
tls_wrap does not forward privateKeyEngine and privateKeyIdentifier to tls.createSecureContext() on Server opening #3094

Closed
BenBaratte opened this issue Nov 25, 2020 · 2 comments

Comments

@BenBaratte

  • Node.js Version: 14.15.1
  • OS: Linux Kali over WSL1
  • Scope (install, code, runtime, meta, other?): code
  • Module (and version) (if relevant): nodejs core

In the options passed to the https.createServer() function, all parameters are forwarded to tls.createSecureContext().
The issue is that in _tls_wrap.js, Server.prototype.setSecureContext() explicitly logs the options structure before forwarding it to tls.createSecureContext().
There are 2 options that are managed by tls.createSecureContext() that are not forwarded:
privateKeyEngine, privateKeyIdentifier

The impact is that the https server cannot use an OpenSSL engine to manage the server private key.

Here is a basic example:

const fs = require('fs')
const https = require('https')

// OpenSSL PKCS#11 engine (libp11) as shipped on this Debian/Kali system
const engine_path = '/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so'

const server = https.createServer({
  maxVersion: 'TLSv1.2',
  minVersion: 'TLSv1.2',
  // The private key is not given as PEM: it stays inside the engine/HSM
  // and is referenced by engine path + key identifier.
  privateKeyEngine: engine_path,
  privateKeyIdentifier: '0',
  cert: fs.readFileSync('server.pem'),
  ciphers: 'ECDHE-ECDSA-AES128-GCM-SHA256',
  enableTrace: true,
  sigalgs: 'ECDSA+SHA256',
  ecdhCurve: 'P-256:P-384',
})
.listen(3000, function () {
  console.log('Example app listening on port 3000! Go to https://localhost:3000/')
})

The output with the official release is:

Example app listening on port 3000! Go to https://localhost:3000/

With a small patch to Server.prototype.setSecureContext(), I have the following output:

bad engine id
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
_tls_common.js:182
c.context.setEngineKey(privateKeyIdentifier, privateKeyEngine);
^

Error: error:80067065:pkcs11 engine:ctx_load_privkey:object not found
at Object.createSecureContext (_tls_common.js:182:19)
at Server.setSecureContext (_tls_wrap.js:1332:27)
at Server (_tls_wrap.js:1181:8)
at new Server (https.js:66:14)
at Object.createServer (https.js:91:10)
at Object.<anonymous> (/home/ben/node-v14.15.1-linux-x64/testproj/express_engine.js:7:20)
at Module._compile (internal/modules/cjs/loader.js:1063:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
at Module.load (internal/modules/cjs/loader.js:928:32)
at Function.Module._load (internal/modules/cjs/loader.js:769:14) {
opensslErrorStack: [
'error:26096080:engine routines:ENGINE_load_private_key:failed loading private key'
],
library: 'pkcs11 engine',
function: 'ctx_load_privkey',
reason: 'object not found',
code: 'ERR_OSSL_USER_OBJECT_NOT_FOUND'
}

I expect this error, as the engine is indeed called by the https.createServer() function.

I made this example so everyone can reproduce the issue.

For my testing, I'm using a proprietary OpenSSL engine and I'm able to authenticate the server thanks to the HSM private key.

Thanks,

Ben

@gireeshpunathil
Member

let us see if @nodejs/crypto can help

@BenBaratte
Author

This point has been addressed with the pull request nodejs/node#36416

We can close this discussion.

Best Regards,

Ben
