Dear list!

Author: S-P Chan <shihping.c...@gmail.com>
Number of patches: 1

This is an automated relay of the Github pull request:
   FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files

Patch title(s): 
   FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files

Link:
   https://github.com/haproxy/haproxy/pull/2493

Edit locally:
   wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch

Apply locally:
   curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -

Description:
   With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a
   specially formatted PEM stanza can be used to reference a PKCS#11
   URI to locate the private key.

   This PEM stanza can be used inside the crt file so that there is no
   change to the HAProxy config language.

   This works with OpenSSL 3 and pkcs11-provider after
   https://github.com/latchset/pkcs11-provider/commit/0806c3665 which
   added support for PKCS#11 URI-in-PEM.

   TODO: This PR works without forking (i.e., not in master-worker mode)
   as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in
   master-worker mode, we need to defer key loading to the child process.

   Format of PEM stanza:
   ```
   -----BEGIN PKCS#11 PROVIDER URI-----
   MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
   UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
   MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
   JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
   JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
   -----END PKCS#11 PROVIDER URI-----
   ```

   Parsed ASN.1:
   ```
       0:d=0  hl=3 l= 214 cons: SEQUENCE
       3:d=1  hl=2 l=  25 prim: VISIBLESTRING     :PKCS#11 Provider URI v1.0
      30:d=1  hl=3 l= 184 prim: UTF8STRING        :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
   ```

Instructions:
   This github pull request will be closed automatically; patch should be
   reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is
   invited to comment, even the patch's author. Please keep the author and
   list CCed in replies. Please note that in absence of any response this
   pull request will be lost.
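As an added worked example (not code from the pull request, from HAProxy or from pkcs11-provider), the following Python decodes the PEM stanza quoted in the description, checks that the DER inside has exactly the shape shown in the parsed ASN.1 dump (a SEQUENCE holding a VisibleString version marker followed by one UTF8String URI), and then goes one step further than the description by splitting the pkcs11: URI into its percent-decoded path attributes as defined in RFC 7512. The function names (parse_pkcs11_uri_stanza, pkcs11_path_attributes, _read_tlv) are my own; the sample input is the stanza from the description. Checking the PEM label, the version string and that nothing trails the URI before handing it to a provider is the kind of validation a loader wants, because a crt file is configuration and may be edited by people who never touch the HAProxy binary.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Sample input: the stanza quoted in the pull-request description.
SAMPLE_PEM = """-----BEGIN PKCS#11 PROVIDER URI-----
MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
"""

PEM_LABEL = "PKCS#11 PROVIDER URI"
EXPECTED_VERSION = "PKCS#11 Provider URI v1.0"   # VisibleString shown in the asn1parse dump

# DER universal tags that appear in the stanza
TAG_SEQUENCE = 0x30
TAG_UTF8STRING = 0x0C
TAG_VISIBLESTRING = 0x1A


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (e.g. 0x81 0xD6 -> 214)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def pem_to_der(pem: str) -> bytes:
    """Locate the PKCS#11 PROVIDER URI stanza and base64-decode its body."""
    pattern = (r"-----BEGIN " + re.escape(PEM_LABEL) + r"-----\s*(.*?)\s*-----END "
               + re.escape(PEM_LABEL) + r"-----")
    m = re.search(pattern, pem, re.S)
    if not m:
        raise ValueError("no PKCS#11 PROVIDER URI stanza found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def parse_pkcs11_uri_stanza(pem: str) -> str:
    """Return the pkcs11: URI carried by the stanza after checking its DER structure."""
    der = pem_to_der(pem)
    tag, seq, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag, version, pos = _read_tlv(seq, 0)
    if tag != TAG_VISIBLESTRING or version.decode("ascii") != EXPECTED_VERSION:
        raise ValueError("unexpected or missing version string")
    tag, uri, pos = _read_tlv(seq, pos)
    if tag != TAG_UTF8STRING or pos != len(seq):
        raise ValueError("expected exactly one UTF8String holding the URI")
    uri = uri.decode("utf-8")
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    return uri


def pkcs11_path_attributes(uri: str) -> dict:
    """Split the path component of a pkcs11: URI (RFC 7512) into percent-decoded attributes.

    Values are returned as bytes because attributes such as id carry raw binary
    (here a 20-byte CKA_ID) that is not valid UTF-8.
    """
    path = uri[len("pkcs11:"):].split("?", 1)[0]   # drop any query component
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        attrs[name] = unquote_to_bytes(value)
    return attrs


if __name__ == "__main__":
    uri = parse_pkcs11_uri_stanza(SAMPLE_PEM)
    print(uri)
    for name, value in pkcs11_path_attributes(uri).items():
        shown = value.hex() if name == "id" else value.decode("utf-8", "replace")
        print(f"  {name} = {shown}")
```

Run stand-alone, it prints the URI from the asn1parse dump and then each path attribute, with the id shown as hex rather than as the escaped bytes in the URI.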
