
client and server tls UPDATE add pkcs11 engine support #454

Open
wants to merge 1 commit into
base: master
63 changes: 58 additions & 5 deletions src/session_client_tls.c
Expand Up @@ -27,6 +27,7 @@
#include <openssl/err.h>
#include <openssl/ossl_typ.h>
#include <openssl/x509.h>
#include <openssl/engine.h>

#include "config.h"
#include "log_p.h"
Expand Down Expand Up @@ -387,6 +388,9 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
char *key;
X509_LOOKUP *lookup;
X509_VERIFY_PARAM *vpm = NULL;
EVP_PKEY *pkey = NULL;
ENGINE *pkcs11 = NULL;
const char* pin = getenv("DEFAULT_USER_PIN");
Is this a standard variable name used by other projects, and does it conform to how the OpenSSL API is "supposed to be used"? Where is the documentation?


if (!opts->tls_ctx || opts->tls_ctx_change) {
SSL_CTX_free(opts->tls_ctx);
Expand All @@ -412,11 +416,54 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
} else {
key = opts->key_path;
}
if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;

ENGINE_load_dynamic();
pkcs11 = ENGINE_by_id("pkcs11");
if (!pkcs11)
{
if (SSL_CTX_use_PrivateKey_file(opts->tls_ctx, key, SSL_FILETYPE_PEM) != 1) {
ERR(NULL, "Loading the client private key from \'%s\' failed (%s).", key,
ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;
}
} else {
if (!pin) {
ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed.");
rc -1;
goto cleanup;
}

if (!ENGINE_init(pkcs11))
{
ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;
}

if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0))
{
ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;
}

/* load server key using pkcs11 engine*/
pkey = ENGINE_load_private_key(pkcs11, key, NULL, NULL);
if (!pkey)
{
ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;
}

/* set server key */
if ((SSL_CTX_use_PrivateKey(opts->tls_ctx, pkey) != 1))
{
ERR(NULL, "Loading the client private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
rc = -1;
goto cleanup;
}
}

if (!SSL_CTX_load_verify_locations(opts->tls_ctx, opts->ca_file, opts->ca_dir)) {
Expand Down Expand Up @@ -481,6 +528,12 @@ nc_client_tls_update_opts(struct nc_client_tls_opts *opts, const char *peername)
}

cleanup:
if (pkcs11) {
ENGINE_free(pkcs11);
}
if (pkey){
EVP_PKEY_free(pkey);
}
X509_VERIFY_PARAM_free(vpm);
return rc;
}
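Review bot: `rc -1;` in the missing-PIN branch (right after the `DEFAULT_USER_PIN is not set` ERR) is an expression statement whose value is discarded, so rc is never set and the function jumps to cleanup returning whatever rc held before — likely success — with no client key loaded; it must read `rc = -1;`. The cleanup label only calls `ENGINE_free(pkcs11)`, but once `ENGINE_init` has succeeded the functional reference must be released with `ENGINE_finish` before `ENGINE_free`, otherwise it leaks on every context rebuild; the cleanup in src/session_server_tls.c has the same omission. Because the mere success of `ENGINE_by_id("pkcs11")` selects the branch, any host where the engine happens to be installed stops loading `opts->key_path` as a PEM file and instead hands that path to `ENGINE_load_private_key` as a key id (and the server file likewise drops its configured privkey_data), so the engine path should be enabled by an explicit option rather than engine availability, and a failed `ENGINE_by_id` should be followed by `ERR_clear_error()` so the fallback's `ERR_get_error()` does not report the stale lookup. Taking the PIN from the inheritable process environment via `getenv` keeps the secret readable to child processes and in process memory for the lifetime of the daemon; passing a UI_METHOD and callback data through the two NULL arguments of `ENGINE_load_private_key`, sourced from the TLS options, would be the safer contract. nc_client_tls_update_opts starts and ends outside the hunk, so the declaration below is placed by the `pin` line it follows.

```c
    const char* pin = getenv("DEFAULT_USER_PIN");
    int engine_inited = 0;   /* set once ENGINE_init() succeeds; cleanup must ENGINE_finish() only then */
    /* … unchanged: SSL_CTX (re)creation, certificate loading, key path selection … */
        ENGINE_load_dynamic();
        pkcs11 = ENGINE_by_id("pkcs11");
        if (!pkcs11) {
            ERR_clear_error();   /* drop the lookup failure so the PEM path reports its own error */
            /* … unchanged: SSL_CTX_use_PrivateKey_file() fallback … */
        } else {
            if (!pin) {
                ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed.");
                rc = -1;
                goto cleanup;
            }
            if (!ENGINE_init(pkcs11)) {
                ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error()));
                rc = -1;
                goto cleanup;
            }
            engine_inited = 1;
            /* … unchanged: PIN ctrl, ENGINE_load_private_key(), SSL_CTX_use_PrivateKey() … */
        }
    /* … unchanged: SSL_CTX_load_verify_locations() and the rest of the function … */
cleanup:
    if (pkcs11) {
        if (engine_inited) {
            ENGINE_finish(pkcs11);   /* releases the functional reference taken by ENGINE_init() */
        }
        ENGINE_free(pkcs11);         /* releases the structural reference from ENGINE_by_id() */
    }
    EVP_PKEY_free(pkey);             /* NULL-safe, no guard needed */
    X509_VERIFY_PARAM_free(vpm);
    return rc;
```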
59 changes: 53 additions & 6 deletions src/session_server_tls.c
Expand Up @@ -30,6 +30,7 @@
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/engine.h>

#include "compat.h"
#include "config.h"
Expand Down Expand Up @@ -862,6 +863,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
NC_PRIVKEY_FORMAT privkey_type;
X509 *cert = NULL;
EVP_PKEY *pkey = NULL;
ENGINE *pkcs11 = NULL;
const char* uri = getenv("TOKEN_KEY_URI");
const char* pin = getenv("DEFAULT_USER_PIN");
Comment on lines +867 to +868
Are these standard variable names, and are they documented somewhere?


NC_CHECK_ARG_RET(NULL, tls_ctx, opts, -1);

Expand Down Expand Up @@ -896,12 +900,52 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
goto cleanup;
}

/* load the private key */
pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
if (!pkey) {
ERR(NULL, "Converting private key data to private key format failed.");
ret = -1;
goto cleanup;
ENGINE_load_dynamic();
pkcs11 = ENGINE_by_id("pkcs11");
if (!pkcs11)
{
/* load the private key */
pkey = base64der_to_privatekey(privkey_data, nc_privkey_format_to_str(privkey_type));
if (!pkey) {
ERR(NULL, "Converting private key data to private key format failed.");
ret = -1;
goto cleanup;
}
} else {
if (!uri) {
ERR(NULL, "TOKEN_KEY_URI is not set. Loading private key using pkcs11 engine failed.");
ret = -1;
goto cleanup;
}

if (!pin) {
ERR(NULL, "DEFAULT_USER_PIN is not set. Loading private key using pkcs11 engine failed.");
ret = -1;
goto cleanup;
}

if (!ENGINE_init(pkcs11))
{
ERR(NULL, "Initializing the pkcs11 engine failed (%s).", ERR_reason_error_string(ERR_get_error()));
ret = -1;
goto cleanup;
}

if (!ENGINE_ctrl_cmd_string(pkcs11, "PIN", pin, 0))
{
ERR(NULL, "Setting pin failed (%s).", ERR_reason_error_string(ERR_get_error()));
ret = -1;
goto cleanup;
}

/* load server key using pkcs11 engine*/
pkey = ENGINE_load_private_key(pkcs11, uri, NULL, NULL);
if (!pkey)
{
ERR(NULL, "Reading the private key failed (%s).", ERR_reason_error_string(ERR_get_error()));
ret = -1;
goto cleanup;
}
}

/* set server key */
Expand All @@ -917,6 +961,9 @@ nc_tls_ctx_set_server_cert_key(SSL_CTX *tls_ctx, struct nc_server_tls_opts *opts
cleanup:
X509_free(cert);
EVP_PKEY_free(pkey);
if (pkcs11) {
ENGINE_free(pkcs11);
}
return ret;
}

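Review bot: The new engine branches put the opening brace on its own line (`if (!pkcs11)` newline `{`, and again at `ENGINE_init`, `ENGINE_ctrl_cmd_string` and the second `if (!pkey)`) and declare `const char* uri` / `const char* pin`, while the fallback branch in the same hunk and the rest of the function use K&R braces and `char *`; keep the file's style, e.g. `if (!ENGINE_init(pkcs11)) {` and `const char *uri = getenv("TOKEN_KEY_URI");`. When `ENGINE_by_id("pkcs11")` returns NULL it leaves an entry on the OpenSSL error queue and nothing clears it before the configured-key path continues, so any later `ERR_reason_error_string(ERR_get_error())` in this function (the set-server-key reporting after the hunk, if it reads the queue) may show the stale engine lookup instead of the real failure; add `ERR_clear_error();` as the first statement of the `!pkcs11` branch. The comment `/* load server key using pkcs11 engine*/` should also state that the key id comes from the TOKEN_KEY_URI environment variable and that the privkey_data already read from opts is not used on this path, since neither is obvious from the code. nc_tls_ctx_set_server_cert_key starts and ends outside the hunk.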