Support for OpenSSL 3.0 providers and provider-based key loading

Hi all,

now that OpenSSL 3.0 support is available, I would like to ask if there are any plans to support loading OpenSSL provider-based keys, similar to loading Engine-based keys from a URI.

When using an OpenSSL PKCS#11 engine, one can specify a PKCS#11 URL with SSLCertificateKeyFile to have the engine load the server's private key.

When looking at the code, it seems that this only works with Engines.
The code in ssl_init_server_certs() checks via modssl_is_engine_id() if the key is a URI starting with 'pkcs11:', and if so, it loads the key via modssl_load_engine_keypair(), which loads the key via ENGINE_load_private_key() and friends. So this code is Engine-specific, and won't work with providers.
The other code paths all expect the server private key to be in PEM format.

What I am looking for is a way to load the private key using a PKCS#11 URL, not using Engines, but a PKCS#11 provider (such a provider might not exist at the moment, but let's assume that one exists). That would require that mod_ssl loads the private key via OSSL_STORE_open() / OSSL_STORE_load() and friends, so that a PKCS#11 provider that was configured to be loaded is fetched for the 'pkcs11'-type URI and can in turn load the PKCS#11 key.

The ultimate goal is to allow httpd to use an HSM-based private key via a PKCS#11 provider, so that the server's private key is never exposed in clear.
This is already possible when using the libp11 Engine from https://github.com/OpenSC/libp11, but given that Engines are deprecated and will go away at some point in time, I would like to be able to do the same with a (still to be implemented) PKCS#11 provider.

Are there any plans to implement such provider-based key loading in httpd? 

-- 
Ingo Franzki
eMail: ifranzki@xxxxxxxxxxxxx  
Tel: ++49 (0)7031-16-4648
Fax: ++49 (0)7031-16-3456
Linux on IBM Z Development, Schoenaicher Str. 220, 71032 Boeblingen, Germany

IBM Deutschland Research & Development GmbH / Vorsitzender des Aufsichtsrats: Matthias Hartmann
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294
IBM DATA Privacy Statement: https://www.ibm.com/privacy/us/en/
