lallemand wrote:
> On Wed, Mar 20, 2024 at 06:23:03AM +, PR Bot wrote:
> > Subject: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> > Dear list!
> >
> > Author: S-P Chan
> > Number of patches: 1
> >
> > This is an automated relay of the Github pull request:
> >    FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> >
> > Patch title(s):
> >    FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> >
> > Link:
> >    https://github.com/haproxy/haproxy/pull/2493
> >
> > Edit locally:
> >    wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch
> >
> > Apply locally:
> >    curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -
> >
> > Description:
> >    With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a
> >    specially formatted PEM stanza can be used to reference a PKCS#11
> >    URI to locate the private key.
> >
> >    This PEM stanza can be used inside the crt file so that there is no
> >    change to the HAProxy config language.
> >
> >    This works with OpenSSL 3 and pkcs11-provider after
> >    https://github.com/latchset/pkcs11-provider/commit/0806c3665 which
> >    added support for PKCS#11 URI-in-PEM.
> >
> >    TODO: This PR works without forking (i.e., not in master-worker mode)
> >    as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
> >    master-worker mode, we need to defer key loading to the child process.
> >
> >    Format of PEM stanza:
> >    ```
> >    -----BEGIN PKCS#11 PROVIDER URI-----
> >    MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
> >    UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
> >    MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
> >    JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
> >    JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
> >    -----END PKCS#11 PROVIDER URI-----
> >    ```
> >
> >    Parsed ASN.1:
> >    ```
> >        0:d=0  hl=3 l= 214 cons: SEQUENCE
> >        3:d=1  hl=2 l=  25 prim: VISIBLESTRING     :PKCS#11 Provider URI v1.0
> >       30:d=1  hl=3 l= 184 prim: UTF8STRING        :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
> >    ```
> >
> > Instructions:
> >    This github pull request will be closed automatically; patch should be
> >    reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
> >    invited to comment, even the patch's author. Please keep the author and
> >    list CCed in replies. Please note that in absence of any response this
> >    pull request will be lost.
>
> Hello,
>
> Thank you for your contribution, I'm surprised this is not already
> working with the current code.
>
> We made tests in the past with the TPM2 provider which also uses a URI in
> the privatekey:
>
> https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider
>
> Do you have any specific configuration for HAProxy?
>
> Regards,
>
> --
> William Lallemand
>
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Wed, Mar 20, 2024 at 05:15:47PM +0100, William Lallemand wrote:
> >    TODO: This PR works without forking (i.e., not in master-worker mode)
> >    as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
> >    master-worker mode, we need to defer key loading to the child process.
>

Also, regarding this part, I must look at what the exact problem is with
the pkcs11. But we have in mind a rearchitecture of the master-worker
which could simplify this kind of problem. But that won't be before
HAProxy 3.1 unfortunately :-)

--
William Lallemand
Re: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
On Wed, Mar 20, 2024 at 06:23:03AM +, PR Bot wrote:
> Subject: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> Dear list!
>
> Author: S-P Chan
> Number of patches: 1
>
> This is an automated relay of the Github pull request:
>    FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
>
> Patch title(s):
>    FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
>
> Link:
>    https://github.com/haproxy/haproxy/pull/2493
>
> Edit locally:
>    wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch
>
> Apply locally:
>    curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -
>
> Description:
>    With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a
>    specially formatted PEM stanza can be used to reference a PKCS#11
>    URI to locate the private key.
>
>    This PEM stanza can be used inside the crt file so that there is no
>    change to the HAProxy config language.
>
>    This works with OpenSSL 3 and pkcs11-provider after
>    https://github.com/latchset/pkcs11-provider/commit/0806c3665 which
>    added support for PKCS#11 URI-in-PEM.
>
>    TODO: This PR works without forking (i.e., not in master-worker mode)
>    as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
>    master-worker mode, we need to defer key loading to the child process.
>
>    Format of PEM stanza:
>    ```
>    -----BEGIN PKCS#11 PROVIDER URI-----
>    MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
>    UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
>    MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
>    JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
>    JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
>    -----END PKCS#11 PROVIDER URI-----
>    ```
>
>    Parsed ASN.1:
>    ```
>        0:d=0  hl=3 l= 214 cons: SEQUENCE
>        3:d=1  hl=2 l=  25 prim: VISIBLESTRING     :PKCS#11 Provider URI v1.0
>       30:d=1  hl=3 l= 184 prim: UTF8STRING        :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
>    ```
>
> Instructions:
>    This github pull request will be closed automatically; patch should be
>    reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
>    invited to comment, even the patch's author. Please keep the author and
>    list CCed in replies. Please note that in absence of any response this
>    pull request will be lost.
>

Hello,

Thank you for your contribution, I'm surprised this is not already
working with the current code.

We made tests in the past with the TPM2 provider which also uses a URI in
the privatekey:

https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider

Do you have any specific configuration for HAProxy?

Regards,

--
William Lallemand
[PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
Dear list!

Author: S-P Chan
Number of patches: 1

This is an automated relay of the Github pull request:
   FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files

Patch title(s):
   FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files

Link:
   https://github.com/haproxy/haproxy/pull/2493

Edit locally:
   wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch

Apply locally:
   curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -

Description:
   With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a
   specially formatted PEM stanza can be used to reference a PKCS#11
   URI to locate the private key.

   This PEM stanza can be used inside the crt file so that there is no
   change to the HAProxy config language.

   This works with OpenSSL 3 and pkcs11-provider after
   https://github.com/latchset/pkcs11-provider/commit/0806c3665 which
   added support for PKCS#11 URI-in-PEM.

   TODO: This PR works without forking (i.e., not in master-worker mode)
   as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
   master-worker mode, we need to defer key loading to the child process.

   Format of PEM stanza:
   ```
   -----BEGIN PKCS#11 PROVIDER URI-----
   MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
   UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
   MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
   JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
   JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
   -----END PKCS#11 PROVIDER URI-----
   ```

   Parsed ASN.1:
   ```
       0:d=0  hl=3 l= 214 cons: SEQUENCE
       3:d=1  hl=2 l=  25 prim: VISIBLESTRING     :PKCS#11 Provider URI v1.0
      30:d=1  hl=3 l= 184 prim: UTF8STRING        :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
   ```

Instructions:
   This github pull request will be closed automatically; patch should be
   reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
   invited to comment, even the patch's author. Please keep the author and
   list CCed in replies. Please note that in absence of any response this
   pull request will be lost.
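The stanza format the PR describes (a DER SEQUENCE holding a VisibleString version marker and a UTF8String pkcs11: URI, wrapped as a PEM block) as an added Python example; this is not code from the PR, from HAProxy or from pkcs11-provider. It builds a stanza from a URI, parses one back while checking the shape, and reports which PEM object comes first in a crt file, since the thread notes that pkcs11-provider only finds the key when it is the first object. The tag values are standard DER; the sample URI and file contents used with it are constructed.

```python
import base64
import re

PEM_LABEL = "PKCS#11 PROVIDER URI"
VERSION = b"PKCS#11 Provider URI v1.0"   # VisibleString seen in the PR's ASN.1 dump
TAG_SEQ, TAG_VISIBLE, TAG_UTF8 = 0x30, 0x1A, 0x0C
_STANZA = re.compile(rf"-----BEGIN {re.escape(PEM_LABEL)}-----(.*?)-----END {re.escape(PEM_LABEL)}-----", re.S)

def _der_len(n):
    # DER length: short form below 128, else 0x80|count followed by big-endian length bytes
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def _read_tlv(buf, pos):
    # Returns (tag, value, position after the element); accepts long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def encode_stanza(uri):
    """Wrap a pkcs11: URI in the SEQUENCE{VisibleString, UTF8String} PEM stanza."""
    der = _tlv(TAG_SEQ, _tlv(TAG_VISIBLE, VERSION) + _tlv(TAG_UTF8, uri.encode("utf-8")))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {PEM_LABEL}-----", *lines, f"-----END {PEM_LABEL}-----"]) + "\n"

def decode_stanza(pem):
    """Parse a stanza back to its URI, rejecting anything outside the v1.0 shape."""
    m = _STANZA.search(pem)
    if not m:
        raise ValueError("no PKCS#11 PROVIDER URI stanza found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag1, ver, pos = _read_tlv(seq, 0)
    tag2, uri, end = _read_tlv(seq, pos)
    uri = uri.decode("utf-8")
    if (tag1, ver, tag2, end) != (TAG_VISIBLE, VERSION, TAG_UTF8, len(seq)) or not uri.startswith("pkcs11:"):
        raise ValueError("expected SEQUENCE { VisibleString v1.0, UTF8String pkcs11-URI }")
    return uri

def first_pem_label(crt_text):
    """Label of the first PEM object in a crt file; the thread notes the key must come first."""
    m = re.search(r"-----BEGIN ([^-]+)-----", crt_text)
    return m.group(1) if m else None
```

Feeding the stanza from the PR description to `decode_stanza` yields the URI shown in its ASN.1 dump, and `first_pem_label` on a crt file tells you whether the stanza precedes the certificate as pkcs11-provider currently requires.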