SSL: support loading keys via OSSL_STORE.

A new "store:..." prefix for the "ssl_certificate_key" directive allows
loading keys via the OSSL_STORE API.

The change is required to support hardware backed keys in OpenSSL 3.x using
the new "provider(7ossl)" modules, such as "pkcs11-provider".  While the
engine API is present in 3.x, some operating systems (notably, RHEL10)
have already disabled it in their builds of OpenSSL.

Related: https://trac.nginx.org/nginx/ticket/2449
This commit is contained in:
Aleksei Bavshin 2024-12-16 17:56:45 -08:00
parent f3542500b6
commit 57aa81838b

View File

@ -8,10 +8,16 @@
#include <ngx_core.h>
#include <ngx_event.h>
#ifdef ERR_R_OSSL_STORE_LIB
#include <openssl/store.h>
#include <openssl/ui.h>
#endif
#define NGX_SSL_CACHE_PATH 0
#define NGX_SSL_CACHE_DATA 1
#define NGX_SSL_CACHE_ENGINE 2
#define NGX_SSL_CACHE_STORE 3
#define NGX_SSL_CACHE_DISABLED (ngx_array_t *) (uintptr_t) -1
@ -444,6 +450,11 @@ ngx_ssl_cache_init_key(ngx_pool_t *pool, ngx_uint_t index, ngx_str_t *path,
{
id->type = NGX_SSL_CACHE_ENGINE;
} else if (index == NGX_SSL_CACHE_PKEY
&& ngx_strncmp(path->data, "store:", sizeof("store:") - 1) == 0)
{
id->type = NGX_SSL_CACHE_STORE;
} else {
if (ngx_get_full_name(pool, (ngx_str_t *) &ngx_cycle->conf_prefix, path)
!= NGX_OK)
@ -714,11 +725,6 @@ ngx_ssl_cache_pkey_create(ngx_ssl_cache_key_t *id, char **err, void *data)
#endif
}
bio = ngx_ssl_cache_create_bio(id, err);
if (bio == NULL) {
return NULL;
}
cb_data.encrypted = 0;
if (*passwords) {
@ -734,6 +740,76 @@ ngx_ssl_cache_pkey_create(ngx_ssl_cache_key_t *id, char **err, void *data)
cb = NULL;
}
if (id->type == NGX_SSL_CACHE_STORE) {
#ifdef ERR_R_OSSL_STORE_LIB
u_char *uri;
UI_METHOD *method;
OSSL_STORE_CTX *store;
OSSL_STORE_INFO *info;
method = (cb != NULL) ? UI_UTIL_wrap_read_pem_callback(cb, 0) : NULL;
uri = id->data + sizeof("store:") - 1;
store = OSSL_STORE_open((char *) uri, method, pwd, NULL, NULL);
if (store == NULL) {
*err = "OSSL_STORE_open() failed";
if (method != NULL) {
UI_destroy_method(method);
}
return NULL;
}
pkey = NULL;
while (pkey == NULL && !OSSL_STORE_eof(store)) {
info = OSSL_STORE_load(store);
if (info == NULL) {
continue;
}
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
pkey = OSSL_STORE_INFO_get1_PKEY(info);
}
OSSL_STORE_INFO_free(info);
}
OSSL_STORE_close(store);
if (method != NULL) {
UI_destroy_method(method);
}
if (pkey == NULL) {
*err = "OSSL_STORE_load() failed";
return NULL;
}
if (cb_data.encrypted) {
*passwords = NGX_SSL_CACHE_DISABLED;
}
return pkey;
#else
*err = "loading \"store:...\" certificate keys is not supported";
return NULL;
#endif
}
bio = ngx_ssl_cache_create_bio(id, err);
if (bio == NULL) {
return NULL;
}
for ( ;; ) {
pkey = PEM_read_bio_PrivateKey(bio, NULL, cb, pwd);