|
|
d64139 |
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
|
|
d64139 |
index 0a2f260..606b6e2 100644
|
|
|
d64139 |
--- a/src/event/ngx_event_openssl.c
|
|
|
d64139 |
+++ b/src/event/ngx_event_openssl.c
|
|
|
d64139 |
@@ -616,6 +616,71 @@ ngx_ssl_load_certificate(ngx_pool_t *pool, char **err, ngx_str_t *cert,
|
|
|
d64139 |
X509 *x509, *temp;
|
|
|
d64139 |
u_long n;
|
|
|
d64139 |
|
|
|
d64139 |
+ if (ngx_strncmp(cert->data, "engine:", sizeof("engine:") - 1) == 0) {
|
|
|
d64139 |
+
|
|
|
d64139 |
+#ifndef OPENSSL_NO_ENGINE
|
|
|
d64139 |
+
|
|
|
d64139 |
+ u_char *p, *last;
|
|
|
d64139 |
+ ENGINE *engine;
|
|
|
d64139 |
+
|
|
|
d64139 |
+ p = cert->data + sizeof("engine:") - 1;
|
|
|
d64139 |
+ last = (u_char *) ngx_strchr(p, ':');
|
|
|
d64139 |
+
|
|
|
d64139 |
+ if (last == NULL) {
|
|
|
d64139 |
+ *err = "invalid syntax";
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
+ *last = '\0';
|
|
|
d64139 |
+
|
|
|
d64139 |
+ engine = ENGINE_by_id((char *) p);
|
|
|
d64139 |
+
|
|
|
d64139 |
+ if (engine == NULL) {
|
|
|
d64139 |
+ *err = "ENGINE_by_id() failed";
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
+ if (!ENGINE_init(engine)) {
|
|
|
d64139 |
+ *err = "ENGINE_init() failed";
|
|
|
d64139 |
+ ENGINE_free(engine);
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
+ *last++ = ':';
|
|
|
d64139 |
+
|
|
|
d64139 |
+ struct {
|
|
|
d64139 |
+ const char *cert_id;
|
|
|
d64139 |
+ X509 *cert;
|
|
|
d64139 |
+ } params = { (char *) last, NULL };
|
|
|
d64139 |
+
|
|
|
d64139 |
+ if (!ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, ¶ms, NULL, 1)) {
|
|
|
d64139 |
+ *err = "ENGINE_ctrl_cmd() failed - Unable to get the certificate";
|
|
|
d64139 |
+ ENGINE_free(engine);
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
+ ENGINE_finish(engine);
|
|
|
d64139 |
+ ENGINE_free(engine);
|
|
|
d64139 |
+
|
|
|
d64139 |
+ /* set chain to null */
|
|
|
d64139 |
+
|
|
|
d64139 |
+ *chain = sk_X509_new_null();
|
|
|
d64139 |
+ if (*chain == NULL) {
|
|
|
d64139 |
+ *err = "sk_X509_new_null() failed";
|
|
|
d64139 |
+ X509_free(params.cert);
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
+ return params.cert;
|
|
|
d64139 |
+
|
|
|
d64139 |
+#else
|
|
|
d64139 |
+
|
|
|
d64139 |
+ *err = "loading \"engine:...\" certificate is not supported";
|
|
|
d64139 |
+ return NULL;
|
|
|
d64139 |
+
|
|
|
d64139 |
+#endif
|
|
|
d64139 |
+ }
|
|
|
d64139 |
+
|
|
|
d64139 |
if (ngx_strncmp(cert->data, "data:", sizeof("data:") - 1) == 0) {
|
|
|
d64139 |
|
|
|
d64139 |
bio = BIO_new_mem_buf(cert->data + sizeof("data:") - 1,
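Review bot: The `ENGINE_ctrl_cmd()` failure branch releases the engine with `ENGINE_free(engine)` only, although `ENGINE_init()` has already succeeded by then, so the functional reference taken by init is never dropped; the success path calls both `ENGINE_finish()` and `ENGINE_free()`. Add `ENGINE_finish(engine);` before `ENGINE_free(engine);` in that branch. If this loader can be reached with certificate names evaluated per connection (not visible in this hunk), every failed lookup would leave an engine reference behind. `params.cert` is also returned unchecked, so an engine that reports success but leaves the pointer NULL makes the function return NULL with `*err` unset; a guard such as `if (params.cert == NULL) { *err = "engine returned no certificate"; return NULL; }` before `sk_X509_new_null()` would cover that. The body of ngx_ssl_load_certificate starts before and continues after this hunk.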
|