Description of problem:
In Fedora 22 engine_pkcs11 supports loading PKCS #11 URLs (RFC7512). However, they cannot be used with the nginx configuration. Please allow a way to specify PKCS #11 URLs for use with nginx.

How reproducible:
Attempt to use the instructions at: http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html

Replace:
"ssl_certificate_key engine:pkcs11:slot_0-id_00;"
with
ssl_certificate_key engine:pkcs11:"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=f0490bea351ba5b1;token=System%20softtoken;id=%00%01%02%03%04%05;object=server-key;type=private";

Actual results:
nginx: [emerg] unknown directive "manufacturer=SoftHSM%20project" in /usr/local/nginx/conf/nginx.conf:64

Expected results:
The key should have been loaded.

Additional info:
The issue seems to be that the character ';' is taken as a line delimiter even if it is within quotes. Escaping that character does not solve the issue either as the escaped string is provided directly into ENGINE_load_private_key.
Created attachment 1040926 [details]
Proposed patch

This patch seems to address the issue for me. I'm not familiar with the nginx codebase though, and it may not be appropriate. Note that while investigating this, I realized that nginx doesn't initialize the engine (that patch addresses that issue as well).
Most of the instructions given in that mailing list post you reference, should die. You shouldn't need to create an openssl.cnf to configure the engine. It should automatically load p11-kit-proxy.so as the default provider if no other is specified, which will Do The Right Thing. You can load it just with ENGINE_by_id("pkcs11"). We shouldn't require explicit configuration of the engine in the nginx config either — that 'ssl_engine pkcs11' shouldn't be needed. Whenever the "filename" for the key or cert are a PKCS#11 URI, that should be done transparently. See the patches I sent to fix wpa_supplicant along basically the same lines: http://lists.shmoo.com/pipermail/hostap/2014-December/031550.html
Created attachment 1040957 [details]
Patch set to support PKCS #11 URLs

This patch set simplifies the specification of PKCS #11 URLs. It allows directly specifying such a URL in the ssl_certificate_key field, as long as it is quoted. That is:
ssl_certificate_key "pkcs11:model=SoftHSM..."
This is in accordance with our guidelines: https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
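The following is an added illustration, not code from nginx, engine_pkcs11 or the attached patches. It shows the two things the thread turns on: recognising a key "filename" as an RFC 7512 PKCS #11 URI by its pkcs11: scheme and splitting it into percent-decoded attributes (the id attribute is binary, so it is kept as bytes), and why the engine:pkcs11:"..." form from the mailing-list instructions produced the exact "unknown directive" error quoted in the report: a tokenizer that terminates a statement at every ';' without regard to quotes hands "manufacturer=SoftHSM%20project" over as the name of the next directive. The naive splitter is a constructed stand-in for that behaviour, not a model of nginx's real parser; the sample URI is the one from the report.

```python
"""Recognise and parse a PKCS #11 URI (RFC 7512) as it would appear in nginx.conf.

Added example for this bug thread; it is not nginx, engine_pkcs11 or patch code.
"""
from urllib.parse import unquote_to_bytes

# Constructed sample: the URI from the bug report, as it would be given
# (quoted) to ssl_certificate_key after the proposed patch set.
SAMPLE_CONFIG_VALUE = (
    "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
    "serial=f0490bea351ba5b1;token=System%20softtoken;"
    "id=%00%01%02%03%04%05;object=server-key;type=private"
)

# Constructed sample: the failing line built from the mailing-list instructions.
LEGACY_CONFIG_LINE = 'ssl_certificate_key engine:pkcs11:"' + SAMPLE_CONFIG_VALUE + '";'


def is_pkcs11_uri(value: str) -> bool:
    """A key or cert 'filename' is a PKCS #11 URI when it carries the pkcs11:
    scheme (RFC 7512); a plain path such as /etc/pki/tls/private/x.key is not."""
    return value.lower().startswith("pkcs11:")


def _decode_pairs(section: str, separator: str) -> dict:
    """Split 'name=value' pairs on the given separator and percent-decode them.
    RFC 7512 forbids a duplicate attribute name, so that is rejected here."""
    attrs = {}
    for part in section.split(separator):
        if not part:
            continue
        name, sep, raw = part.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute: %r" % name)
        decoded = unquote_to_bytes(raw)
        # 'id' is the object's CKA_ID and is arbitrary binary; keep it as bytes.
        attrs[name] = decoded if name == "id" else decoded.decode("utf-8")
    return attrs


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the path attributes (';'-separated) merged with the query
    attributes ('&'-separated after '?', e.g. module-name, pin-source).
    The ';' separators are why the URI must be quoted as a whole in the
    configuration rather than spliced into a larger token."""
    if not is_pkcs11_uri(uri):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):]
    path, _, query = body.partition("?")
    attrs = _decode_pairs(path, ";")
    attrs.update(_decode_pairs(query, "&"))
    return attrs


def directive_names_split_on_semicolon(line: str) -> list:
    """Constructed stand-in for a statement splitter that ends a statement at
    every ';' regardless of quoting. The first word of each fragment is what
    such a splitter would take as the directive name."""
    names = []
    for stmt in line.split(";"):
        stmt = stmt.strip()
        if stmt:
            names.append(stmt.split()[0])
    return names


if __name__ == "__main__":
    for name, value in parse_pkcs11_uri(SAMPLE_CONFIG_VALUE).items():
        print("%-13s %r" % (name, value))
    # Second "directive" is the text the report's [emerg] message complains about.
    print(directive_names_split_on_semicolon(LEGACY_CONFIG_LINE))
```

Running the module prints the decoded attributes (model "SoftHSM v2", token "System softtoken", id b'\x00\x01\x02\x03\x04\x05', and so on) and then the list of would-be directive names, whose second entry is "manufacturer=SoftHSM%20project", matching the error in the report. With the quoted "pkcs11:..." form the whole URI is one value and is_pkcs11_uri() is all the configuration layer needs to decide to hand it to the engine instead of opening it as a file.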
A minimal patch was sent upstream: http://mailman.nginx.org/pipermail/nginx-devel/2015-June/007074.html
Jamie, please provide input. If you have no time to handle it, please provide me with access to address the issue after I coordinate with upstream.
Hi Nikos. Happy to add you as co-maintainer! Please request permissions on pkgdb and I'll approve.
I've applied for permissions.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.