WIP - mod_ssl: allow loading PKCS#11 keys without requiring #480

2 changes: 2 additions & 0 deletions changes-entries/modssl-engine-fallback.txt
@@ -0,0 +1,2 @@
*) mod_ssl: Restore support for loading PKCS#11 keys via ENGINE
without "SSLCryptoDevice" configured. [Joe Orton]
31 changes: 20 additions & 11 deletions modules/ssl/ssl_engine_pphrase.c
Expand Up @@ -806,6 +806,9 @@ static apr_status_t modssl_engine_cleanup(void *engine)
return APR_SUCCESS;
}

/* Tries to load the key and optionally certificate via the ENGINE
* API. Returns APR_ENOTIMPL if an ENGINE could not be identified
* loaded from the key name. */
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
apr_pool_t *ptemp,
const char *vhostid,
Expand All @@ -831,16 +834,16 @@ static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
"Init: Unrecognized private key identifier `%s'",
keyid);
return ssl_die(s);
return APR_ENOTIMPL;
}

scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
if (!(e = ENGINE_by_id(scheme))) {
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
"Init: Failed to load engine for private key %s",
keyid);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
return ssl_die(s);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
return APR_ENOTIMPL;
}

if (!ENGINE_init(e)) {
Expand Down Expand Up @@ -996,15 +999,21 @@ apr_status_t modssl_load_engine_keypair(server_rec *s,
X509 **pubkey, EVP_PKEY **privkey)
{
#if MODSSL_HAVE_ENGINE_API
SSLModConfigRec *mc = myModConfig(s);
apr_status_t rv;

rv = modssl_load_keypair_engine(s, pconf, ptemp,
vhostid, certid, keyid,
pubkey, privkey);
if (rv == APR_SUCCESS) {
return rv;
}
/* If STORE support is not present, all errors are fatal here; if
* STORE is present and the ENGINE could not be loaded, ignore the
* error and fall through to try loading via the STORE API. */
else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
return ssl_die(s);
}

/* For OpenSSL 3.x, use the STORE-based API if either ENGINE
* support was not present compile-time, or if it's built but
* SSLCryptoDevice is not configured. */
if (mc->szCryptoDevice)
return modssl_load_keypair_engine(s, pconf, ptemp,
vhostid, certid, keyid,
pubkey, privkey);
#endif
#if MODSSL_HAVE_OPENSSL_STORE
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
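Review bot: The two `APR_ENOTIMPL` returns that the new `else if` branch here treats as non-fatal when STORE support is built in (the "Unrecognized private key identifier" and "Failed to load engine" paths in the modssl_load_keypair_engine hunk) still log via `ap_log_error(..., APLOG_EMERG, ...)` before falling through, so a build with OpenSSL STORE and no ENGINE for the key's scheme writes an EMERG entry on what is then a successful STORE-based load; those two calls should use the same `APLOG_NOTICE` that the hunk already chose for `ssl_log_ssl_error`, leaving the genuinely fatal case to be reported once at the `return ssl_die(s);` branch. Separately, `!MODSSL_HAVE_OPENSSL_STORE` is used as a runtime C expression while the same macro is tested with `#if` a few lines below; if it is only defined for OpenSSL builds that have STORE (its definition is not visible here), the `else if` will not compile on older builds, which `#if MODSSL_HAVE_OPENSSL_STORE` / `if (rv != APR_ENOTIMPL) return ssl_die(s);` / `#else` / `return ssl_die(s);` / `#endif` avoids. The new control flow also establishes a precedence that the comment does not state: every `scheme:` key id is now offered to `ENGINE_by_id()` first, so a `pkcs11:` identifier will be handled by a legacy engine rather than the STORE/provider path whenever both are available, which is worth a line such as `/* An ENGINE matching the scheme prefix takes precedence over STORE. */`. The `else` after an unconditional `return rv;` is redundant and can be a plain `if`. modssl_load_engine_keypair continues past the end of this hunk.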