Merge r1830819, r1830912, r1830913, r1830927, r1831168, r1831173, r1835240, r1835242, r1835615, r1836547 from trunk:
mod_ssl: Add support for loading private keys from ENGINEs. Support
for PKCS#11 URIs only, and PIN entry is not threaded through
SSLPassPhraseDialog config yet.
* modules/ssl/ssl_util.c (modssl_is_engine_key): New function.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Use it, skip check for file existence for engine keys.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_pkey):
New function.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
For engine keys, load via modssl_load_engine_pkey.
* modules/ssl/ssl_util_ssl.c, modules/ssl/ssl_util_ssl.h:
Remove modssl_read_encrypted_pkey() and helpers, added in r1804087
but never used.
* modules/ssl/ssl_util_ssl.c (modssl_read_privatekey): Remove unused
second argument.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey): Adjust
accordingly.

Simplify the ssl_asn1_table API, remove abstraction (it is used only
to cache serialized EVP_PKEYs not any char * blobs), and document.
* modules/ssl/ssl_util.c (ssl_asn1_table_set): Take the EVP_PKEY and
serialize internally. Use ap_realloc. Return the ssl_asn1_t *
pointer. Don't call apr_hash_set() for unchanged pointer case.
* modules/ssl/ssl_engine_pphrase.c (ssl_load_encrypted_pkey):
Adjust for the above.
* modules/ssl/ssl_private.h: Adjust as above, add docs.

mod_ssl: Add support for loading TLS certificates through the PKCS#11
engine.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Renamed
from modssl_is_engine_key.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLCertificateKeyFile):
Adjust accordingly.
(ssl_cmd_SSLCertificateFile): Also allow ENGINE cert ids.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Rename from modssl_load_engine_key; load certificate if
cert id is passed.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Optionally
load the certificate from the engine as well.
* docs/manual/: Update manual.

* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Add error
logno. Free EVP_PKEY in engine case. Never try reading ECDH/DH
parameters from engine ids.

Hook up PKCS#11 PIN entry through configured passphrase entry method.
* modules/ssl/ssl_engine_pphrase.c: Add wrappers for OpenSSL UI * API
around passphrase entry.
(modssl_load_engine_keypair): Take vhost ID and use above rather than
default OpenSSL UI.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Pass vhost ID.
Submitted by: Anderson Sasaki <ansaski redhat.com>, jorton

* modules/ssl/ssl_engine_pphrase.c: Add logno tags.

* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Load
the engine associated with the private key (&cert) explicitly
rather than requiring the engine to be set as the default method
for all operations (with "SSLCryptoDevice <engine>").
(Thanks to Anderson Sasaki <ansasaki redhat.com> for suggested
improvement and guidance)

* modules/ssl/ssl_engine_pphrase.c: Fix linking against OpenSSL without
ENGINE support.

Submitted by: Anderson Sasaki <ansasaki redhat.com>, jorton
Reviewed by: jorton, jim, ylavic
Github: closes #92

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874196 13f79535-47bb-0310-9956-ffa450edef68