client and server tls UPDATE add pkcs11 engine support #454

Open
wants to merge 1 commit into
base: master

vkarpenk

This PR is adding pkcs#11 support for TLS private key storage. This was tested using Intel 'Key Management Reference Application (KMRA)' project, which uses an SGX enclave to store and manage keys, but could be used with other pkcs#11 targets. Moves private keys from a local file to remote key management storage.

vjardin commented Jan 19, 2024

Since ENGINE is deprecated with OpenSSL 3, please, switch to the PROVIDER API.

@jktjkt jktjkt left a comment

This really needs docs. Please link to some best-practices document or a HOWTO by the OpenSSL project which explains how these are used in other SW.

How is the end user supposed to control this feature, btw?

Comment on lines +867 to +868
const char* uri = getenv("TOKEN_KEY_URI");
const char* pin = getenv("DEFAULT_USER_PIN");
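
Review bot: `getenv("DEFAULT_USER_PIN")` on the second line takes the token PIN from the process environment, where it is inherited by every child process and stays readable for the life of the process, and neither this result nor `uri` is checked for NULL in the lines shown. Take the PIN from an explicit, documented configuration option (or let the PKCS#11 URI reference it through RFC 7512's `pin-source` attribute), fail with a clear error when either value is missing, and give any remaining environment variables a project-specific prefix rather than the generic `TOKEN_KEY_URI` and `DEFAULT_USER_PIN`.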

Are these standard variable names, and are they documented somewhere?

@@ -387,6 +388,9 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
char *key;
X509_LOOKUP *lookup;
X509_VERIFY_PARAM *vpm = NULL;
EVP_PKEY *pkey = NULL;
ENGINE *pkcs11 = NULL;
const char* pin = getenv("DEFAULT_USER_PIN");
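
Review bot: the initializer `const char* pin = getenv("DEFAULT_USER_PIN");` makes `nc_client_tls_update_opts()` read process-global state on every call, even though the function already receives a `struct nc_client_tls_opts *opts` that could carry the key URI and PIN chosen by the application. Add those fields to the options struct (with a public setter) so the caller controls the feature, and move the lookup to the branch that actually loads a PKCS#11 key. The `ENGINE *pkcs11` handle ties this to an API that OpenSSL 3 deprecates, and `const char* pin` should follow the `char *key` pointer style of the neighbouring declarations.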

Is this a standard variable name used by other projects, and does it conform to how the OpenSSL API is "supposed to be used"? Where is the documentation?
