Re: [PATCH] Support loading server certificate from HW token

2020-05-12 Thread Maxim Dounin
Hello!

On Fri, May 08, 2020 at 07:53:18PM +, Пичулин Дмитрий Николаевич wrote:

> I dipped into the problem and came to the conclusion that this 
> proposal cannot be used as a general one.
> 
> First, although the ctrl number could be passed in the directive 
> itself, for example "engine:pkcs11:205:slot_0-id_00", where 205 
> corresponds to CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 + 
> 5), the argument "params" is too specific for this command; in 
> fact, it is a binding to a specific, non-extensible interface of 
> a particular ENGINE command.
> 
> Secondly, this is actually a binding to a bad interface, one that 
> is not able to return the certificate chain: CMD_LOAD_CERT_CTRL 
> returns only the leaf certificate.
> 
> Therefore, I do not see how this can be used outside of the pkcs11 
> ENGINE, and I do not see how this can be used in production 
> without a certificate chain.

Thanks for the review, appreciated.

A possible use case might be to use it for proxy_ssl_certificate, 
but I agree that this looks very limited and at most optional.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: [PATCH] Support loading server certificate from HW token

2020-05-08 Thread Пичулин Дмитрий Николаевич
I dipped into the problem and came to the conclusion that this proposal cannot 
be used as a general one.

First, although the ctrl number could be passed in the directive itself, for 
example "engine:pkcs11:205:slot_0-id_00", where 205 corresponds to 
CMD_LOAD_CERT_CTRL (ENGINE_CMD_BASE + 5 = 200 + 5), the argument "params" is 
too specific for this command; in fact, it is a binding to a specific, 
non-extensible interface of a particular ENGINE command.

Secondly, this is actually a binding to a bad interface, one that is not able 
to return the certificate chain: CMD_LOAD_CERT_CTRL returns only the leaf 
certificate.

Therefore, I do not see how this can be used outside of the pkcs11 ENGINE, and 
I do not see how this can be used in production without a certificate chain.
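An added example (my own, not code from the patch, from nginx or from libp11) that validates a directive value written in the "engine:<name>:<id>" form this message discusses. It splits at the first ':' the way the patch's ngx_event_openssl.c code does, so a PKCS#11 URI used as the id keeps its own colons, and it also recognises the "engine:<name>:<ctrl>:<id>" variant with a numeric ctrl number described above. The sample spec strings are constructed; the error texts are assumptions except "invalid syntax", which is the patch's own.

```shell
#!/bin/sh
# Added example, not nginx code: parse an nginx-style "engine:<name>:<id>"
# certificate/key spec. The engine name is everything up to the FIRST ':'
# and the id is the remainder, exactly as the patch splits cert->data, so
# an id such as "pkcs11:token=t;object=o;type=private" survives intact.
# Optionally accepts the "engine:<name>:<ctrl>:<id>" variant proposed in
# the thread, where <ctrl> is a numeric ENGINE ctrl command (205 = 200 + 5).

# engine_spec_parse SPEC
#   prints "name<TAB>ctrl<TAB>id" (ctrl empty when absent) and returns 0,
#   or prints an error on stderr and returns 1.
engine_spec_parse() {
    spec=$1

    case $spec in
        engine:*) ;;
        *) echo 'not an "engine:" spec' >&2; return 1 ;;
    esac

    rest=${spec#engine:}

    # The patch's own check: there must be a ':' after the engine name.
    case $rest in
        *:*) ;;
        *) echo 'invalid syntax' >&2; return 1 ;;
    esac

    name=${rest%%:*}     # up to the first ':'
    id=${rest#*:}        # everything after it, colons included

    [ -n "$name" ] || { echo 'empty engine name' >&2; return 1; }

    # Numeric-ctrl variant. A purely numeric first component followed by ':'
    # is taken as the ctrl number; anything else stays part of the id. This
    # is the ambiguity the thread objects to: an id that happens to start
    # with digits and a colon cannot be told apart from a ctrl number.
    ctrl=''
    case $id in
        [0-9]*:*)
            head=${id%%:*}
            case $head in
                *[!0-9]*) ;;                     # not numeric: leave the id alone
                *) ctrl=$head; id=${id#*:} ;;
            esac
            ;;
    esac

    [ -n "$id" ] || { echo 'empty object id' >&2; return 1; }

    printf '%s\t%s\t%s\n' "$name" "$ctrl" "$id"
}

# Usage:
#   engine_spec_parse 'engine:pkcs11:pkcs11:token=nginx;object=server;type=private'
#   engine_spec_parse 'engine:pkcs11:205:slot_0-id_00'
```

Run it over the value you intend to put into ssl_certificate_key before reloading nginx; a non-zero exit means nginx's parser would reject it (no second ':') or the spec is not in engine form at all.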


Re: [PATCH] Support loading server certificate from HW token

2020-05-04 Thread Lubos Uhliarik
Hi Николаевич,

you are right, this is not defined in openssl, it is engine-specific
functionality as you wrote. p11-kit engine supports this command
(https://github.com/OpenSC/libp11). I'm not aware of any other method
to load it.

As you stated, it is not a must, but since nginx is already able to load a
private key from an engine, it would be nice to have the opportunity to load
the public key (certificate) as well. In case the engine doesn't support that
command, CMD_LOAD_CERT_CTRL, we can just return an error.

It would be good to check if the engine supports that command in the
following way:

    const char *cmd_name = "LOAD_CERT_CTRL";

    if (!ENGINE_ctrl(conn->engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
                     0, (void *) cmd_name, NULL))
    {
        /* engine does not implement LOAD_CERT_CTRL: report an error */
    }

I can alter the patch if it is the only problem you can see here.

Best,   

- Original Message -
> From: "Пичулин Дмитрий Николаевич" 
> To: nginx-devel@nginx.org
> Sent: Saturday, May 2, 2020 9:53:58 PM
> Subject: Re: [PATCH] Support loading server certificate from HW token
> 
> I support the base idea to load certificates from engines, but
> CMD_LOAD_CERT_CTRL ('LOAD_CERT_CTRL') seems not to be defined in openssl; it
> is engine-specific functionality. Is that the only way?
> 
> And secondly, I cannot imagine that you cannot get a certificate from your
> hardware prior to running nginx, because the certificate information is
> always open. So this new functionality is not a must, but a useful one.

-- 
Lubos Uhliarik
Software Engineer - EMEA ENG Developer Experience
RH - Brno - TPB-C - 1D221
IRC: zero_byte at irc.freenode.net

RED HAT | TRIED. TESTED. TRUSTED.
Every airline in the Fortune 500 relies on Red Hat.
Find out why at http://www.redhat.com/en/about/trusted

Red Hat Inc. http://cz.redhat.com


Re: [PATCH] Support loading server certificate from HW token

2020-05-02 Thread Пичулин Дмитрий Николаевич
I support the base idea to load certificates from engines, but 
CMD_LOAD_CERT_CTRL ('LOAD_CERT_CTRL') seems not to be defined in openssl; it is 
engine-specific functionality. Is that the only way?

And secondly, I cannot imagine that you cannot get a certificate from your 
hardware prior to running nginx, because the certificate information is always 
open. So this new functionality is not a must, but a useful one.
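The approach this message suggests, exporting the certificate from the token before nginx starts while the private key never leaves the hardware, as an added shell example (mine, not from the thread, nginx or OpenSC). It assumes OpenSC's pkcs11-tool and openssl are installed and that the pkcs11 engine is configured for nginx; the module path, token label, object label and output directory are placeholder defaults, and the intermediate certificate file is assumed to have come from the CA. It also shows the RFC 7512 percent-encoding a label needs before it can go into the PKCS#11 URI that nginx passes to the engine as the key id.

```shell
#!/bin/sh
# Added example, not part of the thread or of nginx: export the server
# certificate from a PKCS#11 token to PEM, build the full chain on disk,
# and print the nginx directives that keep only the private key on the token.
set -eu

# Placeholder defaults (assumptions): override through the environment.
MODULE=${PKCS11_MODULE:-/usr/lib/softhsm/libsofthsm2.so}
TOKEN=${PKCS11_TOKEN:-nginx}
LABEL=${PKCS11_LABEL:-server}
OUT=${OUT_DIR:-/etc/nginx/tls}

# RFC 7512 percent-encoding for one PKCS#11 URI attribute value: unreserved
# characters (ALPHA / DIGIT / "-" / "." / "_" / "~") pass through, everything
# else becomes %XX. Labels are assumed to be ASCII.
pkcs11_uri_escape() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # rest of the string
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out=$(printf '%s%%%02X' "$out" "'$c") ;;   # 'c => char code
        esac
    done
    printf '%s' "$out"
}

# URI for the private key object; nginx hands it to the engine through
#   ssl_certificate_key "engine:pkcs11:<uri>";
pkcs11_key_uri() {
    printf 'pkcs11:token=%s;object=%s;type=private' \
        "$(pkcs11_uri_escape "$1")" "$(pkcs11_uri_escape "$2")"
}

# Certificates are public objects: read the DER blob off the token and
# convert it to PEM. No PIN is needed for this.
export_token_cert() {
    pkcs11-tool --module "$MODULE" --token-label "$TOKEN" \
        --read-object --type cert --label "$LABEL" \
    | openssl x509 -inform DER -out "$OUT/server.pem"
}

if [ "${1:-}" = export ]; then
    mkdir -p "$OUT"
    export_token_cert

    # The token only holds the leaf; the chain has to be assembled here,
    # leaf first, from the intermediate(s) the CA supplied.
    cat "$OUT/server.pem" "$OUT/intermediate.pem" > "$OUT/fullchain.pem"

    # Sanity check before the file goes anywhere near a listener.
    openssl verify -untrusted "$OUT/intermediate.pem" "$OUT/server.pem"

    cat <<EOF
# key stays on the token, certificate and chain come from the PEM file
ssl_certificate     $OUT/fullchain.pem;
ssl_certificate_key "engine:pkcs11:$(pkcs11_key_uri "$TOKEN" "$LABEL")";
EOF
fi
```

Run it with export as the first argument. nginx still needs ssl_engine pkcs11; in its main context and an openssl.cnf that loads the pkcs11 engine with the same module path; once the certificate and chain live in the PEM file, only the private key is ever fetched from the engine, so the leaf-only limitation of LOAD_CERT_CTRL discussed in this thread never comes into play.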


Re: [PATCH] Support loading server certificate from HW token

2020-04-30 Thread Lubos Uhliarik
Hello everyone,

do you see any chance of getting this patch applied to 1.19?

Best,

- Original Message -
> From: "Lubos Uhliarik" 
> To: nginx-devel@nginx.org
> Sent: Monday, April 27, 2020 1:53:17 PM
> Subject: [PATCH] Support loading server certificate from HW token
> 
> # HG changeset patch
> # User Lubos Uhliarik 
> # Date 1587988141 -7200
> #  Mon Apr 27 13:49:01 2020 +0200
> # Node ID 8fe8445769f77165f793a4fd016a134aa1ad373c
> # Parent  716eddd74bc2831537f5b3f7ecd16ad3e516d043
> Support loading server certificate from HW token
> 
> Nginx supports loading a private key from a HW token, but does not support
> loading a certificate. This patch adds functionality which allows loading a
> server certificate with a specified id from an OpenSSL engine.
> 
> diff -r 716eddd74bc2 -r 8fe8445769f7 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c   Thu Apr 23 15:10:26 2020 +0300
> +++ b/src/event/ngx_event_openssl.c   Mon Apr 27 13:49:01 2020 +0200
> @@ -609,6 +609,71 @@
>  X509*x509, *temp;
>  u_long   n;
>  
> +if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
> +
> +#ifndef OPENSSL_NO_ENGINE
> +
> +u_char  *p, *last;
> +ENGINE  *engine;
> +
> +p = cert->data + sizeof("engine:") - 1;
> +last = (u_char *) ngx_strchr(p, ':');
> +
> +if (last == NULL) {
> +*err = "invalid syntax";
> +return NULL;
> +}
> +
> +*last = '\0';
> +
> +engine = ENGINE_by_id((char *) p);
> +
> +if (engine == NULL) {
> +*err = "ENGINE_by_id() failed";
> +return NULL;
> +}
> +
> +if (!ENGINE_init(engine)) {
> +*err = "ENGINE_init() failed";
> +ENGINE_free(engine);
> +return NULL;
> +}
> +
> +*last++ = ':';
> +
> +struct {
> +const char *cert_id;
> +X509 *cert;
> +} params = { (char *) last, NULL };
> +
> +if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, , NULL, 1))
> {
> +*err = "ENGINE_ctrl_cmd() failed - Unable to get the
> certificate";
> +ENGINE_free(engine);
> +return NULL;
> +}
> +
> +ENGINE_finish(engine);
> +ENGINE_free(engine);
> +
> +/* set chain to null */
> +
> +*chain = sk_X509_new_null();
> +if (*chain == NULL) {
> +   *err = "sk_X509_new_null() failed";
> +   X509_free(params.cert);
> +   return NULL;
> +}
> +
> +return params.cert;
> +
> +#else
> +
> +*err = "loading \"engine:...\" certificate is not supported";
> +return NULL;
> +
> +#endif
> +}
> +
>  if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
>  
>  bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
> 
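Review bot: the failure branch after ENGINE_init() has succeeded leaks the engine's functional reference: when ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", ...) fails, the code does `ENGINE_free(engine); return NULL;` without the ENGINE_finish(engine) that the success path calls a few lines later, so the reference taken by ENGINE_init() is never released; add `ENGINE_finish(engine);` before that ENGINE_free(). Also in this hunk: `return params.cert;` is reached without checking that the command actually filled in params.cert, so a NULL certificate would be returned with *err unset; the anonymous `struct { const char *cert_id; X509 *cert; } params` hard-codes the argument layout of one engine's private LOAD_CERT_CTRL command rather than anything defined by OpenSSL's ENGINE API; and `*chain = sk_X509_new_null()` always yields an empty chain, so a certificate loaded this way is served without its intermediates. The last two limitations belong in the commit message. Minor: the struct is declared after statements, whereas the surrounding nginx code keeps declarations at the top of the block.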
