Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 04.12.2023 15:32, Yann Ylavic wrote:
> Hi;
>
> On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki wrote:
>>
>> On 02.12.2023 11:20, Graham Leggett via dev wrote:
>>> On 27 Nov 2023, at 15:02, Ingo Franzki wrote:
>>> The mod_ssl module has support for loading keys and certificates from OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11 (https://github.com/OpenSC/libp11).
>>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new provider concept is used.
>>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization (https://www.openssl.org/blog/blog/2023/09/11/eol-111/), and newer distributions all have OpenSSL 3.x included.
>>> Currently, engines do still work, but since they are deprecated, they will at some point in time no longer be working.
>>> With OpenSSL 3.x providers one can implement loading of keys and certificates by implementing a STORE method.
>>> With this, keys and certificates can be loaded for example from PKCS#11 modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>> Please find below some code changes required to support loading the server private key and certificates from a PKCS#11 provider using OpenSSL STORE providers.
>>>
>>> Definite +1 in principle.
>
> +1, thanks for the patch!
>
>>
>> Please see the patch file attached.
>> I also fixed two minor bugs that I found during testing.
>>
>> You can also look at the patch here:
>> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>>
>> If you want, I can even submit a pull request to
>> https://github.com/apache/httpd.
>> Let me know what you prefer.
>
> Yes please do this, it's easier to comment on the code and it also
> gets tested by the ci.

See https://github.com/apache/httpd/pull/397

> Regards;
> Yann.

--
Ingo Franzki
eMail: ifran...@linux.ibm.com
Tel: ++49 (0)7031-16-4648
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Gregor Pillen
Management: David Faller
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
Hi;

On Mon, Dec 4, 2023 at 8:53 AM Ingo Franzki wrote:
>
> On 02.12.2023 11:20, Graham Leggett via dev wrote:
> > On 27 Nov 2023, at 15:02, Ingo Franzki wrote:
> >
> >> The mod_ssl module has support for loading keys and certificates from
> >> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and
> >> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11
> >> (https://github.com/OpenSC/libp11).
> >>
> >> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
> >> provider concept is used.
> >> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
> >> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
> >> and newer distributions all have OpenSSL 3.x included.
> >> Currently, engines do still work, but since they are deprecated, they will
> >> at some point in time no longer be working.
> >>
> >> With OpenSSL 3.x providers one can implement loading of keys and
> >> certificates by implementing a STORE method.
> >> With this, keys and certificates can be loaded for example from PKCS#11
> >> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
> >>
> >> Please find below some code changes required to support loading the server
> >> private key and certificates from a PKCS#11 provider using OpenSSL STORE
> >> providers.
> >
> > Definite +1 in principle.

+1, thanks for the patch!

>
> Please see the patch file attached.
> I also fixed two minor bugs that I found during testing.
>
> You can also look at the patch here:
> https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931
>
> If you want, I can even submit a pull request to
> https://github.com/apache/httpd.
> Let me know what you prefer.

Yes please do this, it's easier to comment on the code and it also
gets tested by the ci.

Regards;
Yann.
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 02.12.2023 11:20, Graham Leggett via dev wrote:
> On 27 Nov 2023, at 15:02, Ingo Franzki wrote:
>
>> The mod_ssl module has support for loading keys and certificates from
>> OpenSSL engines via PKCS#11 URIs at SSLCertificateFile and
>> SSLCertificateKeyFile, e.g. using the PKCS#11 engine part of libp11
>> (https://github.com/OpenSC/libp11).
>>
>> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
>> provider concept is used.
>> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
>> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
>> and newer distributions all have OpenSSL 3.x included.
>> Currently, engines do still work, but since they are deprecated, they will
>> at some point in time no longer be working.
>>
>> With OpenSSL 3.x providers one can implement loading of keys and
>> certificates by implementing a STORE method.
>> With this, keys and certificates can be loaded for example from PKCS#11
>> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>>
>> Please find below some code changes required to support loading the server
>> private key and certificates from a PKCS#11 provider using OpenSSL STORE
>> providers.
>
> Definite +1 in principle.
>
>> Index: docs/manual/mod/mod_ssl.html.en.utf8
>> ===
>> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
>> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
>> @@ -666,7 +666,7 @@
>
> Would it be possible to patch mod_ssl.xml instead of the html file, the html
> is autogenerated.

Sure, see updated patch attached.

>
>> Index: modules/ssl/ssl_engine_config.c
>> ===
>> --- modules/ssl/ssl_engine_config.c (revision 1914150)
>> +++ modules/ssl/ssl_engine_config.c (working copy)
>> @@ -689,6 +689,11 @@
>> if (strcEQ(arg, "builtin")) {
>> mc->szCryptoDevice = NULL;
>> }
>> +#if MODSSL_USE_OPENSSL_STORE
>> +else if (strcEQ(arg, "provider")) {
>> +mc->szCryptoDevice = arg;
>> +}
>> +#endif
>> #if MODSSL_HAVE_ENGINE_API
>
> This patch isn’t applying for me, looks like the leading spaces have been
> lost. Would it be possible to try attach it as a file?

Please see the patch file attached.
I also fixed two minor bugs that I found during testing.

You can also look at the patch here:
https://github.com/ifranzki/httpd/commit/4bb3ea191bc2c77608b4811817ad7f63177dd931

If you want, I can even submit a pull request to
https://github.com/apache/httpd.
Let me know what you prefer.

>
> Regards,
> Graham
> —

--
Ingo Franzki

Index: docs/manual/mod/mod_ssl.xml === --- docs/manual/mod/mod_ssl.xml (revision 1914150) +++ docs/manual/mod/mod_ssl.xml (working copy) @@ -955,7 +955,7 @@ stored in a token. Currently, only https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are recognized as certificate identifiers, and can be used in conjunction -with the OpenSSL pkcs11 engine. If pkcs11 engine or provider. If SSLCertificateKeyFile is omitted, the certificate and private key can be loaded through the single identifier specified with https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs are recognized as private key identifiers, and can be used in conjunction with the OpenSSL -pkcs11 engine. +pkcs11 engine or provider. Example
@@ -2442,6 +2442,14 @@ SSLCryptoDevice ubsec + + +With OpenSSL 3.0 or later, specify provider to load keys and +certificates from a provider using https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs. +The provider to use must be defined and configured in the OpenSSL config file, +and it must support the https://www.openssl.org/docs/man3.0/man7/provider-storemgmt.html;>STORE method +for https://tools.ietf.org/html/rfc7512;>PKCS#11 URIs. + Index: modules/ssl/ssl_engine_config.c === --- modules/ssl/ssl_engine_config.c (revision 1914150) +++ modules/ssl/ssl_engine_config.c (working copy) @@ -689,6 +689,11 @@ if (strcEQ(arg, "builtin")) { mc->szCryptoDevice = NULL; } +#if MODSSL_USE_OPENSSL_STORE +else if (strcEQ(arg, "provider")) { +mc->szCryptoDevice = arg; +} +#endif #if MODSSL_HAVE_ENGINE_API else if ((e = ENGINE_by_id(arg))) { mc->szCryptoDevice = arg; @@ -697,7 +702,11 @@ #endif else { err = "SSLCryptoDevice: Invalid argument; must be one of: " +#if
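Review bot: in the new SSLCryptoDevice paragraph (hunk @@ -2442), say explicitly that `provider` is a fixed keyword and not the name of a provider; the engine form of this directive takes an engine id, so readers will assume the same here. The following sentence already says the provider itself is selected in the OpenSSL config file, so wording such as "specify the literal value provider; which provider is used is determined by the OpenSSL configuration" would remove the ambiguity. It would also help to state that the directive is accepted at config time and that a missing or STORE-less provider only shows up when the certificate and key are loaded.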
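Review bot: the `provider` branch in hunk @@ -689 of ssl_engine_config.c accepts the keyword without any check, whereas the engine branch directly below validates the argument through `ENGINE_by_id(arg)`; a configuration with no STORE-capable provider loaded is therefore only detected when the certificate or key is loaded. Consider probing at config time, or at least logging the URI and the OpenSSL error queue when the STORE load fails, so the failure is attributable to the OpenSSL config rather than to the directive. Note also that the new branch sits before the MODSSL_HAVE_ENGINE_API block, so an engine whose id is literally "provider" can no longer be selected; that is probably acceptable but deserves a code comment.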
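Review bot: hunk @@ -697 is cut off after `+#if` in this copy of the patch, so the updated "SSLCryptoDevice: Invalid argument; must be one of:" text cannot be reviewed here; please make sure the word provider is appended to that message only under the same MODSSL_USE_OPENSSL_STORE guard used in hunk @@ -689, so the error text never advertises a value that the build cannot accept.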
Re: mod_ssl: Add support for loading keys from OpenSSL 3.x providers via STORE
On 27 Nov 2023, at 15:02, Ingo Franzki wrote:

> The mod_ssl module has support for loading keys and certificates from OpenSSL
> engines via PKCS#11 URIs at SSLCertificateFile and SSLCertificateKeyFile,
> e.g. using the PKCS#11 engine part of libp11
> (https://github.com/OpenSC/libp11).
>
> This works fine, but with OpenSSL 3.0 engines got deprecated, and a new
> provider concept is used.
> OpenSSL 1.1.1 is no longer supported by the OpenSSL organization
> (https://www.openssl.org/blog/blog/2023/09/11/eol-111/),
> and newer distributions all have OpenSSL 3.x included.
> Currently, engines do still work, but since they are deprecated, they will at
> some point in time no longer be working.
>
> With OpenSSL 3.x providers one can implement loading of keys and
> certificates by implementing a STORE method.
> With this, keys and certificates can be loaded for example from PKCS#11
> modules via PKCS#11 URIs, just like it was possible with a PKCS#11 engine.
>
> Please find below some code changes required to support loading the server
> private key and certificates from a PKCS#11 provider using OpenSSL STORE
> providers.

Definite +1 in principle.

> Index: docs/manual/mod/mod_ssl.html.en.utf8
> ===
> --- docs/manual/mod/mod_ssl.html.en.utf8 (revision 1914150)
> +++ docs/manual/mod/mod_ssl.html.en.utf8 (working copy)
> @@ -666,7 +666,7 @@

Would it be possible to patch mod_ssl.xml instead of the html file, the html
is autogenerated.

> Index: modules/ssl/ssl_engine_config.c
> ===
> --- modules/ssl/ssl_engine_config.c (revision 1914150)
> +++ modules/ssl/ssl_engine_config.c (working copy)
> @@ -689,6 +689,11 @@
> if (strcEQ(arg, "builtin")) {
> mc->szCryptoDevice = NULL;
> }
> +#if MODSSL_USE_OPENSSL_STORE
> +else if (strcEQ(arg, "provider")) {
> +mc->szCryptoDevice = arg;
> +}
> +#endif
> #if MODSSL_HAVE_ENGINE_API

This patch isn’t applying for me, looks like the leading spaces have been
lost. Would it be possible to try attach it as a file?

Regards,
Graham
—