-keyform ENG and NodeJS


-keyform ENG and NodeJS

Erik Madsen
I am using a Hardware Security Module.  Both s_client and cURL work fine
because we can use the CLI "-keyform ENG" for s_client and "--key-type
ENG" for curl.

Is it possible to specify this in the openssl.cnf file instead of the CLI?

For testing this, the following works:

openssl s_client -connect host:port -engine engineSO -keyform ENG -cert
/path/to/signed/cert


If we can do like this:

OPENSSL_CONF=openssl.cnf openssl s_client -connect host:port -engine
engineSO -cert /path/to/signed/cert (removed the -keyform)

I think it will work fine.


Any help greatly appreciated


Re: -keyform ENG and NodeJS

Viktor Dukhovni
On Sun, Jun 02, 2019 at 05:49:10PM -0700, Erik Madsen wrote:

> I am using a Hardware Security Module.  Both s_client and cURL work fine
> because we can use the CLI "-keyform ENG" for s_client and "--key-type
> ENG" for curl.
>
> Is it possible to specify this in the openssl.cnf file instead of the CLI?

You could be a bit more explicit about whether this is a TLS or some
other application.  Configuration is "module"-specific.

> For testing this, the following works:
>
> openssl s_client -connect host:port -engine engineSO -keyform ENG -cert
> /path/to/signed/cert
>
>
> If we can do like this:
>
> OPENSSL_CONF=openssl.cnf openssl s_client -connect host:port -engine
> engineSO -cert /path/to/signed/cert (removed the -keyform)
>
> I think it will work fine.

I don't believe that the SSL "conf module" presently supports a
"command" that allows you to specify the "keyform" of a private key
file.  It has a "PrivateKey" "command", but this appears to be
unconditionally limited to PEM.

If anyone else knows otherwise, corrections welcome

--
        Viktor.
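For readers who want to try the OPENSSL_CONF route discussed above, here is an added example openssl.cnf (not posted by anyone in this thread) that loads the HSM engine through the configuration file's engine module. "engineSO" is the placeholder engine name from the thread; the `dynamic_path` value is an assumed placeholder. It illustrates Viktor's point as well: the `ssl_conf` module can set defaults such as the minimum protocol version, but its `PrivateKey` command only reads PEM files, so an engine-resident key still has to be selected with `-keyform ENG` (or `--key-type ENG` in curl) rather than from the config.

```ini
# Added example, not from the thread. Loads the HSM engine from openssl.cnf.
# "engineSO" is the placeholder engine id used in the thread; dynamic_path is
# an assumed placeholder for the engine shared object.
openssl_conf = openssl_init

[openssl_init]
engines  = engine_section
ssl_conf = ssl_section

[engine_section]
hsm = hsm_section

[hsm_section]
engine_id    = engineSO
dynamic_path = /path/to/engineSO.so
# init = 1 initialises the engine as soon as the config is loaded, so a
# mis-configured engine path fails early rather than at the first TLS handshake.
init         = 1

[ssl_section]
system_default = ssl_defaults

[ssl_defaults]
# Commands here are applied to every new SSL_CTX. Note that the ssl_conf
# "PrivateKey" command only accepts a PEM file; there is no command that sets
# the key format to ENG, which is why -keyform ENG is still needed on the CLI.
MinProtocol = TLSv1.2
```

With this file, `OPENSSL_CONF=openssl.cnf openssl engine -c` is a quick way to check that the engine section actually loads before trying s_client; the s_client invocation from the thread still needs `-keyform ENG` for the key itself.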

Re: -keyform ENG and NodeJS

Erik Madsen
Sorry about that

It is TLS, and we want a root of trust from a non-exportable, non-readable private key on the Hardware Security Module.

By explicitly adding "-keyform ENG" s_client works perfectly.

And with cURL "--key-type ENG" also works.

The NodeJS crypto module has setEngine, but there's no option for passing keyform.

I requested this from the NodeJS team as well, but if we can do something to tell openssl "keyform is always ENG", I think maybe that would work.

From: Viktor Dukhovni
Sent: Sun Jun 02 18:35:37 PDT 2019
To: [hidden email]
Subject: Re: -keyform ENG and NodeJS


Re: -keyform ENG and NodeJS

Viktor Dukhovni


> On Jun 2, 2019, at 9:47 PM, Erik Madsen <[hidden email]> wrote:
>
> It is TLS, and we want a root of trust from a non-exportable, non-readable private key on the Hardware Security Module.
>
> By explicitly adding "-keyform ENG" s_client works perfectly.
>
> And with cURL "--key-type ENG" also works
>
> The NodeJS crypto module has setEngine, but there's no option for passing keyform.
>
> I requested this from the NodeJS team as well, but if we can do something to tell openssl "keyform is always ENG", I think maybe that would work.

If nobody on the list finds something I missed, a feature
request on Github is the next step, or you could do that
right away.

[ Some on the team prefer to track issues on Github from
the outset; I prefer to resolve routine questions on the
list, and move to Github when it is clear that developer
action will be needed to resolve the issue. The workflow
preference is a matter of taste... ]

--
        Viktor.


Re: -keyform ENG and NodeJS

Erik Madsen
Here is a more detailed explanation of how NodeJS is failing... I posted in November, but we are close to production, so we are scrambling to find solutions.

Thanks so much for the help.

From: Viktor Dukhovni
Sent: Sun Jun 02 19:14:29 PDT 2019
To: "[hidden email]"
Subject: Re: -keyform ENG and NodeJS
