Bug 57510 - Engine keyform support for private keys
Summary: Engine keyform support for private keys
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2015-01-28 14:29 UTC by Pichulin Dmitrii
Modified: 2015-02-08 06:34 UTC

Attachments
Engine keyform patch (3.87 KB, text/plain)
2015-01-28 14:32 UTC, Pichulin Dmitrii
Description Pichulin Dmitrii 2015-01-28 14:29:41 UTC
mod_ssl should support engine private keys, briefly -- use ENGINE_load_private_key.

We suggest that when SSLCertificateKeyFile starts with "engine:" it is interpreted as "engine:%s:%s", where the first string is the Crypto Device API (ENGINE) and the second string is the key in engine keyform.

The same functionality was recently added to nginx starting from 1.7.9; the nginx patch is here: http://trac.nginx.org/nginx/changeset/2c33ed82cde140a5bc38938dbdd6e32534223925/nginx
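As an added illustration (not the attached patch, which is not reproduced here), the following C sketch parses the "engine:%s:%s" form proposed above and then resolves the key through ENGINE_by_id / ENGINE_init / ENGINE_load_private_key; the OpenSSL part sits behind an assumed HAVE_OPENSSL_ENGINE build flag so the parser compiles on its own, and the engine and key ids in the comments are constructed sample values.

```c
#include <string.h>

/* Split an SSLCertificateKeyFile value of the form "engine:<engine id>:<key id>"
 * (the "engine:%s:%s" form proposed above) into its two fields. The first ':'
 * after the prefix separates the fields, so the key id may itself contain ':'
 * (e.g. the constructed sample "engine:pkcs11:slot_0-id_45").
 * Returns 1 on success, 0 for an ordinary file path or a malformed reference.
 * Output buffers are caller-supplied and NUL-terminated on success. */
int ssl_parse_engine_keyref(const char *value, char *engine_id, size_t engine_len,
                            char *key_id, size_t key_len)
{
    static const char prefix[] = "engine:";
    size_t plen = sizeof(prefix) - 1;
    const char *rest, *sep;
    size_t idlen;

    if (value == NULL || strncmp(value, prefix, plen) != 0)
        return 0;                              /* not an engine reference */
    rest = value + plen;
    sep = strchr(rest, ':');
    if (sep == NULL || sep == rest || sep[1] == '\0')
        return 0;                              /* both fields must be non-empty */
    idlen = (size_t)(sep - rest);
    if (idlen >= engine_len || strlen(sep + 1) >= key_len)
        return 0;                              /* refuse rather than truncate */
    memcpy(engine_id, rest, idlen);
    engine_id[idlen] = '\0';
    strcpy(key_id, sep + 1);
    return 1;
}

#ifdef HAVE_OPENSSL_ENGINE   /* assumed build flag; needs OpenSSL headers and -lcrypto */
#include <openssl/engine.h>
/* Look up an ENGINE that OpenSSL's own config already set up and ask it for the
 * key, as the report proposes (ENGINE_by_id, then ENGINE_load_private_key).
 * ENGINE_init is required in between: ENGINE_by_id only returns a structural
 * reference, and loading a key needs a functional one. */
EVP_PKEY *ssl_load_engine_key(const char *engine_id, const char *key_id)
{
    EVP_PKEY *pkey = NULL;
    ENGINE *e = ENGINE_by_id(engine_id);
    if (e == NULL)
        return NULL;
    if (ENGINE_init(e)) {
        /* NULL UI_METHOD: the engine's default PIN/passphrase prompting applies */
        pkey = ENGINE_load_private_key(e, key_id, NULL, NULL);
        ENGINE_finish(e);
    }
    ENGINE_free(e);
    return pkey;
}
#endif
```

The parser refuses rather than silently truncating an over-long id, so a misconfigured key reference fails at startup instead of selecting the wrong key. Note that the ENGINE API is deprecated in OpenSSL 3.0 in favour of providers, so this call chain is specific to the 1.0.x/1.1.x era the bug discusses.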
Comment 1 Pichulin Dmitrii 2015-01-28 14:32:22 UTC
Created attachment 32405 [details]
Engine keyform patch
Comment 2 Kaspar Brand 2015-02-01 08:46:45 UTC
Thanks for the patch - it would be a fairly superficial support for engine-based keys, though. If we really want to support this feature (so far, the SSLCryptoDevice is targeting the accelerator-only case), then we should consider adding a more flexible mechanism. See e.g.

https://mail-archives.apache.org/mod_mbox/httpd-dev/200402.mbox/%3C1077205315.13155.15.camel%40dyn95394216.austin.ibm.com%3E

and bug 42687, bug 42688 (or bug 51296, which specifically mentions SSLCryptoDeviceCtrl).
Comment 3 Pichulin Dmitrii 2015-02-03 13:00:31 UTC
(In reply to Kaspar Brand from comment #2)
> Thanks for the patch - it would be a fairly superficial support for
> engine-based keys, though. If we really want to support this feature (so
> far, the SSLCryptoDevice is targeting the accelerator-only case), then we
> should consider adding a more flexible mechanism. See e.g.
> 
> https://mail-archives.apache.org/mod_mbox/httpd-dev/200402.mbox/
> %3C1077205315.13155.15.camel%40dyn95394216.austin.ibm.com%3E
> 
> and bug 42687, bug 42688 (or bug 51296, which specifically mentions
> SSLCryptoDeviceCtrl).

First:

Our patch provides exactly what is stated. Kaspar Brand said that this is "fairly superficial support for engine-based keys", but at this point in time Apache httpd cannot load private keys from tokens at all.

This functionality is becoming more and more crucial over time. Our patch can simply add this functionality without any consequences. It can be upgraded later with a better solution if it's needed.

Second:

Our vision is that OpenSSL is preconfigured and SSLCertificateKeyFile just uses ENGINE_by_id (and then ENGINE_load_private_key) to get an already initialized ENGINE (initialized by the OpenSSL config).

Your vision is that OpenSSL should be configured by Apache httpd; can you provide information on why?
Comment 4 Yann Ylavic 2015-02-05 15:53:21 UTC
Do you have an example of how this could be tested with an (open) engine?
Comment 5 Kaspar Brand 2015-02-08 06:34:57 UTC
(In reply to Pichulin Dmitrii from comment #3)
> at this point of time
> Apache httpd can not load private keys from tokens at all.
> 
> This functionality is becoming more and more crucial over time.

This is debatable. Looking at how few reactions there were to bug 42687 (and an accompanying thread on httpd-dev which ended here [1]), I remain sceptical about the urgency of such a feature. Generally speaking, I would mostly be in favor of having decent PKCS#11 support in mod_ssl, as I consider this a much less idiosyncratic way of supporting hardware-based keys than using custom per-token OpenSSL engines (I'm aware of engine_pkcs11, which at least provides indirect PKCS#11 support for OpenSSL).

> Our patch
> can simply add this functionality without any consequences. It can be
> upgraded later with a better solution if its needed.

I beg to differ. It amounts to what is sometimes called creeping featurism - from an httpd maintainer's point of view, adding such an option is not just a question of committing a few additional lines of code. It's about devising / deciding on a sensible solution for supporting token-based keys, documenting this feature, making sure it doesn't break with new httpd or OpenSSL releases etc.

> Our vision is that OpenSSL is preconfigured and SSLCertificateKeyFile just
> use ENGINE_by_id (and then ENGINE_load_private_key)

Repurposing a directive which is clearly referring to "File" by its very name already suggests that this is a fairly hasty way of adding engine-based key support. The public-key part of the story is not addressed either - at least SSLCertificateFile would have to be taken into account, too.

> Your vision is that OpenSSL should be configured by Apache httpd, can you
> provide information why?

Because that's the approach mod_ssl takes for all other OpenSSL configuration things (SSLCipherSuite, SSLProtocol, etc., or the new SSLOpenSSLConfCmd for 1.0.2 and later). How OpenSSL is configured for use by mod_ssl should be evident from examination of the (self-contained) httpd configuration, and not depend on a potentially system-wide openssl.cnf file shared with other applications.

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/200706.mbox/%3C46768DFB.3090708@ncipher.com%3E