Add support to use keys and certificates from PKCS#11 provider #15587

Closed

Conversation

@Jakuje (Contributor)
@Jakuje Jakuje commented Nov 15, 2024

In OpenSSL < 3.0, the modularity was provided by a mechanism called "engines". This is supported in curl, but the engines got deprecated with OpenSSL 3.0 in favor of more versatile providers.

This adds support for OpenSSL providers to use PKCS#11 keys, namely through the pkcs11 provider (https://github.com/latchset/pkcs11-provider). This is done using a similar approach as the engines, and it is automatically built in when OpenSSL 3 or newer is used.

Tested locally with the same steps we had for the engines (just with the new OpenSSL and pkcs11-provider installed) and the basic tests worked fine. I can add some more extensive ones if needed.
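For readers who want to reproduce the setup the description refers to: before curl (or any OpenSSL 3 application) can use a PKCS#11 key through pkcs11-provider, OpenSSL has to be told to load that provider. The following openssl.cnf fragment is an added example and is not part of this pull request or of the curl project; the module paths are assumptions for a Fedora-style layout with SoftHSM as the PKCS#11 module, and must be adjusted to the local installation. The `module`, `pkcs11-module-path` and `activate` keys are the ones documented by pkcs11-provider; `default` must stay activated because the pkcs11 provider only handles the key operations, not the rest of TLS.

```ini
# Added example openssl.cnf fragment (not from this PR). Paths below are assumptions.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active: it supplies the ciphers, digests and
# TLS key exchange that the pkcs11 provider does not implement.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# OpenSSL-side provider module (pkcs11-provider), assumed install path.
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 module that talks to the token; SoftHSM here as an assumption,
# replace with the vendor's library for a real HSM or smart card.
pkcs11-module-path = /usr/lib64/pkcs11/libsofthsm2.so
activate = 1
```

Once this configuration is in effect (via the default openssl.cnf or `OPENSSL_CONF`), `openssl list -providers` should show both `default` and `pkcs11` as active, and a key referenced by a `pkcs11:` URI can be loaded through the OSSL_STORE API without any engine; that is the path the provider support in this pull request builds on.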

@Jakuje force-pushed the pkcs11-provider branch 4 times, most recently from fbd381a to dff373e (November 15, 2024 14:25)

@testclutch

Analysis of PR #15587 at dff373e6:

Test 1478 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 91 different CI jobs (the link just goes to one of them).

Generated by Testclutch

@Jakuje force-pushed the pkcs11-provider branch 7 times, most recently from 59ed6b6 to e38ad12 (November 18, 2024 13:24)
@Jakuje marked this pull request as ready for review November 18, 2024 13:34
@bagder self-requested a review December 2, 2024 20:35
@Jakuje force-pushed the pkcs11-provider branch 2 times, most recently from 1076a74 to a8a79ad (December 17, 2024 13:33)

@Jakuje (Contributor, Author)
Jakuje commented Dec 17, 2024

Seems like the Windows build issue is resolved now. The test "Linux HTTP/3 / AM openssl-quic (pull_request)", failing after 3m, looks flaky -- it worked in the previous version and the failure does not look related to anything I was changing.

Review comments (outdated, resolved): lib/urldata.h, docs/libcurl/opts/CURLOPT_SSLKEYTYPE.md

Commit message:
In OpenSSL < 3.0, the modularity was provided by mechanism
called "engines". This is supported in curl, but the engines
got deprecated with OpenSSL 3.0 in favor of more versatile
providers.

This adds support for OpenSSL Providers, to use PKCS#11
keys, namely through the pkcs11 provider. This is done using
a similar approach as the engines and this is automatically built
in when OpenSSL 3 or newer is used.

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
@bagder added the feature-window label (a merge of this requires an open feature window) Jan 1, 2025
@bagder closed this in 999cc81 Jan 1, 2025

@bagder (Member)

bagder commented Jan 1, 2025

Thanks!

Labels: cmdline tool, feature-window (a merge of this requires an open feature window), libcurl API