Skip to content

RFC: support for HSM private keys in TLS handshake #28973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
OYTIS wants to merge 3 commits into from
Closed

RFC: support for HSM private keys in TLS handshake #28973

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
970c366
tls: add an option for keys in OpenSSL engines
OYTIS Aug 5, 2019
3dae10a
tls: test for 'privateKeyEngine' and 'privateKeyIdentifier'
OYTIS Sep 12, 2019
ea21407
tls: add cleanup for private key engine
OYTIS Sep 20, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
tls: test for 'privateKeyEngine' and 'privateKeyIdentifier' 
Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>
  • Loading branch information
@OYTIS
OYTIS committed Sep 26, 2019
commit 3dae10a7653d37821fa2305ca063c66ed5ab27fd
25 changes: 25 additions & 0 deletions test/addons/openssl-key-engine/binding.gyp
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
{
'targets': [
{
'target_name': 'testkeyengine',
'type': 'none',
'includes': ['../common.gypi'],
'conditions': [
['OS=="mac" and '
'node_use_openssl=="true" and '
'node_shared=="false" and '
'node_shared_openssl=="false"', {
'type': 'shared_library',
'sources': [ 'testkeyengine.cc' ],
'product_extension': 'engine',
'include_dirs': ['../../../deps/openssl/openssl/include'],
'link_settings': {
'libraries': [
'../../../../out/<(PRODUCT_DIR)/<(openssl_product)'
]
},
}],
]
}
]
}
62 changes: 62 additions & 0 deletions test/addons/openssl-key-engine/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
'use strict';
const common = require('../../common');
const fixture = require('../../common/fixtures');

if (!common.hasCrypto)
common.skip('missing crypto');

const fs = require('fs');
const path = require('path');

const engine = path.join(__dirname,
`/build/${common.buildType}/testkeyengine.engine`);

if (!fs.existsSync(engine))
common.skip('no client cert engine');

const assert = require('assert');
const https = require('https');

const agentKey = fs.readFileSync(fixture.path('/keys/agent1-key.pem'));
const agentCert = fs.readFileSync(fixture.path('/keys/agent1-cert.pem'));
const agentCa = fs.readFileSync(fixture.path('/keys/ca1-cert.pem'));

const serverOptions = {
key: agentKey,
cert: agentCert,
ca: agentCa,
requestCert: true,
rejectUnauthorized: true
};

const server = https.createServer(serverOptions, common.mustCall((req, res) => {
res.writeHead(200);
res.end('hello world');
})).listen(0, common.localhostIPv4, common.mustCall(() => {
const clientOptions = {
method: 'GET',
host: common.localhostIPv4,
port: server.address().port,
path: '/test',
privateKeyEngine: engine,
privateKeyIdentifier: 'dummykey',
cert: agentCert,
rejectUnauthorized: false, // Prevent failing on self-signed certificates
headers: {}
};

const req = https.request(clientOptions, common.mustCall(function(response) {
let body = '';
response.setEncoding('utf8');
response.on('data', function(chunk) {
body += chunk;
});

response.on('end', common.mustCall(function() {
assert.strictEqual(body, 'hello world');
server.close();
}));
}));

req.end();
}));
73 changes: 73 additions & 0 deletions test/addons/openssl-key-engine/testkeyengine.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
#include <assert.h>
#include <string.h>
#include <stdlib.h>

#include <openssl/engine.h>
#include <openssl/pem.h>

#include <fstream>
#include <iterator>
#include <string>

#ifndef ENGINE_CMD_BASE
# error did not get engine.h
#endif

#define TEST_ENGINE_ID "testkeyengine"
#define TEST_ENGINE_NAME "dummy test key engine"

#define PRIVATE_KEY "test/fixtures/keys/agent1-key.pem"

namespace {

int EngineInit(ENGINE* engine) {
return 1;
}

int EngineFinish(ENGINE* engine) {
return 1;
}

int EngineDestroy(ENGINE* engine) {
return 1;
}

std::string LoadFile(const char* filename) {
std::ifstream file(filename);
return std::string(std::istreambuf_iterator<char>(file),
std::istreambuf_iterator<char>());
}

static EVP_PKEY* EngineLoadPrivkey(ENGINE* engine, const char* name,
UI_METHOD* ui_method, void* callback_data) {
if (strcmp(name, "dummykey") == 0) {
std::string key = LoadFile(PRIVATE_KEY);
BIO* bio = BIO_new_mem_buf(key.data(), key.size());
EVP_PKEY* ret = PEM_read_bio_PrivateKey(bio, nullptr, nullptr, nullptr);

BIO_vfree(bio);
if (ret != nullptr) {
return ret;
}
}

return nullptr;
}

int bind_fn(ENGINE* engine, const char* id) {
ENGINE_set_id(engine, TEST_ENGINE_ID);
ENGINE_set_name(engine, TEST_ENGINE_NAME);
ENGINE_set_init_function(engine, EngineInit);
ENGINE_set_finish_function(engine, EngineFinish);
ENGINE_set_destroy_function(engine, EngineDestroy);
ENGINE_set_load_privkey_function(engine, EngineLoadPrivkey);

return 1;
}

extern "C" {
IMPLEMENT_DYNAMIC_CHECK_FN();
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn);
}

} // anonymous namespace