89 lines
2.3 KiB
Diff
89 lines
2.3 KiB
Diff
From 4e5f12d6584536ead82d20554d8f3f2ab0107b0b Mon Sep 17 00:00:00 2001
|
|
From: Lubos Uhliarik <luhliari@redhat.com>
|
|
Date: Fri, 30 Apr 2021 13:07:45 +0000
|
|
Subject: [PATCH 3/3] Support loading certificates from hardware token (PKCS#11)
|
|
|
|
---
|
|
src/event/ngx_event_openssl.c | 65 +++++++++++++++++++++++++++++++++++
|
|
1 file changed, 65 insertions(+)
|
|
|
|
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
|
index d762d6b..270b200 100644
|
|
--- a/src/event/ngx_event_openssl.c
|
|
+++ b/src/event/ngx_event_openssl.c
|
|
@@ -617,6 +617,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
|
X509 *x509, *temp;
|
|
u_long n;
|
|
|
|
+ if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
|
|
+
|
|
+#ifndef OPENSSL_NO_ENGINE
|
|
+
|
|
+ u_char *p, *last;
|
|
+ ENGINE *engine;
|
|
+
|
|
+ p = cert->data + sizeof("engine:") - 1;
|
|
+ last = (u_char *) ngx_strchr(p, ':');
|
|
+
|
|
+ if (last == NULL) {
|
|
+ *err = "invalid syntax";
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ *last = '\0';
|
|
+
|
|
+ engine = ENGINE_by_id((char *) p);
|
|
+
|
|
+ if (engine == NULL) {
|
|
+ *err = "ENGINE_by_id() failed";
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ if (!ENGINE_init(engine)) {
|
|
+ *err = "ENGINE_init() failed";
|
|
+ ENGINE_free(engine);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ *last++ = ':';
|
|
+
|
|
+ struct {
|
|
+ const char *cert_id;
|
|
+ X509 *cert;
|
|
+ } params = { (char *) last, NULL };
|
|
+
|
|
+ if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) {
|
|
+ *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
|
|
+ ENGINE_free(engine);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ ENGINE_finish(engine);
|
|
+ ENGINE_free(engine);
|
|
+
|
|
+ /* set chain to null */
|
|
+
|
|
+ *chain = sk_X509_new_null();
|
|
+ if (*chain == NULL) {
|
|
+ *err = "sk_X509_new_null() failed";
|
|
+ X509_free(params.cert);
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
+ return params.cert;
|
|
+
|
|
+#else
|
|
+
|
|
+ *err = "loading \"engine:...\" certificate is not supported";
|
|
+ return NULL;
|
|
+
|
|
+#endif
|
|
+ }
|
|
+
|
|
if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
|
|
|
|
bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
|
|
--
|
|
2.26.3
|
|
|