Mercurial > nginx

changeset 9414:23971bd0b072

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSL: support loading keys via OSSL_STORE. A new "store:..." prefix for the "ssl_certificate_key" directive allows loading keys via the OSSL_STORE API. The change is required to support hardware backed keys in OpenSSL 3.x using the new "provider(7ossl)" modules, such as "pkcs11-provider". While the engine API is present in 3.x, some operating systems (notably, RHEL10) have already disabled it in their builds of OpenSSL. Related: https://trac.nginx.org/nginx/ticket/2449
author Aleksei Bavshin <a.bavshin@nginx.com>
date Mon, 16 Dec 2024 17:56:45 -0800
parents e992b5db34fc
children f1c6fdc44ac2
files src/event/ngx_event_openssl_cache.c
diffstat 1 files changed, 81 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/src/event/ngx_event_openssl_cache.c	Thu Feb 13 17:00:56 2025 +0400
+++ b/src/event/ngx_event_openssl_cache.c	Mon Dec 16 17:56:45 2024 -0800
@@ -8,10 +8,16 @@
 #include <ngx_core.h>
 #include <ngx_event.h>
 
+#ifdef ERR_R_OSSL_STORE_LIB
+#include <openssl/store.h>
+#include <openssl/ui.h>
+#endif
+
 
 #define NGX_SSL_CACHE_PATH    0
 #define NGX_SSL_CACHE_DATA    1
 #define NGX_SSL_CACHE_ENGINE  2
+#define NGX_SSL_CACHE_STORE   3
 
 #define NGX_SSL_CACHE_DISABLED  (ngx_array_t *) (uintptr_t) -1
 
@@ -444,6 +450,11 @@
     {
         id->type = NGX_SSL_CACHE_ENGINE;
 
+    } else if (index == NGX_SSL_CACHE_PKEY
+        && ngx_strncmp(path->data, "store:", sizeof("store:") - 1) == 0)
+    {
+        id->type = NGX_SSL_CACHE_STORE;
+
     } else {
         if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, path)
             != NGX_OK)
@@ -714,11 +725,6 @@
 #endif
     }
 
-    bio = ngx_ssl_cache_create_bio(id, err);
-    if (bio == NULL) {
-        return NULL;
-    }
-
     cb_data.encrypted = 0;
 
     if (*passwords) {
@@ -734,6 +740,76 @@
         cb = NULL;
     }
 
+    if (id->type == NGX_SSL_CACHE_STORE) {
+
+#ifdef ERR_R_OSSL_STORE_LIB
+
+        u_char           *uri;
+        UI_METHOD        *method;
+        OSSL_STORE_CTX   *store;
+        OSSL_STORE_INFO  *info;
+
+        method = (cb != NULL) ? UI_UTIL_wrap_read_pem_callback(cb, 0) : NULL;
+        uri = id->data + sizeof("store:") - 1;
+
+        store = OSSL_STORE_open((char *) uri, method, pwd, NULL, NULL);
+
+        if (store == NULL) {
+            *err = "OSSL_STORE_open() failed";
+
+            if (method != NULL) {
+                UI_destroy_method(method);
+            }
+
+            return NULL;
+        }
+
+        pkey = NULL;
+
+        while (pkey == NULL && !OSSL_STORE_eof(store)) {
+            info = OSSL_STORE_load(store);
+
+            if (info == NULL) {
+                continue;
+            }
+
+            if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
+                pkey = OSSL_STORE_INFO_get1_PKEY(info);
+            }
+
+            OSSL_STORE_INFO_free(info);
+        }
+
+        OSSL_STORE_close(store);
+
+        if (method != NULL) {
+            UI_destroy_method(method);
+        }
+
+        if (pkey == NULL) {
+            *err = "OSSL_STORE_load() failed";
+            return NULL;
+        }
+
+        if (cb_data.encrypted) {
+            *passwords = NGX_SSL_CACHE_DISABLED;
+        }
+
+        return pkey;
+
+#else
+
+        *err = "loading \"store:...\" certificate keys is not supported";
+        return NULL;
+
+#endif
+    }
+
+    bio = ngx_ssl_cache_create_bio(id, err);
+    if (bio == NULL) {
+        return NULL;
+    }
+
     for ( ;; ) {
 
         pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd);