[PATCH 3 of 4] Tests: loading keys from libp11 pkcs11prov provider

Maxim Dounin mdounin at mdounin.ru
Sat Oct 4 12:22:40 UTC 2025


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1759580289 -10800
#      Sat Oct 04 15:18:09 2025 +0300
# Node ID a940924b9f40b94a9f0e064c763ade4cc02268ae
# Parent  38338626b7c2526ff6cc2ea0ea38b934b4fdb21e
Tests: loading keys from libp11 pkcs11prov provider.

diff --git a/ssl_engine_keys.t b/ssl_store_libp11.t
copy from ssl_engine_keys.t
copy to ssl_store_libp11.t
--- a/ssl_engine_keys.t
+++ b/ssl_store_libp11.t
@@ -4,7 +4,8 @@
 # (C) Sergey Kandaurov
 # (C) Nginx, Inc.
 
-# Tests for http ssl module, loading "engine:..." keys.
+# Tests for http ssl module, loading "store:..." certificates and keys
+# from libp11 pkcs11prov OpenSSL provider (https://github.com/OpenSC/libp11).
 
 ###############################################################################
 
@@ -32,7 +33,7 @@ my $t = Test::Nginx->new()
 	->has_daemon('softhsm2-util')
 	->has_daemon('pkcs11-tool');
 
-plan(skip_all => 'no engine:... keys')
+plan(skip_all => 'no store:... keys')
 	unless $t->has_module('OpenSSL') and !$t->has_module('BoringSSL');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
@@ -52,8 +53,8 @@ http {
         listen       127.0.0.1:8080;
         server_name  localhost;
 
-        ssl_certificate localhost.crt;
-        ssl_certificate_key engine:pkcs11:id_00;
+        ssl_certificate store:pkcs11:object=cert-localhost;
+        ssl_certificate_key store:pkcs11:object=key0;
 
         location / {
             # index index.html by default
@@ -74,8 +75,8 @@ http {
         listen       127.0.0.1:8082 ssl;
         server_name  localhost;
 
-        ssl_certificate $ssl_server_name.crt;
-        ssl_certificate_key engine:pkcs11:id_00;
+        ssl_certificate store:pkcs11:object=cert-$ssl_server_name;
+        ssl_certificate_key store:pkcs11:object=key0;
 
         location / {
             # index index.html by default
@@ -86,11 +87,15 @@ http {
 EOF
 
 # Create a SoftHSM token with a secret key, and configure OpenSSL
-# to access it using the pkcs11 engine, see detailed example
+# to access it using the libp11 pkcs11prov provider.  See detailed example
 # posted by Dmitrii Pichulin here:
 #
 # http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
 #
+# Adapted to provider usage based on libp11 documentation, see here:
+#
+# https://github.com/OpenSC/libp11
+#
 # Note that library paths are different on different systems.  We try
 # to detect some known ones.
 #
@@ -98,12 +103,12 @@ EOF
 # building nginx, or the "openssl" tool in path, so everything will fail.
 # As such, this test is marked unsafe.
 
-# Libraries on various systems: FreeBSD, Alpine, Ubuntu
+# Libraries on various systems: FreeBSD, Alpine, Debian
 
-my ($engine) = grep { -e $_ } qw!
-	/usr/local/lib/engines/pkcs11.so
-	/usr/lib/engines-3/pkcs11.so
-	/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
+my ($provider) = grep { -e $_ } qw!
+	/usr/local/lib/ossl-modules/pkcs11prov.so
+	/usr/lib/ossl-modules/pkcs11prov.so
+	/usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11prov.so
 !;
 
 my ($softhsm) = grep { -e $_ } qw!
@@ -112,24 +117,29 @@ my ($softhsm) = grep { -e $_ } qw!
 	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
 !;
 
-plan(skip_all => 'no libp11 pkcs11 engine') unless $engine;
+plan(skip_all => 'no libp11 pkcs11prov provider') unless $provider;
 plan(skip_all => 'no softhsm2') unless $softhsm;
 
 $t->write_file('openssl.conf', <<EOF);
 openssl_conf = openssl_def
 
 [openssl_def]
-engines = engine_section
+providers = provider_sect
 
-[engine_section]
-pkcs11 = pkcs11_section
+[provider_sect]
+default = default_sect
+pkcs11 = pkcs11_sect
 
-[pkcs11_section]
-engine_id = pkcs11
-dynamic_path = $engine
-MODULE_PATH = $softhsm
-init = 1
-PIN = 1234
+[default_sect]
+activate = 1
+
+[pkcs11_sect]
+identity = pkcs11prov
+module = $provider
+pkcs11_module = $softhsm
+debug_level = 2
+pin = 1234
+activate = 1
 
 [ req ]
 default_bits = 2048
@@ -165,9 +175,16 @@ foreach my $name ('localhost') {
 
 	system('openssl req -x509 -new '
 		. "-subj /CN=$name/ -out $d/$name.crt -text "
-		. "-engine pkcs11 -keyform engine -key id_00 "
+		. "-key pkcs11:object=key0 "
 		. ">>$d/openssl.out 2>&1") == 0
 		or die "Can't create certificate for $name: $!\n";
+
+	system('pkcs11-tool '
+		. "--module=$softhsm "
+		. '--token-label token0 --pin 1234 --login '
+		. "--write-object $d/$name.crt --type cert --label cert-$name "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't store certificate to pkcs11 token: $!\n";
 }
 
 $t->run()->plan(2);
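Review bot: The `die` in the new pkcs11-tool block reports `$!`, but when `system` returns a non-zero exit status `$!` only holds whatever the last failed syscall left behind, not why the tool failed; the exit status is in `$?` (exit code in `$? >> 8`). Using `or die "Can't store certificate to pkcs11 token: $?\n";` gives a usable diagnostic, and the same pattern appears on the unchanged `openssl req` line above it, which may be worth aligning while the block is touched. Details of the tool's own output are appended to `$d/openssl.out`, so the message could also point the reader there. The enclosing `foreach my $name ('localhost')` block starts outside the hunk.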
@@ -176,7 +193,7 @@ foreach my $name ('localhost') {
 
 ###############################################################################
 
-like(http_get('/proxy'), qr/200 OK/, 'ssl engine keys');
+like(http_get('/proxy'), qr/200 OK/, 'ssl store libp11 pkcs11prov');
 like(http_get('/var'), qr/200 OK/, 'ssl_certificate with variable');
 
 ###############################################################################


