Interesting about the TPM2 stuff - it has implemented a store loader for "TSS2 PRIVATE KEY" stanza.

Since PEM is new to pkcs11-provider it may not have implemented a store loader yet (i.e. not PEM_bio_read_PrivateKey ready), hence this PR uses store directly. I will check with pkcs11-provider whether they can implement a store loader.

Re current MWORKER problem (before any solution in 3.1!) - [RFC] Delayed private key loading:

- check if we are in MWORKER mode, then skip EVP_PKEY loading in master for all PKCS#11 keys. Hmmm - how to identify such keys? Maybe .crt file has a first line "key-type = PKCS#11"
- in child process: create a map based on SSL_CTX *pointer and just-in-time load private key when needed at SSL_set_SSL_CTX; does the child process have access to bind_conf/ssl_bind_conf so it can find the crt file name? Otherwise, cache the SSL_CTX* -> crt (or key) filename in master before fork()

WDYT?

Thanks
S-P

On Thu, 21 Mar 2024 at 00:15, William Lallemand <wlallem...@haproxy.com> wrote:
> On Wed, Mar 20, 2024 at 06:23:03AM +0000, PR Bot wrote:
> > Subject: [PR] FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> >
> > Dear list!
> >
> > Author: S-P Chan <shihping.c...@gmail.com>
> > Number of patches: 1
> >
> > This is an automated relay of the Github pull request:
> > FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> >
> > Patch title(s):
> > FEATURE: load private keys from PKCS#11 pkcs11-provider PEM files
> >
> > Link:
> > https://github.com/haproxy/haproxy/pull/2493
> >
> > Edit locally:
> > wget https://github.com/haproxy/haproxy/pull/2493.patch && vi 2493.patch
> >
> > Apply locally:
> > curl https://github.com/haproxy/haproxy/pull/2493.patch | git am -
> >
> > Description:
> > With pkcs11-provider (https://github.com/latchset/pkcs11-provider) a specially formatted PEM stanza can be used to reference a PKCS#11 URI to locate the private key.
> >
> > This PEM stanza can be used inside the crt file so that there is no change to the HAProxy config language.
> >
> > This works with OpenSSL 3 and pkcs11-provider after https://github.com/latchset/pkcs11-provider/commit/0806c3665 which added support for PKCS#11 URI-in-PEM.
> >
> > TODO: This PR works without forking (i.e., not in master-worker mode) as PKCS#11 drivers are fragile after fork. To use PKCS#11 keys in master-worker mode, we need to defer key loading to the child process.
> >
> > Format of PEM stanza:
> > ```
> > -----BEGIN PKCS#11 PROVIDER URI-----
> > MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
> > UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
> > MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
> > JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
> > JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
> > -----END PKCS#11 PROVIDER URI-----
> > ```
> >
> > Parsed ASN.1:
> > ```
> > 0:d=0 hl=3 l= 214 cons: SEQUENCE
> > 3:d=1 hl=2 l= 25 prim: VISIBLESTRING :PKCS#11 Provider URI v1.0
> > 30:d=1 hl=3 l= 184 prim: UTF8STRING :pkcs11:model=NSS%203;manufacturer=Mozilla%20Foundation;serial=0000000000000000;token=NSS%20Certificate%20DB;id=%73%49%55%1A%32%AE%8C%B0%45%49%03%DC%A8%04%84%9E%B4%9F%41%AE;type=private
> > ```
> >
> > Instructions:
> > This github pull request will be closed automatically; patch should be reviewed on the haproxy mailing list (haproxy@formilux.org). Everyone is invited to comment, even the patch's author. Please keep the author and list CCed in replies. Please note that in absence of any response this pull request will be lost.
> >
>
> Hello,
>
> Thank you for your contribution, I'm surprised this is not already working with the current code.
>
> We made test in the past with the TPM2 provider which also uses a URI in the privatekey:
>
> https://github.com/haproxy/wiki/wiki/OpenSSL-Providers-in-HAProxy#tpm2-provider
>
> Do you have any specific configuration for HAProxy?
>
> Regards,
>
> --
> William Lallemand
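An added example (not code from the PR, HAProxy or pkcs11-provider) showing how the "PKCS#11 PROVIDER URI" stanza quoted in the PR is decoded: it base64-decodes the PEM body, walks the two-element DER SEQUENCE (VISIBLESTRING version label, UTF8STRING URI) that asn1parse showed, rejects anything else, and splits the pkcs11: URI into percent-decoded attributes. It uses only the Python standard library; the stanza bytes are the ones quoted in the thread, embedded here as test input.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# The stanza quoted in the PR description, embedded here as sample input.
STANZA = """-----BEGIN PKCS#11 PROVIDER URI-----
MIHWGhlQS0NTIzExIFByb3ZpZGVyIFVSSSB2MS4wDIG4cGtjczExOm1vZGVsPU5T
UyUyMDM7bWFudWZhY3R1cmVyPU1vemlsbGElMjBGb3VuZGF0aW9uO3NlcmlhbD0w
MDAwMDAwMDAwMDAwMDAwO3Rva2VuPU5TUyUyMENlcnRpZmljYXRlJTIwREI7aWQ9
JTczJTQ5JTU1JTFBJTMyJUFFJThDJUIwJTQ1JTQ5JTAzJURDJUE4JTA0JTg0JTlF
JUI0JTlGJTQxJUFFO3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
"""

LABEL = "PKCS#11 PROVIDER URI"
VERSION = "PKCS#11 Provider URI v1.0"   # VISIBLESTRING shown by asn1parse in the PR

def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form, e.g. 0x81 0xd6 -> 214 bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_pkcs11_uri_pem(pem):
    """Return the pkcs11: URI string; raise ValueError if the stanza is malformed."""
    pat = r"-----BEGIN %s-----(.*?)-----END %s-----" % (re.escape(LABEL), re.escape(LABEL))
    m = re.search(pat, pem, re.S)
    if not m:
        raise ValueError("no %s stanza" % LABEL)
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, seq, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):   # SEQUENCE must span the whole body
        raise ValueError("outer element is not a SEQUENCE covering the body")
    tag, ver, pos = der_tlv(seq, 0)
    if tag != 0x1A or ver.decode("ascii") != VERSION:   # VISIBLESTRING
        raise ValueError("unexpected version label")
    tag, uri, pos = der_tlv(seq, pos)
    if tag != 0x0C or pos != len(seq):                  # UTF8STRING, last element
        raise ValueError("expected a single UTF8STRING URI")
    uri = uri.decode("utf-8")
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    return uri

def uri_attributes(uri):
    """Split the pkcs11: path part into a dict; values are percent-decoded bytes."""
    path = uri[len("pkcs11:"):].split("?", 1)[0]        # query attrs (after '?') ignored
    return {k: unquote_to_bytes(v)
            for k, v in (a.split("=", 1) for a in path.split(";") if a)}
```

Only a locator is stored here, never key material, so a crt file carrying this stanza is safe to version and inspect; the `id` and `token` attributes are what to match against the HSM or softtoken inventory when auditing which key a bind line actually uses.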