mirror of
https://github.com/OpenVPN/openvpn.git
synced 2025-05-09 05:31:05 +08:00
3512e8d3ad
OpenSSL 3 has providers which can load keys and certificates from various key stores and HSMs using a provider-specific URI. While certificates are generally exportable, and some providers support a PEM file that acts as a proxy for non-exportable private keys, not all providers are expected to do so. A generic capability to read keys and certificates from URIs appears useful. This patch does this by extending the scope of the argument for "--key" and "--cert" options to include URIs. Many of OpenSSL 3 utilities also work the same way: e.g., the "-in" option for "openssl pkey" or "openssl x509" could be a filename or URI. Other applications have started emulating this behaviour: e.g., pkcs11: URI works as an alternative to a file name for certificates and keys in apache. Even for files, this has a nice side effect that non-PEM files get transparently parsed. E.g., a pkcs12 file could be used in place of a PEM file without needing any extra options. This is backward compatible as OpenSSL falls back to treating URIs with no scheme or unrecognized scheme as file names. Parsing of inlined keys and certificates is unchanged (those should be in PEM format). Specification of URIs that OpenSSL accepts depends on the providers that support them. Some are standard URIs such as "file:/path", but providers may support non-standard URIs with arbitrary scheme names. OpenSSL by itself recognizes only file URI. However, the implementation is agnostic to the URI specification as parsing is done by the provider that supports the URI. A new URI gets automatically recognized when the provider that supports it is loaded. Below are some usage examples: Relative or absolute path to a file or as a URI "file:/absolute/path": --key mykey.pem (same as what is currently supported) --key file:/path/to/mykey.pem --cert file:/path/to/mycert.pem Other file types supported by OpenSSL would also work: --key client.p12 --cert client.p12 pkcs11-provider supports "pkcs11:" URI (RFC 7512): --key pkcs11:token=Foo;id=%01 --cert pkcs11:token=Foo;id=%01 tpm2-provider recognizes a custom URI "handle:<hex>": --key handle:0x81000000 These examples assume that required providers, if any, are loaded and configured. v2: same as PR 591 but with the fixup commit that addresses review comments is squashed. Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Frank Lichtenheld <frank@lichtenheld.com> Message-Id: <20240906103734.36633-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html Signed-off-by: Gert Doering <gert@greenie.muc.de>