Perfect your code
With built-in code review tools, GitHub makes it easy to raise the quality bar before you ship. Join the 40 million developers who've merged over 200 million pull requests.
Sign up for free See pricing for teams and enterprisesRFC: support for HSM private keys in TLS handshake #28973
Conversation
nodejs-github-bot
added
C++
lib / src
labels
Aug 5, 2019
OYTIS
force-pushed the
OYTIS:hsm_keys
branch
2 times, most recently
from
b020c1b
to
33cf16f
Aug 5, 2019
This comment has been minimized.
This comment has been minimized.
|
Needs documentation and a unit test |
jasnell
added
crypto
semver-minor
tls
labels
Aug 7, 2019
This comment has been minimized.
This comment has been minimized.
tniessen
reviewed
Aug 8, 2019
lib/_tls_common.js Outdated
lib/_tls_common.js Outdated
lib/_tls_common.js Outdated
lib/_tls_common.js Outdated
lib/_tls_common.js Outdated
src/node_crypto.cc Outdated
src/node_crypto.cc Outdated
src/node_crypto.cc Outdated
| @@ -153,6 +153,38 @@ exports.createSecureContext = function createSecureContext(options) { | |||
| } | |||
| } | |||
|
|
|||
| const engineKey = options.engineKey; | |||
| const privateKeyEngine = options.privateKeyEngine; | |||
| if (engineKey && privateKeyEngine) { | |||
This comment has been minimized.
This comment has been minimized.
tniessen
Aug 8, 2019
Member
Node.js has traditionally been lazy when it comes to input validation, but new APIs should be stricter: Use !== undefined or something similar to not ignore inputs such as engineKey: 0.
This comment has been minimized.
This comment has been minimized.
tniessen
Aug 8, 2019
Member
Also, I don't know if it would make sense to validate types even if only one option is given? Or to even throw if only one is given? Is there any use case for only specifying one of these options?
This comment has been minimized.
This comment has been minimized.
OYTIS
Aug 10, 2019
•
Author
Is there any use case for only specifying one of these options?
@tniessen From the OpenSSL point of view, you can extract multiple keys from one engine, but since we only have one key in the SecureContext, they should probably go together.
This comment has been minimized.
This comment has been minimized.
tniessen
Aug 11, 2019
Member
I agree, but I would prefer to throw when only one of the options is given. (Currently, you are ignoring the options if only one is used.) If there is no legitimate use case for only specifying one of the two options, then it is most likely an error or a mistake, and we shouldn't silently ignore that.
This comment has been minimized.
This comment has been minimized.
|
I can't comment much on the matter, maybe @bnoordhuis or @sam-github can, I never used OpenSSL engines. These options would be for server keys then, not for client keys? The other addition, |
This comment has been minimized.
This comment has been minimized.
|
@tniessen Thank you for your review, your comments are extremely valuable for a newcomer like myself. I am addressing all of them in the coming version.
These options are for the communication party under control of Node.js. If it's a server (which is a more common scenario with Node.js, as far as I know), then it will be server keys, the example in my first comment is rather a client. |
OYTIS
force-pushed the
OYTIS:hsm_keys
branch
from
33cf16f
to
769a786
Aug 11, 2019
This comment has been minimized.
This comment has been minimized.
|
Fixed hopefully all the issues, added documentation and tests. |
vsemozhetbyt
reviewed
Aug 11, 2019
| @@ -1425,6 +1425,11 @@ changes: | |||
| passphrase: <string>]}`. The object form can only occur in an array. | |||
| `object.passphrase` is optional. Encrypted keys will be decrypted with | |||
| `object.passphrase` if provided, or `options.passphrase` if it is not. | |||
| * `privateKeyEngine` {string} Name of an OpenSSL engine to get private key | |||
| from. Should be use together with `engineKey`, otherwise ignored. | |||
This comment has been minimized.
This comment has been minimized.
vsemozhetbyt
Aug 11, 2019
Contributor
Nit:
| from. Should be use together with `engineKey`, otherwise ignored. | |
| from. Should be used together with `engineKey`, otherwise ignored. |
vsemozhetbyt
reviewed
Aug 11, 2019
| * `privateKeyEngine` {string} Name of an OpenSSL engine to get private key | ||
| from. Should be use together with `engineKey`, otherwise ignored. | ||
| * `engineKey` {string} Identifier of a private key managed by OpenSSL engine. | ||
| Should be use together with `privateKeyEngine`, otherwise ignored. Overrides |
This comment has been minimized.
This comment has been minimized.
vsemozhetbyt
Aug 11, 2019
•
Contributor
Nit (it seems this needs rewrapping to conform with 80 chars limit):
| Should be use together with `privateKeyEngine`, otherwise ignored. Overrides | |
| Should be used together with `privateKeyEngine`, otherwise ignored. Overrides |
OYTIS commentedAug 5, 2019
•
edited
The use-case is briefly described here: #28921. I want to use a private key managed by an OpenSSL engine to establish a TLS connection.
Another option,
sigalgs, is useful, among the other things, to adapt to the limitations of the hardware (e.g. if it doesn't support RSAPSS). I can make it a separate PR if it makes more sense.Usage example: