Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-04 Thread Ingo Franzki
On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
> 
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki  wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
>>>
>>>> The mod_ssl module has support for loading keys and certificates from 
>>>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>>>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>>>> (https://github.com/OpenSC/libp11).
>>>>
>>>> This works fine, but with OpenSSL 3.0, engines were deprecated, and a new 
>>>> provider concept is used.
>>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>>>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>>>> and newer distributions all have OpenSSL 3.x included.
>>>> Currently, engines do still work, but since they are deprecated, they will 
>>>> at some point in time no longer be working.
>>>>
>>>> With OpenSSL 3.x providers one can implement loading of keys and 
>>>> certificates by implementing a STORE method.
>>>> With this, keys and certificates can be loaded for example from PKCS#11 
>>>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>>>
>>>> Please find below some code changes required to support loading the server 
>>>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>>>> providers.
>>>
>>> Definite +1 in principle.
> 
> +1, thanks for the patch!
> 
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to 
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
> 
> Yes, please do this; it's easier to comment on the code and it also
> gets tested by the CI.
See https://github.com/apache/httpd/pull/397
> 
> 
> Regards;
> Yann.

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Gregor Pillen
Geschäftsführung: David Faller
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 
243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/



Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-04 Thread Yann Ylavic
Hi;

On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki  wrote:
>
> On 02.12.2023 11:20, Graham Leggett via dev wrote:
> > On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
> >
> >> The mod_ssl module has support for loading keys and certificates from 
> >> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
> >> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
> >> (https://github.com/OpenSC/libp11).
> >>
> >> This works fine, but with OpenSSL 3.0, engines were deprecated, and a new 
> >> provider concept is used.
> >> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
> >> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
> >> and newer distributions all have OpenSSL 3.x included.
> >> Currently, engines do still work, but since they are deprecated, they will 
> >> at some point in time no longer be working.
> >>
> >> With OpenSSL 3.x providers one can implement loading of keys and 
> >> certificates by implementing a STORE method.
> >> With this, keys and certificates can be loaded for example from PKCS#11 
> >> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
> >>
> >> Please find below some code changes required to support loading the server 
> >> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
> >> providers.
> >
> > Definite +1 in principle.

+1, thanks for the patch!

>
> Please see the patch file attached.
> I also fixed two minor bugs that I found during testing.
>
> You can also look at the patch here:
> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>
> If you want, I can even submit a pull request to 
> https://github.com/apache/httpd.
> Let me know what you prefer.

Yes, please do this; it's easier to comment on the code and it also
gets tested by the CI.


Regards;
Yann.


Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-03 Thread Ingo Franzki
On 02.12.2023 11:20, Graham Leggett via dev wrote:
> On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:
> 
>> The mod_ssl module has support for loading keys and certificates from 
>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and 
>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 
>> (https://github.com/OpenSC/libp11). 
>>
>> This works fine, but with OpenSSL 3.0, engines were deprecated, and a new 
>> provider concept is used.
>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
>> and newer distributions all have OpenSSL 3.x included.
>> Currently, engines do still work, but since they are deprecated, they will 
>> at some point in time no longer be working.
>>
>> With OpenSSL 3.x providers one can implement loading of keys and 
>> certificates by implementing a STORE method.
>> With this, keys and certificates can be loaded for example from PKCS#11 
>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 
>>
>> Please find below some code changes required to support loading the server 
>> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
>> providers. 
> 
> Definite +1 in principle.
> 
>> Index: docs/manual/mod/mod_ssl.html.en.utf8
>> ===
>> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
>> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
>> @@ -666,7 +666,7 @@
> 
> Would it be possible to patch mod_ssl.xml instead of the html file, since the html 
> is autogenerated?
Sure, see updated patch attached.
> 
>> Index: modules/ssl/ssl_engine_config.c
>> ===
>> --- modules/ssl/ssl_engine_config.c  (revision 1914150)
>> +++ modules/ssl/ssl_engine_config.c  (working copy)
>> @@ -689,6 +689,11 @@
>> if (strcEQ(arg, "builtin")) {
>> mc->szCryptoDevice = NULL;
>> }
>> +#if MODSSL_USE_OPENSSL_STORE
>> +else if (strcEQ(arg, "provider")) {
>> +mc->szCryptoDevice = arg;
>> +}
>> +#endif
>> #if MODSSL_HAVE_ENGINE_API
> 
> This patch isn't applying for me; it looks like the leading spaces have been 
> lost. Would it be possible to attach it as a file?
Please see the patch file attached.
I also fixed two minor bugs that I found during testing. 

You can also look at the patch here:
https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931

If you want, I can even submit a pull request to 
https://github.com/apache/httpd.
Let me know what you prefer.

> 
> Regards,
> Graham
> —
> 

-- 
Ingo Franzki
eMail: ifran...@linux.ibm.com  
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

Index: docs/manual/mod/mod_ssl.xml
===
--- docs/manual/mod/mod_ssl.xml (revision 1914150)
+++ docs/manual/mod/mod_ssl.xml (working copy)
@@ -955,7 +955,7 @@
 stored in a token.  Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are
 recognized as certificate identifiers, and can be used in conjunction
-with the OpenSSL pkcs11 engine.  If pkcs11 engine or provider.  If SSLCertificateKeyFile is omitted, the
 certificate and private key can be loaded through the single
 identifier specified with https://tools.ietf.org/html/rfc7512;>PKCS#11 
URIs are recognized as private key
 identifiers, and can be used in conjunction with the OpenSSL
-pkcs11 engine.
+pkcs11 engine or provider.
 
 Example
 
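Review bot: "the OpenSSL pkcs11 engine or provider" in the SSLCertificateKeyFile text reads as if OpenSSL shipped a pkcs11 provider; it does not, and the cover letter names the two third-party implementations (latchset/pkcs11-provider and opencryptoki/openssl-pkcs11-sign-provider) plus the general requirement of a STORE loader for the pkcs11 scheme. Suggest wording it as "the OpenSSL pkcs11 engine, or a provider that implements a STORE loader for PKCS#11 URIs", so readers know the provider is something they install and activate themselves.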
@@ -2442,6 +2442,14 @@
 SSLCryptoDevice ubsec
 
 
+
+
+With OpenSSL 3.0 or later, specify provider to load keys and
+certificates from a provider using https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+The provider to use must be defined and configured in the OpenSSL config file,
+and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html;>STORE 
method
+for https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+
 
 
 
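Review bot: the new SSLCryptoDevice paragraph says the provider "must be defined and configured in the OpenSSL config file" but gives no pointer to where, and does not mention that the file can be dedicated to httpd. The cover letter has both details (the provider section of the OpenSSL config, and OPENSSL_CONF to select a separate file), and one sentence of that belongs here. It is also worth saying explicitly that with this setting the certificate and key are still addressed through PKCS#11 URIs in SSLCertificateFile and SSLCertificateKeyFile, exactly as with an engine, since that is the only other thing that changes for the administrator.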
Index: modules/ssl/ssl_engine_config.c
===
--- modules/ssl/ssl_engine_config.c (revision 1914150)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -689,6 +689,11 @@
 if (strcEQ(arg, "builtin")) {
 mc->szCryptoDevice = NULL;
 }
+#if MODSSL_USE_OPENSSL_STORE
+else if (strcEQ(arg, "provider")) {
+mc->szCryptoDevice = arg;
+}
+#endif
 #if MODSSL_HAVE_ENGINE_API
 else if ((e = ENGINE_by_id(arg))) {
 mc->szCryptoDevice = arg;
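Review bot: the "provider" branch accepts the directive with no validation, whereas the engine branch right below only accepts an id that ENGINE_by_id() resolves at configuration time. A provider that is not activated in the OpenSSL config, or one without a STORE loader for the pkcs11 scheme, will therefore only fail later when the certificate or key URI is opened. If a config-time probe is not practical, make sure the load path logs the URI and the OpenSSL error queue on failure so that the cause is attributable to the provider setup rather than to the directive.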
@@ -697,7 +702,11 @@
 #endif
 else {
 err = "SSLCryptoDevice: Invalid argument; must be one of: "
+#if 

Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-12-02 Thread Graham Leggett via dev
On 27 Nov 2023, at 15:02, Ingo Franzki  wrote:

> The mod_ssl module has support for loading keys and certificates from OpenSSL 
> engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, 
> e.g. using the PKCS#11 engine part of libp11 
> (https://github.com/OpenSC/libp11). 
> 
> This works fine, but with OpenSSL 3.0, engines were deprecated, and a new 
> provider concept is used.
> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
> and newer distributions all have OpenSSL 3.x included.
> Currently, engines do still work, but since they are deprecated, they will at 
> some point in time no longer be working.
> 
> With OpenSSL 3.x providers one can implement loading of keys and 
> certificates by implementing a STORE method.
> With this, keys and certificates can be loaded for example from PKCS#11 
> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 
> 
> Please find below some code changes required to support loading the server 
> private key and certificates from a PKCS#11 provider using OpenSSL STORE 
> providers. 

Definite +1 in principle.

> Index: docs/manual/mod/mod_ssl.html.en.utf8
> ===
> --- docs/manual/mod/mod_ssl.html.en.utf8  (revision 1914150)
> +++ docs/manual/mod/mod_ssl.html.en.utf8  (working copy)
> @@ -666,7 +666,7 @@

Would it be possible to patch mod_ssl.xml instead of the html file, since the html is 
autogenerated?

> Index: modules/ssl/ssl_engine_config.c
> ===
> --- modules/ssl/ssl_engine_config.c   (revision 1914150)
> +++ modules/ssl/ssl_engine_config.c   (working copy)
> @@ -689,6 +689,11 @@
> if (strcEQ(arg, "builtin")) {
> mc->szCryptoDevice = NULL;
> }
> +#if MODSSL_USE_OPENSSL_STORE
> +else if (strcEQ(arg, "provider")) {
> +mc->szCryptoDevice = arg;
> +}
> +#endif
> #if MODSSL_HAVE_ENGINE_API

This patch isn't applying for me; it looks like the leading spaces have been lost. 
Would it be possible to attach it as a file?

Regards,
Graham
—



mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE

2023-11-27 Thread Ingo Franzki
Hi all,

The mod_ssl module has support for loading keys and certificates from OpenSSL 
engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, e.g. 
using the PKCS#11 engine part of libp11 (https://github.com/OpenSC/libp11). 

This works fine, but with OpenSSL 3.0, engines were deprecated, and a new 
provider concept is used.
OpenSSL 1.1.1 is no longer supported by the OpenSSL organization 
(https://www.openssl.org/blog/blog/2023/09/11/eol-111/), 
and newer distributions all have OpenSSL 3.x included.
Currently, engines do still work, but since they are deprecated, they will at 
some point in time no longer be working.

With OpenSSL 3.x providers one can implement loading of keys and certificates 
by implementing a STORE method.
With this, keys and certificates can be loaded for example from PKCS#11 modules 
via PKCS#11 URIs, just like it was possible with a PKCS#11 engine. 

Please find below some code changes required to support loading the server 
private key and certificates from a PKCS#11 provider using OpenSSL STORE 
providers. 

The usage is very similar to how it was with engines. You can specify a PKCS#11 
URI with SSLCertificateFile and SSLCertificateKeyFile, exactly how it is with 
engines. The only difference is that you must specify 'SSLCryptoDevice 
provider' as crypto device, instead of specifying the engine name.
That way, the code continues to support working with engines. So 
SSLCryptoDevice accepts either 'builtin' or an engine name as before, but now 
also 'provider' to enable the OpenSSL provider STORE API. Instead of choosing 
this approach, we could just replace the engine support by the provider 
support, but this might break existing installations that are still using 
engines.

The provider(s) to be used with httpd must be configured via the OpenSSL config 
file in the provider section.
Most providers need additional, provider specific settings that can only be 
supplied via the OpenSSL config file.
If one does not want to configure the providers globally, one can have a 
separate OpenSSL config file and use environment variable OPENSSL_CONF to 
specify the config file to use. That way one can have an OpenSSL config file 
just for httpd.

Currently there exist 2 PKCS#11 provider projects:
- https://github.com/latchset/pkcs11-provider
- https://github.com/opencryptoki/openssl-pkcs11-sign-provider
Both support loading keys via PKCS#11 URIs through their STORE support, but the 
code below is not limited to just those two.
Any provider that supports a STORE implementation for URIs with the 'pkcs11' 
scheme can be used.

BTW: my ICLA is on file.

Index: docs/manual/mod/mod_ssl.html.en.utf8
===
--- docs/manual/mod/mod_ssl.html.en.utf8(revision 1914150)
+++ docs/manual/mod/mod_ssl.html.en.utf8(working copy)
@@ -666,7 +666,7 @@
 files, a certificate identifier can be used to identify a certificate
 stored in a token.  Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are
 recognized as certificate identifiers, and can be used in conjunction
-with the OpenSSL pkcs11 engine.  If SSLCertificateKeyFile is omitted, the
+with the OpenSSL pkcs11 engine or provider.  If SSLCertificateKeyFile is omitted, the
 certificate and private key can be loaded through the single
 identifier specified with SSLCertificateFile.
 
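Review bot: the SSLCertificateFile text now says a PKCS#11 URI works with "the OpenSSL pkcs11 engine or provider" but does not say how the two are chosen; per the cover letter it is SSLCryptoDevice provider versus SSLCryptoDevice with an engine id. Add a cross-reference to SSLCryptoDevice here (and in the SSLCertificateKeyFile paragraph that follows) so a user who puts a pkcs11: URI in this directive also knows to set SSLCryptoDevice provider, since without it the provider STORE path is not enabled. Also, this edits the generated mod_ssl.html.en.utf8; the change belongs in mod_ssl.xml, from which the html is produced.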
@@ -754,7 +754,7 @@
 identifier can be used to identify a private key stored in a
 token.  Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 
URIs are recognized as private key
 identifiers, and can be used in conjunction with the OpenSSL
-pkcs11 engine.
+pkcs11 engine or provider.
 
 Example# To 
use a private key from a PEM-encoded file:
 SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"
@@ -988,6 +988,12 @@
 SSLCryptoDevice ubsec
 
 
+With OpenSSL 3.0 or later, specify provider to load keys and
+certificates from a provider using https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs.
+The provider to use must be defined and configured in the OpenSSL config file,
+and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html;>STORE 
method
+for https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs
+
 
 
 SSLEngine Directive 

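Review bot: the added sentence ends at "PKCS#11 URIs" without a terminating period (the mod_ssl.xml version of this paragraph has one), and "specify provider" should present provider as a literal directive argument, for example in the same code markup as the ubsec example just above it, so it is not read as the ordinary noun.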
Index: modules/ssl/ssl_engine_config.c
===
--- modules/ssl/ssl_engine_config.c (revision 1914150)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -689,6 +689,11 @@
 if (strcEQ(arg, "builtin")) {
 mc->szCryptoDevice = NULL;
 }
+#if MODSSL_USE_OPENSSL_STORE
+else if (strcEQ(arg, "provider")) {
+mc->szCryptoDevice = arg;
+}
+#endif
 #if MODSSL_HAVE_ENGINE_API
 else if ((e = ENGINE_by_id(arg))) {
 mc->szCryptoDevice = arg;
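Review bot: because the strcEQ(arg, "provider") test comes before the ENGINE_by_id(arg) lookup, an engine whose id is literally "provider" can no longer be selected on builds that define both MODSSL_USE_OPENSSL_STORE and MODSSL_HAVE_ENGINE_API. That is an acceptable trade-off, but it is a behaviour change and the reserved keyword should be stated in the SSLCryptoDevice documentation. Note also that the comparison is case-sensitive, so "Provider" falls through to the engine lookup and then to the "Invalid argument" error, and that mc->szCryptoDevice now holds the keyword rather than an engine id, so every consumer of szCryptoDevice that currently assumes an engine id needs to handle this value.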
@@ -697,7 +702,11 @@
 #endif
 else {
 err = "SSLCryptoDevice: Invalid argument; must be one of: "
+#if MODSSL_USE_OPENSSL_STORE
+  "'builtin'
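The configuration the cover letter describes (a provider activated in an OpenSSL config file selected with OPENSSL_CONF, SSLCryptoDevice provider, and RFC 7512 PKCS#11 URIs in SSLCertificateFile and SSLCertificateKeyFile), written out as a worked example. This is an added illustration, not code from the thread, the httpd patch or any provider project. The module paths, the token and object labels, the PIN file and the pkcs11-module-path option (which is latchset/pkcs11-provider's setting; other providers use their own keys) are assumptions, as is the provider's acceptance of a file: URL in pin-source. It goes one step beyond the mail by including the check a practitioner wants: that no PIN is embedded in httpd.conf with pin-value, and that the default provider is still activated once a second provider is configured.

```shell
#!/bin/sh
# Added example; not part of the httpd patch or of any provider project.
# Writes a dedicated OpenSSL config that activates a PKCS#11 STORE provider
# for httpd, plus the matching mod_ssl directives, and checks the result.
#
# Assumptions (not taken from the thread; adjust to your system):
#   PKCS11_PROVIDER_SO  the provider module (latchset/pkcs11-provider builds pkcs11.so)
#   PKCS11_MODULE_SO    the PKCS#11 library the provider talks to (OpenSC here)
#   PIN_FILE            root-only file holding the token PIN
#   token and object labels are made up for the example
PKCS11_PROVIDER_SO="${PKCS11_PROVIDER_SO:-/usr/lib64/ossl-modules/pkcs11.so}"
PKCS11_MODULE_SO="${PKCS11_MODULE_SO:-/usr/lib64/pkcs11/opensc-pkcs11.so}"
PIN_FILE="${PIN_FILE:-/etc/httpd/conf/token.pin}"
TOKEN_LABEL="${TOKEN_LABEL:-httpd-token}"

# OpenSSL config for httpd only (point httpd at it with OPENSSL_CONF).
# Caveat: as soon as any provider is activated in the config, OpenSSL 3 stops
# auto-loading the default provider, so "default" must be activated here too
# or ordinary TLS operations fail.
write_openssl_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = $PKCS11_PROVIDER_SO
pkcs11-module-path = $PKCS11_MODULE_SO
activate = 1
EOF
}

# mod_ssl side: 'SSLCryptoDevice provider' selects the STORE path of the patch,
# and both identifiers are RFC 7512 PKCS#11 URIs. The PIN is referenced with
# pin-source (a file the provider reads) instead of embedded as pin-value, so
# the secret never sits in httpd.conf. Support for a file: URL in pin-source is
# provider specific (assumed here for pkcs11-provider).
write_httpd_ssl_conf() {
    cat > "$1" <<EOF
SSLCryptoDevice provider
SSLCertificateFile    "pkcs11:token=$TOKEN_LABEL;object=httpd-cert;type=cert"
SSLCertificateKeyFile "pkcs11:token=$TOKEN_LABEL;object=httpd-key;type=private?pin-source=file:$PIN_FILE"
EOF
}

# Returns 0 if no SSLCertificateFile/SSLCertificateKeyFile line embeds a PIN
# via pin-value=, 1 otherwise.
check_no_pin_value() {
    if grep -E '^[[:space:]]*SSLCertificate(Key)?File' "$1" | grep -q 'pin-value='; then
        return 1
    fi
    return 0
}

# Manual verification on a real host (needs the provider and token installed):
# resolves the key URI through the STORE loader, as mod_ssl would at startup.
verify_with_openssl() {
    OPENSSL_CONF="$1" openssl list -providers
    OPENSSL_CONF="$1" openssl storeutl -keys \
        "pkcs11:token=$TOKEN_LABEL;object=httpd-key;type=private?pin-source=file:$PIN_FILE"
}

# Usage: sh this_script.sh /etc/httpd/conf
# (writes openssl-httpd.cnf and ssl-pkcs11.conf into that directory)
if [ $# -ge 1 ]; then
    write_openssl_cnf "$1/openssl-httpd.cnf"
    write_httpd_ssl_conf "$1/ssl-pkcs11.conf"
    check_no_pin_value "$1/ssl-pkcs11.conf" && \
        echo "wrote $1/openssl-httpd.cnf and $1/ssl-pkcs11.conf"
fi
```

Run httpd with OPENSSL_CONF pointing at the generated openssl-httpd.cnf (for example through the service's environment file) and Include ssl-pkcs11.conf from the TLS virtual host; the PIN file must be readable only by the user that opens the key, and verify_with_openssl shows whether the provider resolves the URI before httpd is restarted.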