From 4e5f12d6584536ead82d20554d8f3f2ab0107b0b Mon Sep 17 00:00:00 2001 From: Lubos Uhliarik Date: Fri, 30 Apr 2021 13:07:45 +0000 Subject: [PATCH 3/3] Support loading certificates from hardware token (PKCS#11) --- src/event/ngx_event_openssl.c | 65 +++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c index d762d6b..270b200 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -617,6 +617,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert, X509 *x509, *temp; u_long n; + if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) { + +#ifndef OPENSSL_NO_ENGINE + + u_char *p, *last; + ENGINE *engine; + + p = cert->data + sizeof("engine:") - 1; + last = (u_char *) ngx_strchr(p, ':'); + + if (last == NULL) { + *err = "invalid syntax"; + return NULL; + } + + *last = '\0'; + + engine = ENGINE_by_id((char *) p); + + if (engine == NULL) { + *err = "ENGINE_by_id() failed"; + return NULL; + } + + if (!ENGINE_init(engine)) { + *err = "ENGINE_init() failed"; + ENGINE_free(engine); + return NULL; + } + + *last++ = ':'; + + struct { + const char *cert_id; + X509 *cert; + } params = { (char *) last, NULL }; + + if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) { + *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate"; + ENGINE_free(engine); + return NULL; + } + + ENGINE_finish(engine); + ENGINE_free(engine); + + /* set chain to null */ + + *chain = sk_X509_new_null(); + if (*chain == NULL) { + *err = "sk_X509_new_null() failed"; + X509_free(params.cert); + return NULL; + } + + return params.cert; + +#else + + *err = "loading \"engine:...\" certificate is not supported"; + return NULL; + +#endif + } + if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) { bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1, -- 2.26.3