enhanced pkcs11 patch [was: patch to allow loading PKCS #11 URLs]

2015-07-14 Thread Nikos Mavrogiannopoulos
On Fri, 2015-06-19 at 15:49 +0200, Nikos Mavrogiannopoulos wrote:
> Hello,
> The attached patch allows loading PKCS #11 URLs in the
> ssl_certificate_key.

The attached patch set enhances that support by allowing PKCS #11 URLs in the certificate field as well. As it is now nginx can work with arbi

Re: patch to allow loading PKCS #11 URLs

2015-07-05 Thread Maxim Dounin
Hello!

On Wed, Jun 24, 2015 at 03:26:17PM +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
>
> >
> > The current support relies on engine_pkcs11, which is a 3rd party
> > module (not in openssl distribution). It should be future-proof to

Re: patch to allow loading PKCS #11 URLs

2015-06-24 Thread Nikos Mavrogiannopoulos
On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
>
> The current support relies on engine_pkcs11, which is a 3rd party
> module (not in openssl distribution). It should be future-proof to
> have
> a way to load PKCS #11 modules which is independent of the backend
> used
> by ng

Re: patch to allow loading PKCS #11 URLs

2015-06-22 Thread Nikos Mavrogiannopoulos
On Mon, 2015-06-22 at 04:11 +0300, Maxim Dounin wrote:
>
> > Hi,
> > Yes, I've tried it. It would be specified as:
> > "engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin
> > -value=1234";
> >
> > But doesn't work, because it doesn't initialize the pkcs11 engine.
> Shouldn't initializa

Re: patch to allow loading PKCS #11 URLs

2015-06-21 Thread Maxim Dounin
Hello!

On Fri, Jun 19, 2015 at 04:39:48PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> >
> > Have you tried
> > ssl_certificate_key
> > "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> > instead?
> > I don't see how it's d

Re: patch to allow loading PKCS #11 URLs

2015-06-19 Thread Nikos Mavrogiannopoulos
On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
>
> Have you tried
> ssl_certificate_key
> "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> instead?
> I don't see how it's different from the code you propose.

Hi,

Yes, I've tried it. It would be specified as:
"engine:

Re: patch to allow loading PKCS #11 URLs

2015-06-19 Thread Maxim Dounin
Hello!

On Fri, Jun 19, 2015 at 03:49:48PM +0200, Nikos Mavrogiannopoulos wrote:
>
> Hello,
> The attached patch allows loading PKCS #11 URLs in the
> ssl_certificate_key.
>
> That is, one only needs to specify:
> ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin
> -value=1234

patch to allow loading PKCS #11 URLs

2015-06-19 Thread Nikos Mavrogiannopoulos
Hello,

The attached patch allows loading PKCS #11 URLs in the ssl_certificate_key. That is, one only needs to specify:

ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234"

to access a key in a HSM. That's the only step required. That extends the previous approach whi